Equifax data breach of 29 July 2017 tells the world that Apache products are more vulnerable than Microsoft web server products

So far we believed that the Apache web server was more secure than the Microsoft IIS web server. However, the most recent security incidents have told the world that Apache products are not secure anymore! For instance, Apache Struts encountered a critical vulnerability in March 2017 (CVE-2017-5638). As of today, there are four vulnerabilities in total (CVE-2017-5638, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791) which jeopardize enterprise firms. It looks like the slogan "Apache products are more secure than Microsoft web products" is not valid anymore! Remark: when I was young, a black pig symbol let kindergarten students understand their performance. We now know that both brand names are receiving the black pig stamp chop.

What will be the impact?

For more details, please see the URL below for reference:

4-traders.com (APACHE-CORPORATION)

http://www.4-traders.com/APACHE-CORPORATION-11664/news-twitter/Apache-Struts-2-Puts-1000s-of-Web-Apps-at-Risk-839983316954697728/

It looks like Cisco is also a victim in this case. For more details, please see the URL below for reference.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce

Cisco announced that no workarounds are available at the moment. However, if your IT campus has Snort IDS installed, new YARA rules will fight against the attack. It looks like cyber attacks are one of the business development channels!
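To show what an IDS rule for this class of attack actually looks for, here is an added example (it is not code from the post, from Cisco or from the Snort project). CVE-2017-5638 was triggered by an OGNL expression placed in a Content-Type header that the Struts multipart parser evaluated, so a defender can flag any request whose Content-Type either carries OGNL-style syntax or is not a well-formed MIME type at all. The request dictionaries and the marker strings are constructed for the example; the function names are my own.

```python
import re
from typing import Dict, Iterable, List

# Defensive heuristics for the CVE-2017-5638 attack pattern: OGNL syntax where a
# MIME type is expected. These are detection markers, not a working payload.
OGNL_MARKERS = (
    re.compile(r"%\{"),            # OGNL expression opener
    re.compile(r"\$\{"),           # alternative expression opener
    re.compile(r"\(#[A-Za-z_]"),   # OGNL context variable assignment
)

# A syntactically valid Content-Type: type/subtype with optional parameters,
# e.g. "multipart/form-data; boundary=----abc".
VALID_MIME = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+(\s*;.*)?$")

# Headers the vulnerable multipart parser read; both are worth inspecting.
INSPECTED_HEADERS = ("content-type", "content-disposition")


def suspicious_headers(headers: Dict[str, str]) -> List[str]:
    """Return the names of headers in one request that look like OGNL injection."""
    hits: List[str] = []
    for name, value in headers.items():
        key = name.lower()
        if key not in INSPECTED_HEADERS:
            continue
        # A Content-Type that is not even a MIME type is suspicious on its own;
        # a real browser or client library never sends one.
        malformed = key == "content-type" and not VALID_MIME.match(value.strip())
        if malformed or any(p.search(value) for p in OGNL_MARKERS):
            hits.append(name)
    return hits


def scan_requests(requests: Iterable[Dict[str, str]]) -> List[int]:
    """Indexes of requests (in the order given) that would raise an alert."""
    return [i for i, hdrs in enumerate(requests) if suspicious_headers(hdrs)]


# Constructed sample traffic: two benign requests, one with an OGNL-style
# Content-Type (the marker text is a placeholder, not an exploit), one malformed.
SAMPLE_REQUESTS = [
    {"Host": "shop.example", "Content-Type": "application/json"},
    {"Host": "shop.example",
     "Content-Type": "multipart/form-data; boundary=----ConstructedBoundary"},
    {"Host": "shop.example",
     "Content-Type": "%{(#constructed='placeholder')}"},
    {"Host": "shop.example", "content-type": "not a mime type"},
]

if __name__ == "__main__":
    for idx in scan_requests(SAMPLE_REQUESTS):
        print(f"alert: request {idx} headers {suspicious_headers(SAMPLE_REQUESTS[idx])}")
```

The malformed-MIME check matters because signature lists only catch the marker strings they already know; requiring the header to parse as a MIME type at all catches variants that dodge the markers. Legitimate multipart uploads with a boundary parameter still pass, which is the false-positive case to test before deploying such a rule.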

Responsibility and Reality

Following the Equifax data breach of 29 July 2017, the CIO and CSO are retiring. The blame focuses on the company's poor software patch management. The investigation team highlighted two major problems: the company used open source software, and it did not apply the patch for the Apache Struts product immediately. But think it over: the server side contained client credit card information. It looks like no one else is going to discuss the comments in the PCI QSA security assessment report. To be honest, if the classification level of the data falls under the PCI security requirements, there is a question you might voice: what is the responsibility of the payment card industry authority in this incident?

How concerned will the Democrats be about this matter? See the URL below for reference:

https://www.govinfosecurity.com/blogs/top-democrat-likens-equifax-to-enron-as-ftc-launches-probe-p-2547?rf=2017-09-18_ENEWS_SUB_GIS_Slot1&mkt_tok=eyJpIjoiT0RsbE1HVTNPRGN4TVdWaSIsInQiOiJmKzliT2dYRVpPd3ppSUVBWkpxRmM0TUZrNWpDQ0NSUjE1XC90UnNwU0RGMmMwOWRUc084SENEcG5VdFBUdjVjR0tQR2g4XC96ejQyMjlJTHYxR3haaG9QK2ZBTFZvbThkbHJvT1JWdTJVYlpMSE1jUWplOHBXanFhUEhcL3c1QkdDdiJ9

PCI regulations highlights

Level 3 (20,000 to 1 million transactions):
- Secure a regular network scan by an Approved Scanning Vendor
- Do an annual Self-Assessment Questionnaire
- Complete an Attestation of Compliance

Level 2 (1 to 6 million transactions):
- Secure a regular network scan by an Approved Scanning Vendor
- Do an annual Self-Assessment Questionnaire
- Complete an Attestation of Compliance

Level 1 (6 million plus transactions):
- Secure a regular network scan by an Approved Scanning Vendor
- Have a Qualified Security Assessor do an annual Report on Compliance
- Complete an Attestation of Compliance