Enterprises Urged to Hack Own Networks in Wake of Equifax Data Breach | eWeek

CISOs Urged to Hack Their Own Networks to Find Security Weaknesses

cyber attack
Nov 9, 2017
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

NEW YORK—Chief information Security Officers (CISOs) and technology professionals gathered for Gigamon’s Cybersecurity Summit here Nov. 8 to get some sobering news from researcher Brian Krebs on the current state of the enterprise IT security.

One of his key observations is that today’s big breaches are likely yesterday’s news for seasoned cyber-attackers. The recently-disclosed Equifax breach may have grabbed headlines and led to some hasty executive departures at the company, but it came as no surprise to Krebs.

The millions of names, addresses and other personally identifiable information pilfered from the credit bureau’s servers have “been out there for years,” he said.


“These identifiers—name, date of birth, social security numbers, mother’s maiden name, address, previous address, phone number—all of this stuff has been compromised a hundred times over in the last decade. More importantly, it’s broadly for sale in the cyber-crime underground,” Krebs said during a keynote address.

To illustrate his point, he showed a screenshot of his own personal information as it appears in a dark web marketplace, with some strategic blurring of especially sensitive information, of course.

It’s cold comfort for the millions of consumers affected by the Equifax breach and others like it, but businesses can help prevent future incidents with a change of perspective. Rather than reflexively seek out new-and-improved security systems, Krebs suggested that enterprises assume they have already been compromised and let that mindset guide their IT strategies.

As it turns out, companies with a good track record of keeping a tight lid on sensitive information explore a world beyond periodic penetration testing and routinely hack themselves.

They have “red teams,” IT security personnel who seek out and essentially attack their own networks, on both sides of the firewall. “Blue teams,” meanwhile, monitor their networks and IT services, mounting defenses in an attempt to thwart their colleagues. At the end of the day, they compare notes, take the appropriate steps to harden their networks based on their findings and do it all over again the following day.

Preventing another Equifax-scale breach may also require that businesses reexamine how they configure their networks, according to Edward Amoroso, CEO of cyber-security advisory and training firm TAG Cyber.

“If you’re running a perimeter [security] architecture, then you’re a sitting duck,” warned Amoroso during a CISO panel, stressing that what befell Equifax can happen to any organization relying solely on firewalls and other perimeter security solutions. “Perimeter architecture is not going to stop a determined hacker.”

One way to stop hackers or at least slow them down is to “completely explode the network and redistribute defenses,” said Amoroso. Using micro-segmentation, virtual servers, containers and other technologies, “exploded” networks make it tough, not to mention time-consuming, to mount an effective attack compared to monolithic approaches.

Krebs also recommended that CISOs think beyond compliance. If a company’s cyber-security efforts don’t extend beyond the requirements set by HIPAA, Payment Card Industry and other standards, it’s only a matter of time until attackers exploit the blind spots created by a narrow view of data security.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.