Module 2 Assignment - Case Study FAF Corp Data Breach PDF

Title Module 2 Assignment - Case Study FAF Corp Data Breach
Course Computer Systems Security
Institution Southern New Hampshire University


IT 253: Computer Systems Security
Case Study: First American Financial Corporation Data Breach
3/13/2021
Harry Watwood
Southern New Hampshire University

How did this breach occur?

In May of 2019, a data breach was discovered at First American Financial Corporation (FAF). This data breach exposed 885 million sensitive documents. These documents included bank account numbers, bank statements, mortgage records, tax documents, wire transfer receipts, social security numbers, and photos of driver’s licenses of FAF customers. These documents were stored on the company’s website (Dellinger, 2021).

The breach occurred because of a website design error known as Insecure Direct Object Reference, or IDOR. FAF would send a link via email to its website, designated for a specific user. The problem was that the website had no method to verify who was accessing the information through the link. Anyone who obtained the link could view any documents by modifying the link address. In addition to the lack of verification, the document numbers were serialized, so changing the numbers in the link would allow total access to the document repository.

Which pillars of the CIA Triad were explicitly violated, given the scenario?

The CIA Triad consists of three primary concepts: Confidentiality, Integrity, and Availability. Confidentiality refers to the ability to protect data from those who are not authorized to view it. Integrity is the ability to prevent unauthorized or undesired changes to the data. Availability means having access to the data when needed (Andress, n.d.).

The FAF data breach touched all three concepts of the CIA Triad. The confidentiality of the data was not maintained because it was accessible by anyone who figured out the vulnerability and how to manipulate the link address. The integrity was compromised because anyone could obtain the documents and perform unauthorized changes. And the availability was affected because, due to the website design flaws, the website was shut down for a period of time to correct the vulnerabilities.

What kind of security controls could FAF Corp have put in place to defend against this kind of data breach?

Several recommendations come to mind that would have prevented these vulnerabilities. If a risk management process had been in place, these flaws would have been identified and corrected. Also, defined testing processes could have uncovered these flaws.

A risk management process consists of identifying assets, identifying threats, assessing vulnerabilities, assessing risks, and mitigating those risks (Andress, n.d.). The asset involved would have been the sensitive customer data. Then the CIA Triad would be used to identify the threats to the asset. Once you have identified your threats, you can assess the vulnerabilities and risks. The last step is to determine how you will mitigate the risks. Mitigations consist of implementing controls to account for each risk. Controls are divided into three categories: physical, logical, and administrative.

The primary control I would recommend would be a logical control. Authentication and authorization measures should have been implemented for website access. Regardless of the link that was sent, any person accessing the website through the link should have been required to enter a login and password.

Another control that should have been implemented would be documented testing scripts. This would consist of performing testing in a controlled manner, ensuring that processes are performed in a specific order. As I have learned in my short IT career, user testing is critical to validating controls. Users are key to exposing any vulnerability in a system.
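The authentication and authorization control recommended above, shown next to the flaw it closes. This Python code is an added example, not part of the original essay and not FAF's actual system; the document store, session store, function names, and sample data are all hypothetical and constructed for illustration.

```python
# Added illustration: constructed data and hypothetical names throughout.
import secrets

# Constructed sample repository: sequential document numbers, each with an owner.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "wire transfer receipt (sample)"},
    1002: {"owner": "bob", "body": "mortgage record (sample)"},
}
# Constructed session store: token -> authenticated user (filled at login).
SESSIONS = {}


class AccessDenied(Exception):
    """Raised when the caller is not logged in or does not own the document."""


def login(user):
    """Stand-in for a real password check; issues an unguessable session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def get_document_vulnerable(doc_id):
    """The flaw described in the essay: the number in the link is the only
    input, so any caller can read any document that exists."""
    return DOCUMENTS[doc_id]["body"]


def get_document_hardened(doc_id, session_token):
    """Authenticate the caller, then authorize against the document's owner."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise AccessDenied("login required")
    doc = DOCUMENTS.get(doc_id)
    # Same error for "missing" and "not yours", so responses do not reveal
    # which document numbers exist.
    if doc is None or doc["owner"] != user:
        raise AccessDenied("not authorized for this document")
    return doc["body"]


def can_read(doc_id, session_token):
    """Testing-script helper: True only if the hardened handler allows access."""
    try:
        get_document_hardened(doc_id, session_token)
        return True
    except AccessDenied:
        return False
```

A documented test script for this control would log in as one user and confirm that `can_read` is false for every document owned by someone else, which is the check that would have flagged the original design.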

References

3 Takeaways from the First American Financial Breach. Dark Reading. (2021). Retrieved 11 March 2021, from https://www.darkreading.com/breaches/3-takeaways-from-the-firstamerican-financial-breach/a/d-id/1335278.

Dellinger, A. (2021). Understanding The First American Financial Data Leak: How Did It Happen And What Does It Mean?. Forbes. Retrieved 11 March 2021, from https://www.forbes.com/sites/ajdellinger/2019/05/26/understanding-the-first-americanfinancial-data-leak-how-did-it-happen-and-what-does-it-mean/?sh=6e314917567f.

Newman, L. (2021). 885M Financial Records—Dating Back 16 Years—Exposed Online. Wired. Retrieved 11 March 2021, from https://www.wired.com/story/first-american-dataexposed/.

Andress, J. Foundations of information security....

