First American: DFS blames deficient security controls
September 02, 2020
The New York Department of Financial Services (DFS) has alleged that the data exposure at First American can be put down to deficient security controls and a failure to properly prioritise a previously identified vulnerability.
Invariably, after a major breach comes the post-mortem and lessons to be learned. Since cybersecurity is a multi-faceted discipline, there are many perspectives from which we can look back with the benefit of hindsight. Some vendors make a habit of doing this and it can come across in bad taste, but that’s not the point. We don’t want to knock First American’s security team or play on their misfortune.
That being said, when the vendor in question is building a category around making sure security controls actually work, it is very hard not to talk about a breach in which control failures are at play.
For a variety of reasons, such an incident could have been avoided, or at least caught far sooner, with a newer approach to cybersecurity: Continuous Controls Monitoring (CCM).
Getting some perspective on a vulnerability
As we said, there are many perspectives when it comes to lessons learned. The first perspective we will take is that of, well, perspective.
If you are a CISO and someone reports to you that there is an identified vulnerability on a Linux server somewhere in the organisation, how do you respond? On its own, this really doesn’t mean much, especially given the hundreds if not thousands of other vulnerabilities that probably exist in any organisation.
Now, what if you got a report that there is an identified vulnerability on a Linux system that houses your customers’ Personally Identifiable Information (PII) and related data?
Now it has your attention.
Adding business context to other cybersecurity data is just one of the benefits of Panaseer’s approach to Continuous Controls Monitoring. We call this Business Risk Perspective (BRP).
First American had identified the vulnerability but misclassified it as ‘low’ severity, despite the fact that it affected PII, and then failed to investigate it within the timeframe dictated by its own internal cybersecurity policies.
While the concept of BRP could have helped First American rate the risk correctly, Continuous Controls Monitoring in its most basic form also improves an organisation’s security posture by addressing one of the most common causes of breaches: security controls that were assumed to be working but were not.
I saw a tweet from Phil Venables (cybersecurity thought leader and Senior Advisor of Cybersecurity and Risk at Goldman) over a year ago saying:
‘A remarkably common pattern is that the control or controls that would have stopped the attack (or otherwise detected/contained it) were thought to be present and operational but for some reason were actually not – just when they were most needed… Many incidents are not due to a lack of conception of controls but due to failures of expected controls.’
This tweet has always stuck with me, partly because it is a very well put argument for Continuous Controls Monitoring, which is what we do at Panaseer. But also because it is relevant almost every time we see a new breach in the news.
Regulatory bodies and auditors regularly use phrases like ‘security control weaknesses’ and, as in this case, ‘deficient controls’.
For me, phrases like these are both good and bad. Bad, of course, because the numbers at the end of these data breach reports are real people whose livelihoods are subject to potentially devastating impact.
But on the other hand, as more cases come to light, more enterprises will start to ensure that their security controls are working as intended.
In May 2019, security researcher Brian Krebs reported that First American had exposed 885 million documents, some dating back to 2003. This information included: names, dates of birth, email addresses, home addresses, bank account numbers and statements, mortgage and tax records, Social Security numbers, and transaction receipts.
The cause was a website design error, in security terms an insecure direct object reference: document pages were served without any authentication or ownership check, and documents were numbered sequentially. Once someone had a link to one of those documents, they could reach any of the other 885 million simply by changing a digit in the URL.
While Krebs noted that the exposed information could be a goldmine for phishers and scammers, a Forbes article pointed out that it is hard to pinpoint how many people were affected. In the best case, nobody noticed the exposed documents before they were reported; in the worst case, hundreds of millions of files have been harvested by scammers to target companies and individuals.
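The design error described above, reduced to its essentials. This is an added illustration, not First American’s code: the document store, the `Request` type and the sample users are constructed here so it runs offline, and the flawed handler is shown beside a hardened one that authenticates the caller, checks ownership, and serves documents through non-enumerable handles.

```python
"""Insecure direct object reference (IDOR) on sequential document IDs:
the vulnerable pattern beside a hardened version.

Added illustration; not First American's code. The document store, the
Request type and the sample users are constructed here so it runs offline.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data: sequential IDs, so neighbouring IDs are trivial to guess.
DOCUMENTS: Dict[int, Dict[str, str]] = {
    100001: {"owner": "alice", "body": "closing statement for alice"},
    100002: {"owner": "bob", "body": "wire instructions for bob"},
    100003: {"owner": "carol", "body": "tax record for carol"},
}


@dataclass
class Request:
    path: str                    # e.g. "/documents/100002"
    user: Optional[str] = None   # authenticated principal; None when anonymous


class Forbidden(Exception):
    """Raised by the hardened handler for unauthenticated or unauthorised access."""


def vulnerable_get_document(req: Request) -> str:
    """The flawed pattern: the URL segment is the only input. There is no login
    check and no ownership check, so changing a digit returns someone else's file."""
    doc_id = int(req.path.rsplit("/", 1)[1])
    return DOCUMENTS[doc_id]["body"]


def enumerate_with_vulnerable(start: int, count: int) -> List[str]:
    """What an anonymous visitor could do against the flawed handler: walk IDs."""
    found = []
    for doc_id in range(start, start + count):
        try:
            found.append(vulnerable_get_document(Request(f"/documents/{doc_id}")))
        except KeyError:
            continue
    return found


# Hardened version. Two independent fixes: (1) authenticate the caller and check
# that they own the document (the real authorisation fix); (2) expose documents
# through random, non-enumerable handles so IDs cannot be walked if (1) regresses.
HANDLES: Dict[str, int] = {}   # opaque handle -> internal document ID (assumed design)


def issue_handle(doc_id: int) -> str:
    """Return an unguessable handle for an internal document ID."""
    handle = secrets.token_urlsafe(32)
    HANDLES[handle] = doc_id
    return handle


def hardened_get_document(req: Request) -> str:
    if req.user is None:
        raise Forbidden("authentication required")
    doc_id = HANDLES.get(req.path.rsplit("/", 1)[1])
    # Same error for "no such handle" and "not your document": no existence oracle.
    if doc_id is None or DOCUMENTS[doc_id]["owner"] != req.user:
        raise Forbidden("no such document")
    return DOCUMENTS[doc_id]["body"]


if __name__ == "__main__":
    print("anonymous enumeration against the flawed handler:",
          enumerate_with_vulnerable(100000, 5))
    handle = issue_handle(100002)
    print("owner via hardened handler:",
          hardened_get_document(Request(f"/documents/{handle}", user="bob")))
    try:
        hardened_get_document(Request(f"/documents/{handle}", user="alice"))
    except Forbidden as exc:
        print("other user via hardened handler:", exc)
```

The ownership check is the fix that matters; the random handles only raise the cost of enumeration and must never be relied on as authorisation on their own.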
Department of Financial Services’ response
Here’s what the NY DFS had to say about the First American breach:
‘DFS alleges multiple failures in First American’s handling of this extraordinary data exposure of sensitive consumer information, including:
- First American failed to follow its own policies, neglecting to conduct a security review and a risk assessment of the flawed computer program and the sensitive data associated with the data vulnerability;
- First American misclassified the vulnerability as ‘low’ severity despite the magnitude of the document exposure, while also failing to investigate the vulnerability within the timeframe dictated by First American’s internal cybersecurity policies;
- After the data exposure was discovered by an internal penetration test in December 2018, First American failed to conduct a reasonable investigation into the scope and cause of the exposure, reviewing only 10 of the millions of documents exposed and thereby grossly underestimating the seriousness of the vulnerability; and
- The title insurer failed to follow the recommendations of its internal cybersecurity team to conduct further investigation into the vulnerability.
DFS alleges that these errors, deficient controls, and other flaws in First American’s cybersecurity practices led to the data exposure that persisted for years, including months after it was discovered.’
The Continuous Controls Monitoring approach
There are a few quotes I wanted to highlight in the analysis from the DFS.
‘Neglecting to conduct a security review’
Continuous Controls Monitoring is exactly that: continuous monitoring of security controls. With CCM deployed, organisations no longer rely on point-in-time security reviews but get a continuously updated view of their security posture.
‘Failed to follow policies’
The first two bullets note that First American failed to follow its internal policies, whether in reviewing its security posture, prioritising vulnerabilities, or investigating within a timeframe.
One of the key strengths of Continuous Controls Monitoring is the control check. Based on your internal policies and SLAs, a control check defines the criteria used to verify that a control is working effectively, so you know exactly what you are measuring and why you are measuring it.
CCM then produces policy metrics across all entities (devices, databases, applications, people, accounts, or even individual vulnerabilities), highlighting those that fall outside the required standard and giving you a basis for prioritisation.
Here’s an example dashboard that shows vulnerability detections spread across business processes like Swift or Trading Systems.
To put this into a little more perspective, First American would have had a trustworthy view of which risks and vulnerabilities in its estate were outside policy or SLA.
CCM would have highlighted that the vulnerability was still present and not remediated within SLA. With that visibility, the vulnerability in the second bullet could have been remediated more quickly, or First American could at least have demonstrated to the regulator that it was tracking compliance with its own policy.
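A concrete version of such a control check, covering both the policy/SLA metric above and the business-risk perspective from earlier in the post. This is an added illustration of the idea, not Panaseer’s platform code: the SLA table, the asset inventory, the findings and the “raise severity one step on PII-holding assets” rule are all constructed assumptions, and the check date is the day of the Krebs report.

```python
"""A minimal control check: which open vulnerabilities are outside their
remediation SLA once business context is applied?

Added illustration of the control-check idea in this post, not Panaseer's
platform code. The SLA table, asset inventory and findings are constructed; the
SLA windows and the "raise severity one step on PII assets" rule are assumptions.
"""
from datetime import date, timedelta
from typing import Dict, List

# Assumed internal policy: days allowed to remediate, by severity.
REMEDIATION_SLA_DAYS: Dict[str, int] = {
    "low": 180, "medium": 90, "high": 30, "critical": 7,
}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed asset inventory carrying business context.
ASSETS = {
    "web-01": {"holds_pii": True, "process": "Title document portal"},
    "build-07": {"holds_pii": False, "process": "CI build farm"},
}

# Constructed scanner findings; `rated` is the severity the scanner or analyst assigned.
FINDINGS = [
    {"id": "V-1", "asset": "web-01", "rated": "low", "found": date(2018, 12, 10)},
    {"id": "V-2", "asset": "build-07", "rated": "high", "found": date(2019, 5, 1)},
    {"id": "V-3", "asset": "build-07", "rated": "low", "found": date(2019, 5, 20)},
]

# "Today" for the check: the day the exposure was publicly reported.
AS_OF = date(2019, 5, 24)


def effective_severity(finding: dict, assets: dict, use_context: bool) -> str:
    """Assumed rule: bump the rating one step when the affected asset holds PII."""
    sev = finding["rated"]
    if use_context and assets[finding["asset"]]["holds_pii"]:
        idx = min(SEVERITY_ORDER.index(sev) + 1, len(SEVERITY_ORDER) - 1)
        sev = SEVERITY_ORDER[idx]
    return sev


def sla_breaches(findings: List[dict], assets: dict, today: date,
                 use_context: bool = True) -> List[dict]:
    """Control check: every open finding past its SLA due date, worst first."""
    breaches = []
    for f in findings:
        sev = effective_severity(f, assets, use_context)
        due = f["found"] + timedelta(days=REMEDIATION_SLA_DAYS[sev])
        if today > due:
            breaches.append({
                "id": f["id"],
                "asset": f["asset"],
                "process": assets[f["asset"]]["process"],
                "rated": f["rated"],
                "effective": sev,
                "days_overdue": (today - due).days,
            })
    # Highest effective severity first, then longest overdue.
    breaches.sort(key=lambda b: (-SEVERITY_ORDER.index(b["effective"]),
                                 -b["days_overdue"]))
    return breaches


if __name__ == "__main__":
    print("without business context:",
          sla_breaches(FINDINGS, ASSETS, AS_OF, use_context=False))
    print("with business context:   ", sla_breaches(FINDINGS, ASSETS, AS_OF))
```

Run as written, the same finding is inside SLA when judged on its scanner rating alone and 75 days overdue once the asset’s PII context is applied; that difference is the whole argument for carrying business context into the control check.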
‘Failed to follow the recommendations of its internal cybersecurity team to conduct further investigation into the vulnerability.’
This one is particularly painful, as I’m sure any security professional will tell you. Most likely it came down to a question of budget or headcount.
It’s always difficult to provide a return on investment when your key mark of success is that nothing happens.
Continuous Controls Monitoring can reduce the time-consuming, manual effort involved in security reporting. Some research suggests that security teams spend around a third of their time on reporting. Perhaps that resource could have been spent investigating vulnerabilities, which seems like a better use of a security expert’s time.
And thus, we come full circle. Though controls may have been in place, it is clear they were not up to policy. The whole point of Continuous Controls Monitoring is to provide assurance that your controls are working as expected, within policy.
I’ll refer back to that tweet:
‘Hence the need to conduct Continuous Controls Monitoring & treat control incidents as first–class events like security incidents. Validate continuously.’
Continuous Controls Monitoring – perhaps it could have helped in this example, perhaps not. Either way, as more high-profile breaches occur, I think the need becomes more evident.
As an emerging category in risk management, CCM aims to get the best out of an organisation’s existing security tools, bringing the data from all those tools together, providing a clear view of your security posture.
It’s far from a silver bullet, but being able to get quick answers to simple questions will surely be a valuable step forward:
- Where are the gaps in your controls?
- Where aren’t you adhering to policy?
- What vulnerabilities will have the biggest impact on the business?
If you want to see more about Continuous Controls Monitoring, or get a closer look at the Panaseer Platform, please feel free to reach out to me personally or firstname.lastname@example.org.