Southern New Hampshire University Security Controls Case Study Analysis Paper

Description

Overview

In this module, you learned about some of the common attacks affecting businesses and organizations and the defenses they must put in place to reduce the risk to their systems and to any private information that should not be publicly accessed. Security controls take many forms and can be categorized into three main groups: administrative, technical, and physical controls. As you also learned, you can have a control in each group protecting the same asset, meaning you have layered your defenses.

In this activity, you will read about how First American Financial Corporation (FAF) exposed over 85 million records on its public website in 2019. Not only were these records exposed, but the company was not aware of the breach until it was notified by renowned security expert Brian Krebs.

For this weeks activity:

Read the case study and the articles provided in the Supporting Materials section.
Consider ways in which First American Financial Corporation could have proactively defended against the record breach.
Respond to the provided case study questions.

Prompt

Case Study: In 2019, one of the largest data breaches in history occurred when First American Financial Corporation, a real estate title insurance company, exposed over 885 million records on its public website. Included in these records was information such as Social Security numbers, bank account information, images of drivers licenses, mortgage statements, tax documents, and wire transfer records dating all the way back to 2003. The company was not aware of the problem until it was notified by security expert Brian Krebs, an outside source.

A real estate developer outside of FAF first noticed this concern when they found that anyone who knew the URL for a valid document could then access any other document simply by changing a number in the URL. The companys website, firstam.com, was leaking hundreds of millions of private documents not intended to be viewed by just any user. This means that any individual who had previously been emailed a link from FAF could possibly gain access to a plethora of sensitive and private documents. No authentication was required in order to access these documents, nor were they protected in any other way. This left a lot of personal and private information exposed for those with malicious intent to use in nefarious ways, for example, identity theft.

When FAF was notified of the breach, it shut down its website and immediately conducted an internal review. The initial findings noted that there was a design defect in an application that made possible unauthorized access to customer data (Newman, 2019). The identified defect could be referred to as a business logic flaw, which is a category of vulnerabilities specific to an application and business domain . . . [It] allows an attacker to misuse the application by circumventing the business rules of the application (Conikee, 2019). Only a user with an appropriate link would be able to access these documents. However, a user would not be asked to verify their identity. Therefore, access was easy and unauthenticated.

References

Conikee, C. (2019, July 26). 3 takeaways from the First American Financial breach. DarkReading. https://www.darkreading.com/breaches/3-takeaways-f…

Newman, L. H. (2019, May 24). Hack brief: 885 million sensitive financial records exposed online. Wired. https://www.wired.com/story/first-american-data-ex…

Supporting Materials

These articles will provide you with greater insight into the scenario provided and help you prepare for your response to the case study questions:

Case Study Questions

How did this breach occur? Briefly summarize the incident.
Which pillars of the CIA triad were explicitly violated, given the scenario?
What kinds of security controls could First American Financial Corporation have put in place to defend against this kind of data breach? Why?