First American demonstrates the need for vulnerability assessments
THE FIRST step to succeeding with cybersecurity is discovering vulnerabilities across the organization’s various digital surfaces and touchpoints.
First American Financial Corporation in the US learned this the hard way.
Recently, a US-based developer Ben Shoval discovered a vulnerability on the title insurance and settlement services provider’s website and reached out to cybersecurity reporter Brian Krebs.
“Shoval shared a document link he’d been given by First American from a recent transaction, which referenced a record number that was nine digits long and dated April 2019,” Krebs said in his popular blogpost.
“Modifying the document number in his link by numbers in either direction yielded other peoples’ records before or after the same date and time, indicating the document numbers may have been issued sequentially.”
Krebs’ review of the website revealed that about 885 million records related to mortgage deals were exposed — dating back 16 years.
The earliest exposed document was created in 2003 and the set collectively provided social security numbers, driving license numbers, bank account statements, and other critical personal details of those buying and selling real estate.
In his blogpost, Krebs clarified he did not have any information to suggest the documents were somehow mass-harvested (although a low-and-slow or distributed indexing of this data would not have been difficult for even a novice attacker).
According to a First American spokesperson, the company has taken immediate action once it learned of a design defect in an application that made possible unauthorized access to customer data.
To address the situation, the company has shut down external access to the application.
“We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed,” explained the spokesperson.
As the vulnerability has only been discovered recently, it might take a few weeks to learn about the full extent of its impact — however, the incident provides a very important lesson to companies creating their own cybersecurity strategy.
Start with a vulnerability assessment
“We take it very, very serious and first of all, we structure our databases and our operating systems,” First American CEO Dennis Gilmore said about cybersecurity way back in 2015.
“It’s an issue that we continue to spend a lot of time on both operating at the board level and at the committee level, something we take very serious and we watch very, very closely.”
The exposure, however, isn’t because the company doesn’t make an effort to improve its cyber defence but because it missed this specific vulnerability while formulating its strategy.
For most companies today, cybersecurity is among the top priorities in the boardroom and a top concern for managers.
With more data being collected and regulatory requirements surrounding data protection and privacy getting more strict, it’s natural for companies to spend more on acquiring new capabilities and solutions to protect customer data.
However, the reality is that the first step to cybersecurity must include a strong vulnerability assessment.
According to the Information Systems Audit and Control Association (ISACA), vulnerability assessment is an integral component of a good security program.
In fact, a well-functioning vulnerability management system, including testing and remediation, is often cited by industry standards and regulatory bodies as an essential requirement for security and mandatory for compliance.
The non-profit international professional body also points out that although vulnerability assessment is a great starting point, it isn’t a one-time exercise.
Continuous monitoring and review are critical to ensure that new vulnerabilities aren’t created as a result of new systems and solutions being implemented.
Further, it’s important to remember that as the internet of things (IoT) and flexible work policies (including remote working) come into play, an organization’s vulnerabilities naturally increase.
While we’ll have to wait and watch how First American and US-based regulators deal with the exposure of 885 million critical records for the past 16 years, here are some four types of vulnerability assessments that businesses must consider to protect themselves:
# 1 | Network-based scans
“Network-based scans combine host and service discovery with vulnerability enumeration,” according to ISACA.
Such scans essentially help businesses identify the devices that connect to a network, match their type, and find the potential points of attack.
Network-based scans are especially useful in environments that adopt a bring your own device (BYOD) policy or allow for external devices to connect.
# 2 | Host-based scans
“Host-based scans are executed from the target computer or are remotely controlled with authenticated account access to the target computer.”
Often, these are more effective than network-based scans because the latter might miss weaknesses that can be exploited by a local user logged into their systems.
Since host-based scans review a system’s configuration settings, patch details, while also covering ports and services that are also visible to network-based scans, they often provide greater visibility into vulnerabilities.
# 3 | Wireless Network scans
“Wireless scans of an enterprise’s Wi-Fi networks focus on points of attack in wireless network infrastructure.”
According to ISACA, wireless network testing validates that an enterprise’s networks are securely configured and validates that strong encryption is enabled and default settings are changed.
Such scans also help identify rogue access points that pose as legitimate wireless networks of either an enterprise or a hotspot, such as a local coffee shop, to trick victims into joining an attacker’s network.
# 4 | Application scans
“Application scans typically focus on websites to discover and enumerate software vulnerabilities and misconfigurations.”
During penetration testing, assessors often use manual tests or exploit kits, says ISACA.
However, software-centric Dynamic Application Security Testing (DAST) tools help detect vulnerabilities that are unique to web software — such as cross-site scripting, insufficient input validation, and sensitive data exposure.
In other words, DAST tools are most effective when organizations look for vulnerabilities to guard themselves against.