This is a follow up technical discussion and breakdown of the events that lead to the New York Department of Financial Services (NYDFS) issuing their first violations against NYCRR500 to the Fist American Title Insurance Company (First American). In our last blog post, we discussed a pending lawsuit from the NYDFS against First American for failure to adequately protect non-public information as required in 23NYCRR500 cybersecurity regulations.
Two Systems
First American relied on two integrated business critical information systems that facilitated the purchase of title insurance. FAST, is a document repository for all information collected across parties during the processing of customer information to determine eligibility for insurance. This system stored non-public information, including tax assessments, appraisals, credit reports, escrow balances, and account numbers, among other types of personally identifiable information (PII). Also involved was an information system known as EaglePro; a web application used by title agents and other employees to share documents in FAST with outside entities. A vulnerability in the EaglePro system, allowed access to documents stored in FAST. The vulnerability allowed anyone with a link to a document to access that document without authentication requirements. Additionally, links did not expire and parameters were sequential, meaning, by changing one number in a specific URI parameter, an attacker could access additional documents. The following is an outline and breakdown of mistakes that lead the NYDFS to issue charges against First American.
Key Mistakes
Key Mistake 1:
Employees who utilize the FAST system were required to tag sensitive documents by prepending a naming convention to the beginning of the document. This naming convention was intended to label any documents that may contain non-public information and/or PII. No automated capabilities or checks were performed on the documents to ensure they were adequately and properly being tagged. First Title relied on employees to consistently do the right thing and add the tags.
Key Mistake 2:
After applying an update in 2014, the EaglePro system introduced a vulnerability that allowed unauthorized access to documents in the FAST system for anyone who could access a link. Additionally, with the link, an attacker could manipulate a parameter in the uniform resource identifier (URI) to access a different document as the system utilized a sequential naming convention. Finally, the links had no expiration date, meaning access to the documents remained for years. The update was applied in 2014 and the vulnerability was identified by First Americans Cyber Defense Team (CDT) while conducting a penetration test on the EaglePro system in 2018.
Key Mistake 3:
The CDT communicated penetration test findings to stakeholders and application development team of the EaglePro system. The severity of the vulnerability was communicated over email and the application development team replied that the vulnerability should be “addressed as soon as possible.” However, the vulnerability never received the necessary attention to remediate its risk.
Key Mistake 4:
The FAST system stored over 850 million documents potentially containing PII and non-public information, 65 million had been tagged as having PII. Upon discovering the vulnerability, the penetration testing team took a random sample of 10 documents to review for PII. Additionally, the representative sampling methods used were inadequate and fell outside the range of appropriate confidence intervals. Although no PII was found in the 10 sampled documents, the CDT recommended the application team investigate further to determine if other documents contained PII. Finally, follow up to determine the extent of PII exposure was not conducted by the application development team. This resulted in an unrealized risk where the number of exposed documents was unknown.
Key Mistake 5:
Management failed to adequately assess and act on the risks associated with the vulnerability. Management stated that the vulnerability was classified as “medium severity” which lead them to believe the system did not contain PII or non-public information. However, employees of the company who utilize the system would have clearly known the system certainly stored and processes PII and non-public information. As stated above, it actually was a business process to do so. Therefore, management’s lack of understanding of the system and its importance to the business lead to the failure of managing the vulnerability adequately.
Key Mistake 6:
Due to the above, the error was never corrected. Additionally, the responsibility for addressing the vulnerability was issued to a junior employee. The vulnerability was included in a long list of items to fix, however the importance and severity was not highlighted in the list. Therefore, the junior employee did not prioritize the vulnerability and it remained for months. This was a direct violation of First American’s own policies for defined time frames in responding to and correcting identified vulnerabilities.
Key Mistake 7:
First American policies and procedures called for an assessment of risk for data stored and transmitted by any application. First American never performed a Risk Assessment on the EaglePro system. The type of data and sensitivity of the data in the system were never adequately documents in their security program plan.
Key mistake 8:
Because the system was public facing, a third party journalist identified and publicized the vulnerability. Instead of then correcting it, management rejected the recommendations from the third party which outlined two technical controls necessary for protecting the NPI.
Summary of Mistakes:
- Misclassification of data sensitivity
- Misclassification of risk rating
- Unknown locations and quantity of PII and non-public information
- Missing Risk Assessment
- Not following defined policies and procedures
- Inadequate vulnerability management process
- Miscommunications between management and staff
- Lack of Due Care follow up
Lessons Learned
For us at Rhodian, there are some major takeaways from this story and we’ll be keeping a close eye on the story to see how things unfold. A court case is scheduled for October, 2020.
Here’s a couple big lessons learned we’d like to highlight. First, even large companies with an established cybersecurity program can struggle. This is why we preach a top-down approach with buy-in from management to the help desk. Everyone needs to be involved, communicating, and following up (recursive cybersecurity) to ensure protections are in place, problems are addressed, and data is protected. Next, this scenario solidifies the distinction we constantly attempt to make. Cybersecurity is a process of documenting how you will address cybersecurity best practices but must be completed with follow-up actions. Documentation is necessary, but cannot live in a vacuum. Similarly best practices are necessary, but must be thoroughly considered and documented in a central location. Finally, cybersecurity must be integrated into the business, similarly how HR and accounting activities are necessary and continuous, so is cybersecurity.
We also observe potential mindset restrictions that may have lead to the exposure of the vulnerability. In our presentations, we often talk about optimism bias. Meaning, despite a statistical likelihood of something bad happening, the individual believes it won’t happen to them. Also, we see a clear failure to lead and follow up to ensure remediations take place.
Tracking vulnerabilities can be difficult and projects needed to secure the business can become lost over time. That’s why we incorporate a plan of action and milestones into all of our security program development efforts. Planning, tracking, and visualizing cybersecurity progress will help a team stay on task and avoid major mistakes like the one that occurred at First American. Reach out to Rhodian today to find out how we can help your company get on top of your cybersecurity program and meet your due diligence, due care, and compliance requirements.
