First American financial aftershock and the need for cyber resilience

Image credit: Shutterstock

IT and security professionals have a huge range of tools and technologies at their disposal to help combat data and device security risks. In fact, global spend on information security is predicted to exceed $124 billion in 2019, according to Gartner. Despite this, every week it seems there is news of another high-profile data breach. 

In fact, just as Memorial Day Weekend rolled around, independent security journalist Brian Krebs broke the news that “the Web site for Fortune 500 real estate title insurance giant First American Financial Corp. leaked hundreds of millions of documents related to mortgage deals” and adding that “First American’s Web site exposed approximately 885 million files, the earliest dating back more than 16 years.”

If this breach had been an earthquake, the 885 million records exposed on First American's website would have registered 8.85 on the Richter scale. Although in this infosec scenario you are unlikely to see FEMA rushing to aid those individuals who are impacted and there’s no sign of the Red Cross, data exposure truly affects the lives of real people – shattering their digital safety and wreaking financial and identity havoc on their livelihood. 

Stay with me on this earthquake parallel. Scientists still can’t predict earthquakes nor calibrate the probabilities of specific locations. But that hasn’t stopped engineers from making buildings more resilient. Like earthquakes, IT and security teams cannot fully predict if and when a breach could occur. The overwhelmingly complex world will generate data quakes in profusion.

But if we can mitigate earthquakes, the most unpredictable natural disaster, it would stand to reason, then we can mitigate data disasters with strong IT and security measures. So what did the quake-proof engineers do to resist the force of nature? They focused on resilience.

Image credit: Shutterstock

Image credit: Shutterstock

(Image credit: Image Credit: BeeBright / Shutterstock)

The case for cyber resilience

That’s the lesson IT and security leaders must learn. Resilience is their most critical need in the face of changing threats, ever-present vulnerabilities, and a sprawling attack surface.

We cannot predict which system, attacker, bug, misconfiguration, or insider will push our tectonics, which is why the typical ambition of ‘hardening’ is misconceived. We do not need harder systems, controls, apps, and agents. Rigid things break. Just look at the building codes when we thought dense material could counter a quake.

Like those who reside in quake-prone regions, for decades IT security teams began each morning with the assumption of risk. After all, we live in a world that has plenty of danger, both physical and digital.

Now, we start to see that assumption of risk transform into the assumption of compromise. 

In the case of First American, Krebs notes “I should emphasize that these documents were merely available from First American’s Web site; I do not have any information on whether this fact was known to fraudsters previously, nor do I have any information to suggest the documents were somehow mass-harvested,” but he acknowledges that “a low-and-slow or distributed indexing of this data would not have been difficult for even a novice attacker” and “the information exposed by First American would be a virtual gold mine for phishers and scammers involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to trick property buyers into wiring funds to fraudsters.” 

Whatever the method of assault, it’s generally important to keep in mind that flexibility, not rigidity, is what makes a system withstand it. This means we need insights and intelligence drawn from real-world activity from every stitch of the IT environment. This evidence-based approach -- drawing from IT intelligence -- is what leads organizations forward. It informs every decision and models the possible outcomes. 

Next, we must expand our imaginations. We don’t know which control, app, agent, data store, or cloud instance will be targeted next. But by ensuring our critical controls can persist through anything, we edge closer to resilience.

Start small to succeed

And finally, on the heels of the First American incident, it’s a reminder to start by making simple improvements – focus on people, processes, and technology – just as an engineer would implement building retrofits. We may think “There’s no time for that.” But, neither earthquakes nor cyber threats have a season. They can cause devastation at any time without warning. So, in seismic safety fashion, better to replace those rigid plumbing supply lines with flexible ones now. 

I encourage us all to open our imaginations to the possibilities, expand our horizons to extract intelligence from our IT environment, and infuse persistence and resilience into every thread of the fabric.

Josh Mayfield, Director of Security Strategy at Absolute