Macquarie University ACCG3058: IS Audit Report on Canva Data Breach

Verified

Added on 2022/09/23

AI Summary

This IS audit report examines the 2019 Canva data breach, assessing the incident's impact and identifying vulnerabilities. The report highlights the need for data privacy controls, improved access control security, and secure gateways to mitigate risks. It includes an audit plan with objectives and procedures for wireless access points, remote management, and firmware. The audit questions and documentation needed are also included. The IS audit report provides control recommendations to address identified risks, such as data theft, loss of business data, data heists, phishing emails, and fraudulent activities. The report emphasizes the importance of implementing these controls to enhance the organization's security posture and prevent future data breaches. The report is a detailed analysis of the Canva data breach, providing a framework for understanding and addressing information security risks.

Running head: IS AUDIT
IS Audit
Name of the Student
Name of the University
Author Note

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

1IS AUDIT
Executive Summary
Most of the commercial establishments all over the world are very much vulnerable to data
breaches. Social engineers are trying out new algorithms in each of the latest data breaching
incidents. An information Security audit is very much required to identify the potential
network vulnerabilities of a business who are using their private network.
This IS audit report shall be focussing on the data breach which occurred in Canva in the year
2019, the report shall be recommending that the use of data privacy controls, securing the
access control and securing the gateways could have avoided this data reaching incident in
Canva.

2IS AUDIT
Table of Contents
Introduction................................................................................................................................3
Background to the case..............................................................................................................3
Problem identification................................................................................................................3
Audit approach and potential solution.......................................................................................3
IS risks....................................................................................................................................3
Audit plan, objectives and procedures...................................................................................4
Audit questions and documents.............................................................................................6
Control Recommendations.....................................................................................................7
Conclusion..................................................................................................................................8
References..................................................................................................................................9

3IS AUDIT
Introduction
The gas of the current security system can be identified as Information Security audit
(Morkunas, Paschen and Boon 2019). The tools and technologies required to close the gaps
can also be identified from IS audits. All the data which holds information about the network
security can be analysed in a systemized modus with the help of an IS audit.
Background to the case
In the year 2019, personal information of 4 million accounts was compromised in
Canva (Canva Help Center 2020). The passwords of the user accounts were encrypted y the
social engineers, most of the user accounts which were compromised had the default
passwords. The data sets of their portal were altered by the social engineers which led to both
reputational loss as well as business loss for this web design service organization.
Diverse categories of technologies were used in the business environment of this
organization such as the Python, New Relic, Cloudfare, Comodo SSL, Java and nginx. The
business has stakeholders and subsidiary organization all over the world. Founded in the year
2012, this private sector organization is very much vulnerable to network security threats.
Problem identification
Bcrypt algorithm was used by the social engineers as they encrypted personal
information of the consumers of this business (Solove and Citron 2017). All the stakeholders
of this business organization was hugely affected as a result of this data security breach. US
Federal Bureau of Investigations heavily criticised the security breach as data from more than
18816 was exposed. After this security breach took place, Canva started to lose their revenue
in the international markets. Loss of trust among the potential consumers was the biggest
problem faced Cava after the security breach.
Audit approach and potential solution
IS risks
The diverse categories of IS risks which are related to the selected case study are data
theft with the help of the third party vendors, loss of essential data due to the concept of IT
shadow, inefficiency security policy of the organization where the data security breach
occurred, data heists which might be caused by the employees working in Canva, phishing
emails sent by the social engineers to compromise the organizational network of Canva, and

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

4IS AUDIT
fraudulent activities which might be conducted by the social engineers using blockchain
technology (Cheng Liu and Yao 2017). The likelihood, level of risk and its implications to
this business can be understood in a detailed modus using the following table.
IS Risks Likelihood
(0-5)
Probability
(0-5)
Risk
Score
Level Implications
to the
business
Data theft 3 3 9 2 High
Loss of business
data
4 4 16 1 High
Data heist 3 2 6 4 Medium
Phishing emails 2 3 6 5 Medium
Fraudulent
activities
4 2 8 3 High
Table 1: Implications of the risk
(Source: Created by author)
Thus, based on the above table, it can be stated that the risk coming from loss of
business data and data theft can have the maximum impact on this commercial establishment.
Audit plan, objectives and procedures
Audit scope: There are numerous areas within the organization which has to be
audited such as the wireless access points, remote management of the organization and
firmware which are used to prevent any type of data security threats.
Audit criteria: The quality of the IT manual used in this organization shall be
checked to identify the security measures of the data entry points. The guideline of audit
management can play a huge role to identify the vulnerabilities related to the remote
management of the organization (Ablon et al. 2016). The configuration of the firmware has
to be checked in a detailed modus which will verify its effectiveness.

5IS AUDIT
Thus, it can be said that for each scope of the plan, an audit objectives and audit
procedures have to be planned. The ensuing section of this IS audit report shall be very much
useful to understand the audit objectives and procedures
Wireless access points
Objective 1: The prime objective behind auditing the wireless access points is to
secure the organizational data which flows inside or goes outside the business environment.
The entry points are the wireless access points which are used by all the stakeholders of the
business for different purposes. Standard WAP protocols are sometime compromised by the
attackers; as a result, this area needs to be checked so that the integrity of the business data is
maintained.
The procedure to secure the wireless access points considers the detailed examination
of the WPA passwords which are maintained by the workforces of the business (Shu et al.
2017). Different categories of the network shall be created to identify the vulnerabilities of
the access points. The name of the network shall be hidden for the users who are not a part of
this business (Othman and Arshad 2019). MAC authentication procedure is also very much
useful to understand the vulnerabilities of the access points.
Remote management
Objective 2: The session and the cookies of the systems which are used in this
business can be very much helpful for the social engineers to have control over the system
and eventually, the entire network. The audit of the remote management procedure is very
much required to secure the internal business network with the outside business.
The procedure of auditing remote management is very much different from the other
areas (Kozlovs, Cjaputa and Kirikova 2016.). In the first place a hypothetical situation shall
be created by the IT experts as if a data security breach is about to occur. Both the internal
and the external network of the business has to be checked before starting the actual auditing
procedure. Telework security policy has to be created in the first place for each employee of
the business, the policy must be created in such a manner so that the data about the server is
also obtained by the auditor (Cockcroft 2020). The server which is the network perimeter of
an business environment shall be examined first, based on that the entire internal network
shall be audited. The local security controls of the computer systems shall be audited in the
following step, after the conduction of this step, the effectiveness of the anti-virus software

6IS AUDIT
which are installed in most of the computer systems shall be checked. In the final step of
auditing the remote management, the encryption technique which is used in this organization
shall be evaluated.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

7IS AUDIT
Firmware
Objective 3: Social engineers from all around the world can compromise an entire
network if the firmware of the organization is compromised by any means. Firmware can be
very much useful for the social engineers to control all the operations which are conducted by
the employees working in this organization. There are other reasons behind the need for
auditing the firmware used in this business as well, such as the security vulnerabilities of the
firmware.
The prime security vulnerability of the firmware is that it can be embedded with any
type of malware (Livshitz, Yurkin and Minyaev 2016). The code of the firmware is very
much similar to the other network security codes as a result of any sort of minor security
lapse can have a huge impact on the operational efficiency of the firmware. It is not secured
by the cryptographic signatures as well; hence it must be audited. The role of the hardware
makers of the firmware is very much significant to audit a firmware as the entire design of
the system might get disrupted due to the auditing procedure (Khakimov et al. 2017). All the
micro controller based applications which are connected to the firmware has to be secured in
the first place. All the unauthorized control of the firmware has to be checked on regular
intervals. All the communication channels of the firmware also has to be examined as these
channels might also invite the social engineers to get into the organizational network (Yang
et al. 2019). All the one-way functions of the firm shall be audited, at the same time it can
also be said that the AES-CCEM algorithm might be used to encrypt the firmware data such
as the version of the firmware, total number of packets and the packet numbers.
Audit questions and documents
The three examples of the interview questions which can be used to gather evidence
from Canva, including the relevant documents are as followings:
Objective 1: Wireless access points
 What are the wireless access points which are used in this organization?
 Are the WAP of Canva safe from both internal and external security threats?
 What are the other networking devices which are connected to WAP of this
organization?
 Are you aware of the drawbacks of using modems which are sometimes associated
with the wireless access points.

8IS AUDIT
The documentation which shall be asked for before auditing the wireless access points of
this organization is the field wireless access data point documentation.
Objective 2: Remote management
 Are you aware of the potential risks related to remote management?
 Which stakeholders of this business have their access to remote management?
 Are there any recent network downtime issues prior to the occurrence of this data
security attack?
Along with these questions, the documentation which shall be asked for is the entire
network management plan document where the roles and responsibilities of all the
stakeholders of the business is specified who has access to the remote management of this
organization (Chen et al. 2016). In the auditing procedure the network management plan shall
play a key role, it will be very much useful to categories the human resources who are
associated with the remote access of the network. It can be said that any type of threat coming
from inside this organization might be exposed with the help of this relevant document.
Objective 3: Firmware
 Are you aware of the design of the firmware which is used in this business?
 Are all the firmware of this organization updated with the latest security patches?
 What is the likelihood of the security breaches which might occur due to the use of
unpatched firmware as it can be embedded along with malware y the social
engineers?
The design template of the firmware which was used in this business shall be asked for to
understand the limitations associated with the firmware.
Control Recommendations
IS risks Recommendations Benefits of recommendation
Data theft Ensuring data privacy
controls for every business
unit of the organization
(Sharawi et al. 2017).
Security standard of the
organization shall be improved
by the data privacy controls.
Loss of business data Use of cloud computing is
very much recommended to
Network security cost of this

9IS AUDIT
address this IS risk
(Simeone et al. 2017).
organization shall be minimized.
Data heist Security of the access
control must be improved to
address this IS risk.
Security of the business data shall
be maintained.
Phishing emails Security gateways of the
organization must be
monitored
Data traffic can be monitored
using the security gateways
Fraudulent activities Monitoring of the
transactional data can
overcome this IS risk.
Anomalies of the business can be
identified by monitoring the
transactional data.
Conclusion
The deployment of the Bcrypt algorithm in the data breach has resulted in data
exposure of more than 4 million user accounts. The diverse categories of IS Risks related to
this data breaching event are data theft, loss of business data, data heist, phishing emails and
fraudulent activities. Loss of business data can have the maximum impact in Canva. The
areas which have to be audited in Canva are remote management, firmware and wireless
access points. This IS audit proposed few recommendations to address the IS risks and it
could have successfully avoided the data reaching procedure for which Canva lost millions of
potential consumers all over the world.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

10IS AUDIT
References
Ablon, L., Heaton, P., Lavery, D.C. and Romanosky, S., 2016. Consumer attitudes toward
data breach notifications and loss of personal information. Rand Corporation.
Canva Help Center. 2020. Canva Security Incident - May 24 Faqs. [online] Available at:
<https://support.canva.com/contact/customer-support/may-24-security-incident-faqs/>
[Accessed 13 April 2020].
Chen, D.D., Woo, M., Brumley, D. and Egele, M., 2016, February. Towards Automated
Dynamic Analysis for Linux-based Embedded Firmware. In NDSS (Vol. 16, pp. 1-16).
Cheng, L., Liu, F. and Yao, D., 2017. Enterprise data breach: causes, challenges, prevention,
and future directions. Wiley Interdisciplinary Reviews: Data Mining and Knowledge
Discovery, 7(5), p.e1211.
Cockcroft, S., 2020. Securing the commercial internet: lessons learned in developing a
postgraduate course in information security management. Journal of Information Systems
Education, 13(3), p.7.
Khakimov, A., Muthanna, A., Kirichek, R., Koucheryavy, A. and Muthanna, M.S.A., 2017,
February. Investigation of methods for remote control IoT-devices based on cloud platforms
and different interaction protocols. In 2017 IEEE Conference of Russian Young Researchers
in Electrical and Electronic Engineering (EIConRus) (pp. 160-163). IEEE.
Kozlovs, D., Cjaputa, K. and Kirikova, M., 2016. Towards Continuous Information Security
Audit. In REFSQ Workshops.
Livshitz, I.I., Yurkin, D.V. and Minyaev, A.A., 2016, November. Formation of the
Instantaneous Information Security Audit Concept. In International Conference on
Distributed Computer and Communication Networks (pp. 314-324). Springer, Cham.
Morkunas, V.J., Paschen, J. and Boon, E., 2019. How blockchain technologies impact your
business model. Business Horizons, 62(3), pp.295-306.
Othman, S.H. and Arshad, M.M., 2019. A Conceptual Framework of Information Security
Database Audit and Assessment. International Journal of Innovative Computing, 9(1).

11IS AUDIT
Sharawi, M.S., Podilchak, S.K., Khan, M.U. and Antar, Y.M., 2017. Dual-frequency DRA-
based MIMO antenna system for wireless access points. IET Microwaves, Antennas &
Propagation, 11(8), pp.1174-1182.
Shu, X., Tian, K., Ciambrone, A. and Yao, D., 2017. Breaking the target: An analysis of
target data breach and lessons learned. arXiv preprint arXiv:1701.04940.
Simeone, O., Maeder, A., Peng, M., Sahin, O. and Yu, W., 2016. Cloud radio access network:
Virtualizing wireless access for dense heterogeneous systems. Journal of Communications
and Networks, 18(2), pp.135-149.
Solove, D.J. and Citron, D.K., 2017. Risk and anxiety: A theory of data-breach harms. Tex.
L. Rev., 96, p.737.
Yang, H., Liu, K., Xu, R., Chen, M., Chi, X., Cai, Y. and Jiang, T., 2019, December. Tracing
Source and Security Audit of Entity Behavior in Core Business of Power Grid. In IOP
Conference Series: Materials Science and Engineering (Vol. 677, No. 4, p. 042016). IOP
Publishing.