CANVA RISK IDENTIFICATION AND ASSESSMENT
EXECUTIVE SUMMARY
The goal of this report is to carry out a risk assessment of Canva, an online design company that suffered a data breach in May 2019 in which the usernames, email addresses, hashed passwords and partial payment information of about 140 million users were exposed. The risks connected with the incident are identified, analyzed and evaluated using the NIST Cybersecurity Framework (CSF) [1]. The incident may have lasting effects on Canva's brand, customer confidence and bottom line. To avoid further breaches and restore user confidence, the report recommends that Canva increase its investment in security and privacy. Several weaknesses were identified during the risk assessment as candidate contributors to the breach: insecure APIs, inadequate data encryption, unpatched software, weak passwords and a lack of security awareness training. These are the report's own hypotheses drawn from common breach patterns, not root causes confirmed by Canva.
Overall, the risk is rated high because both the likelihood and the potential impact of the breach were rated high. Canva responded quickly by restricting logins, invalidating passwords that had not been changed, and alerting users. The company has since invested substantially in restoring customer confidence, including encrypting data at rest on its servers and encrypting data in transit across its networks.
After a thorough risk assessment revealed that the breach posed a significant threat, the proper countermeasures were put into place. Canva's reaction to the intrusion highlighted the value of well-thought-out security measures and incident response strategies.
As a whole, the Canva data breach emphasizes the need to give top priority to cybersecurity and to take active steps to both avoid and react to occurrences. To lessen the blow of a data breach, businesses should do frequent reviews of their security measures, educate employees on best practices, and develop incident response plans. The consequences of not doing so may be disastrous for an organization, both financially and otherwise.
INTRODUCTION
Canva, an Australian online graphic design platform, suffered a data breach in May 2019 that exposed the hashed passwords and partial payment information of over 140 million of its users. The breach was detected on a Friday, 24 May 2019. The attacker, who goes by the name Gnosticplayers, obtained a list of around 4 million Canva accounts with password hashes that were later cracked and posted online. The attacker also tipped off the business news website ZDNet, which then informed the public about the incident [2]. Canva's brand, the trust of its customers and the company's financial health could all suffer as a result. The goal of this report is to carry out a risk assessment of Canva using the NIST Cybersecurity Framework (CSF).
In the modern digital era, data breaches are becoming more common, and attackers seeking sensitive data target businesses of all sizes across many sectors. In 2019 the Australian design company Canva suffered a large data breach that exposed the personal information of approximately 140 million users, including usernames, email addresses, hashed passwords and partial payment details. The incident was a major blow to Canva, and the company has since made significant efforts to regain the confidence of its users and strengthen its security safeguards.
This paper presents an in-depth study of the Canva data breach, focusing on the threats and weaknesses that could have enabled the attacker to gain unauthorized access to the company's systems. The first step is to identify the assets, threats and vulnerabilities connected to the incident. Each identified risk is then analyzed in terms of its likelihood and potential impact. The final section summarizes Canva's risk response, emphasizing the steps the company took to reduce the effect of the breach and prevent comparable incidents.
The Canva data breach should serve as a lesson for companies everywhere. It illustrates the consequences that can follow from insufficient security controls and highlights the need for constant attention and continuous improvement. The danger of cyberattacks will only continue to rise as the world becomes more connected and dependent on digital technology [2]. Businesses must therefore establish stringent security measures and stay current on the latest threats and vulnerabilities.
This report aims to provide insights and lessons learned from the Canva data breach, together with practical, actionable guidance for enterprises that want to improve their security posture and protect their users' data [4]. By analyzing the likely causes of the breach and detailing the steps taken to reduce its effect, the paper offers a road map for organizations aiming to avoid similar incidents and protect their reputation, financial stability and customers' trust.
SCOPE
The scope of this risk assessment is the data breach Canva experienced in May 2019, in which the personal information of about 140 million users, including hashed passwords and partial payment information, was exposed. The purpose of the assessment is to determine the risks linked with the breach, including weaknesses in Canva's systems and threats posed by hostile actors.
The main purpose of the risk assessment is to determine whether or not there is a possibility that Canva's business operations or reputation may be jeopardized. As a result of the evaluation, the organization will be better equipped to take the necessary precautions to safeguard the security, integrity, and availability of user data against any future data breaches. Canva will be able to adopt the proper security controls and procedures to effectively reduce the risks once the evaluation identifies vulnerabilities and threats.
This investigation will only cover the data breach occurrence and will emphasize the possible dangers that are connected to the breach[6]. In order to guarantee that Canva is complying with its legal duties, the evaluation will, where applicable, take into account any relevant legal compliance limits.
The evaluation will be carried out by a group of knowledgeable specialists using a methodical and comprehensive approach to identify, evaluate and rank the risks. The team will review Canva's security policies, processes and practices against prevailing industry standards and best practices. The implications of the risks for Canva's business goals, financial position and reputation will also be taken into account.
The results of the risk assessment will be provided in a full report containing an analysis of the risks discovered, their likelihood and potential impact, and recommendations for reducing them. The report will also include a risk management plan detailing the actions Canva needs to take to mitigate the identified risks.
In a nutshell, the scope of this risk assessment is concentrated on the data breach event that took place in May 2019 and the possible hazards that were related to it. The purpose of the evaluation is to identify possible weak spots and dangers, determine how likely they are to occur and what kind of damage they may do, and then provide suggestions for how the risks could be successfully mitigated. An experienced group of individuals will carry out the evaluation, which will take into account any legal compliance limits that may exist to ensure that Canva complies with its legal duties.
RISK ASSESSMENT
RISK IDENTIFICATION
Risk identification is the first and an essential stage of risk management. It requires determining and documenting the assets, threats and vulnerabilities connected to a given risk. For the Canva breach, this meant identifying the assets at risk, the threats to those assets, and the vulnerabilities that could have allowed those threats to materialize.
Assets at Risk
In the May 2019 breach, the sensitive information of almost 140 million Canva users was exposed. This included hashed passwords, partial payment information and other personally identifiable information (PII) such as usernames, real names, email addresses and countries. PII is sensitive because it can be used to identify a person and is therefore a frequent target for fraud and identity theft.
Threats
The hostile actors that attempted to obtain unauthorized access to the company's systems in order to steal sensitive data posed a danger to the assets that were compromised as a result of the data breach at Canva. Cybercriminals, hackers, and even risks from inside an organization may all fall under the category of malicious actors [3]. These dangers may originate from a wide number of places, including the internet, social engineering, and direct assaults on individuals.
Vulnerabilities
The vulnerabilities are the weaknesses in Canva's security controls that could have allowed the breach to happen. Those considered in this report are inadequate access controls, outdated software, weak passwords, a lack of multi-factor authentication, insecure APIs, insufficient data encryption and a lack of security awareness training. The report does not establish which of these, if any, was actually exploited; each is assessed as a possible rather than a confirmed cause.
Risk Assessment
The process of evaluating risks included determining the chance of occurrence and the possible effect of each risk that was found. Using this method, we were able to prioritize the risks and establish solutions to mitigate those risks.
Outdated Software
The risk associated with running outdated software was rated high. The likelihood was rated high because software with known, unpatched vulnerabilities is easily exploited by attackers; the potential impact was also rated high, since exploitation could have given attackers unauthorized access to Canva's systems and the sensitive data held there. The mitigation plan for this risk is to apply security updates promptly and keep software at currently supported versions.
Weak Passwords
The risk associated with weak passwords was rated high. The likelihood was rated high because weak passwords are easily guessed or cracked, even when stored only as hashes: the roughly 4 million password hashes taken in the breach were reportedly cracked later and posted online. The potential impact was rated high because guessed passwords give attackers unauthorized access to user accounts and the data in them. The mitigation approach is to enforce strong password policies and to provide security awareness training to both employees and users.
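The point that hashing alone does not rescue a weak password is easiest to see by running the attacker's side of it. The following is an added example, not Canva's code: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes (bcrypt, which Canva used, is not in the Python standard library but behaves the same way for this purpose), and a small constructed wordlist stands in for a cracking dictionary. The policy thresholds and the wordlist are assumptions for the example.

```python
"""Added example (not Canva's code): salted slow hashing, a password policy,
and an offline dictionary attack against a leaked hash record."""
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor kept modest for the demo; raise it in production
MIN_LENGTH = 12

# Constructed sample wordlist standing in for a real cracking dictionary.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "canva2019", "letmein", "welcome1"]


def password_policy_violations(password: str) -> list[str]:
    """Return the policy rules a candidate password breaks (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Return 'iterations$salt_hex$hash_hex' for storage; a fresh random salt per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations), dklen=32
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def dictionary_attack(stored: str, wordlist: list[str]) -> str | None:
    """Offline attack on a leaked record: try each candidate; return the match or None.
    The slow hash only multiplies the attacker's cost; a password in the wordlist still falls."""
    for candidate in wordlist:
        if verify_password(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    weak = hash_password("canva2019")
    strong = hash_password("correct-horse-battery-staple-42")
    print("policy violations for weak password:", password_policy_violations("canva2019"))
    print("cracked weak:", dictionary_attack(weak, COMMON_PASSWORDS))
    print("cracked strong:", dictionary_attack(strong, COMMON_PASSWORDS))
```

The policy check and the slow hash are complementary controls: the hash buys time against every leaked record, while the policy keeps the records that a dictionary would crack quickly out of the database in the first place.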
Lack of Multi-Factor Authentication
The absence of multi-factor authentication was rated a high risk. The likelihood was rated high because, without a second factor, anyone holding a user's password can sign in as that user. The potential impact was rated high because account takeover exposes the user's sensitive data. The chosen mitigation is to offer multi-factor authentication for all user accounts and require it for staff and high-privilege accounts.
Insecure APIs
Insecure application programming interfaces (APIs) were rated a high risk. The likelihood was rated high because an API that does not properly authenticate and authorize each request lets an attacker pull user data in bulk; the potential impact was rated high because such access could expose user data at scale. The mitigation approach is to adopt secure API practices, in particular per-request authorization checks and rate limiting, and to monitor API traffic for unusual behavior.
Inadequate Data Encryption
The risk associated with inadequate data encryption was rated high. The likelihood was rated high because unencrypted or weakly encrypted data is readable by anyone who obtains a copy of it, and the potential impact was rated high because a breach of sensitive data could harm Canva's reputation and lead to financial loss and legal liability. The mitigation approach is to enforce strong encryption of all sensitive data at rest and in transit using current algorithms, to rotate encryption keys regularly, and to store keys separately from the data they protect. Regular security audits and penetration testing should confirm that these safeguards are working as intended.
Lack of Awareness Training Regarding Security
The risk associated with a lack of security awareness training was rated high. The likelihood was rated high because, without training, Canva employees and users may not recognize or avoid common security threats. Untrained staff can unwittingly introduce weaknesses, for example by choosing weak passwords, falling for phishing, or mishandling sensitive data.
A lack of security awareness training might lead to a breach of sensitive data, which could result in harm to Canva's reputation, financial loss, and legal responsibility. This risk was rated as having a high potential effect because of the potential for it to lead to a breach of sensitive data. In addition to this, the corporation might be subject to regulatory sanctions for failing to secure customer data acceptably.
To reduce this risk, Canva should put its employees and users through a rigorous security awareness program covering social engineering tactics, phishing awareness, password security and the handling of sensitive data [7]. Training should be delivered regularly and be mandatory for all staff. In addition, Canva should carry out regular security audits and penetration testing to find weaknesses and confirm that its safeguards are working properly.
Social Engineering Attacks
It was determined that there was a significant danger involved with social engineering. Because social engineering is a common strategy utilized by attackers to gain access to sensitive data, this risk's likelihood was also evaluated as high during the risk assessment process. Due to the possibility that social engineering assaults might result in a breach of sensitive data, the potential effect of this risk was rated as high. This breach could harm Canva's reputation, cause financial loss, and expose the company to legal responsibility.
Canva might take steps to limit this risk, such as multi-factor authentication and staff training programs, to prevent workers from accidentally disclosing sensitive information. These programs would help ensure that sensitive information is not disclosed[4]. In addition, Canva might do regular security audits and penetration testing to identify security flaws in the system and confirm that its security safeguards are working properly.
RISK ANALYSIS
A thorough risk analysis of all plausible threats is an essential step in protecting a business from harm. The weaknesses considered as possible contributors to Canva's breach were insecure APIs, inadequate data encryption, outdated software, weak passwords, a lack of security awareness training, and exposure to social engineering.
Many businesses are exposed through outdated software. The threat comes from running software with publicly known vulnerabilities for which patches exist but have not been applied. Keeping software current and applying patches as soon as they are released reduces this exposure. Canva's attacker may have gained access through a flaw of this kind.
Weak passwords pose a serious threat to businesses. Weak passwords make user accounts vulnerable to brute-force attacks and password guessing. Canva may have prevented this security breach by enforcing stricter password policies or using multi-factor authentication.
The absence of multi-factor authentication was a substantial weakness. With multi-factor authentication, users must present more than just a password to access their accounts. It would have made it much harder for an attacker holding cracked passwords to log in to user accounts and take their data.
Insecure APIs are another danger, and one that businesses create for themselves. APIs provide interoperability across systems, but if they are not adequately protected, attackers can use them to retrieve private information. Canva could have reduced this exposure by protecting its APIs with access control, encryption and monitoring.
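The most common API weakness of the kind described here is an endpoint that authenticates the caller but never checks that the caller is allowed to see the specific object requested (an insecure direct object reference). The following is an added example, not Canva's code: a hypothetical in-memory "design" store with a vulnerable handler beside its hardened form. Record IDs, users and the sharing model are constructed for the example.

```python
"""Added example (not Canva's code): object-level authorization for an API that
serves per-user records. The insecure handler trusts the ID in the request; the
hardened one checks ownership or sharing on every call."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Design:
    design_id: int
    owner_id: int
    title: str
    shared_with: set[int] = field(default_factory=set)  # users granted read access


class Forbidden(Exception):
    """Raised for both 'not found' and 'not yours', so callers cannot probe which IDs exist."""


# Constructed sample data: two users, three designs.
DESIGNS = {
    101: Design(101, owner_id=1, title="Q3 pitch deck"),
    102: Design(102, owner_id=2, title="Birthday card", shared_with={1}),
    103: Design(103, owner_id=2, title="Private notes"),
}


def get_design_insecure(caller_id: int, design_id: int) -> Design:
    """Vulnerable: the caller is authenticated, but any design_id is returned (IDOR).
    Walking design_id upwards dumps every user's records."""
    return DESIGNS[design_id]


def _can_read(caller_id: int, design: Design) -> bool:
    return design.owner_id == caller_id or caller_id in design.shared_with


def get_design(caller_id: int, design_id: int) -> Design:
    """Hardened read: authorize the specific object against the authenticated caller."""
    design = DESIGNS.get(design_id)
    if design is None or not _can_read(caller_id, design):
        raise Forbidden(f"user {caller_id} may not read design {design_id}")
    return design


def rename_design(caller_id: int, design_id: int, new_title: str) -> Design:
    """Hardened write: only the owner may modify; a shared-with user may read but not edit."""
    design = DESIGNS.get(design_id)
    if design is None or design.owner_id != caller_id:
        raise Forbidden(f"user {caller_id} may not modify design {design_id}")
    design.title = new_title
    return design


def list_designs(caller_id: int) -> list[int]:
    """Listing endpoints must filter by caller as well; never reveal other users' IDs."""
    return sorted(d.design_id for d in DESIGNS.values() if _can_read(caller_id, d))
```

The collapse of "not found" and "forbidden" into a single error is deliberate: a distinct 404 tells an attacker which IDs exist and which merely belong to someone else, which is exactly the map an enumeration needs.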
Organizations that retain sensitive information face serious danger from insufficient data encryption. Sensitive information is vulnerable to theft if it is not encrypted. Canva could have protected user information by encrypting it using a robust technique and keeping the encryption keys secure.
Another major threat to businesses is the lack of security awareness training. Employees may unknowingly put the system in danger without the right training. Canva may have reduced its vulnerability by providing frequent security awareness training to its staff members, instructing them on topics such as recognizing and avoiding phishing emails, selecting secure passwords, and reporting suspicious behavior.
Many businesses are vulnerable to social engineering attacks, and protecting against them may be challenging. Phishing emails and other forms of social engineering are used by attackers to deceive users into disclosing personal information and login credentials[6]. Canva might have prevented this threat by providing staff with security awareness training that teaches them to recognize and counter social engineering techniques.
Canva might reduce its vulnerability by teaching its staff about social engineering as part of a more extensive security awareness program. Employees and users may benefit from this training in order to better recognize and counter social engineering attempts. Even if an attacker is successful in carrying out a social engineering assault, Canva may still incorporate technological safeguards like multi-factor authentication and access controls to prevent unauthorized access to the system.
After conducting a risk assessment, Canva's security flaws were shown to include, among other things, out-of-date software, weak passwords, a lack of multi-factor authentication, insecure APIs, inadequate data encryption, and a lack of security awareness training[4]. Canva might create a security program with both technical and non-technical measures, such as security awareness training and frequent security assessments, to reduce the severity of these threats. Canva may lessen the chances of a future data breach and its possible consequences by adopting a more all-encompassing security strategy.
RISK EVALUATION
Risk evaluation follows risk analysis and is the next phase of risk management; it involves determining the overall risk level and settling on a suitable risk response. The evaluation categorized the detected risks by severity and selected appropriate responses. Both the likelihood and the potential impact of the data breach were rated high, giving an overall high risk level. After discovering the incident, Canva acted quickly to restrict logins, invalidate passwords that had not been changed, and email users whose passwords had been exposed. Canva also invested substantial money and skilled staff to win back its users' trust. All login tokens active before the breach were revoked, so users had to re-establish their connections the next time they logged in. Canva also partnered with other companies, such as 1Password, to offer free services for a limited time. Further measures include server-side encryption with AES-256 or stronger and encrypted data transmission across networks with TLS 1.2.
The overall risk for the Canva data breach was rated high. Canva's security controls proved insufficient to stop an attacker from acquiring the personal information of around 140 million users [6]. Loss of customer confidence, harm to Canva's brand, and financial losses from legal action and compensation claims were all possible outcomes.
Canva addressed the incident quickly and thoroughly. Passwords that had not been changed since the breach were invalidated, and users whose passwords had been exposed were prompted to change them. This was necessary to reduce the chance of follow-on account takeovers. Canva also invested in regaining its customers' confidence, for example by partnering with 1Password to provide its service free for a promotional period. These efforts limited the potential damage from the breach.
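Revoking every login token issued before the breach, as the report describes, needs a mechanism that does not depend on tracking each token individually. The following is an added example, not Canva's code: HMAC-signed session tokens that carry an issue time, checked against a global cut-off set during incident response and a per-user cut-off set on password reset. The signing key, user IDs and timestamps are constructed for the example.

```python
"""Added example (not Canva's code): HMAC-signed session tokens with wholesale
and per-user revocation by issue time."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-example-key-rotate-me"  # in practice, from a secrets manager


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, issued_at: int) -> str:
    """Token = base64(payload).base64(HMAC-SHA256(payload)); payload holds uid and iat."""
    payload = json.dumps({"uid": user_id, "iat": issued_at}, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


class SessionRegistry:
    """Holds the revocation cut-offs; no per-token state is needed."""

    def __init__(self) -> None:
        self.global_not_before = 0
        self.user_not_before: dict[int, int] = {}

    def revoke_all(self, at: int) -> None:
        """Incident response: every token issued before `at` stops working."""
        self.global_not_before = max(self.global_not_before, at)

    def revoke_user(self, user_id: int, at: int) -> None:
        """Password reset or 'log out everywhere' for a single user."""
        self.user_not_before[user_id] = max(self.user_not_before.get(user_id, 0), at)

    def validate(self, token: str) -> int | None:
        """Return the user ID for a valid, unrevoked token, else None."""
        try:
            payload_b64, sig_b64 = token.split(".")
            payload = _unb64(payload_b64)
            expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig_b64)):
                return None  # forged or tampered
            claims = json.loads(payload)
            uid, iat = int(claims["uid"]), int(claims["iat"])
        except (ValueError, KeyError, TypeError):
            return None  # malformed
        if iat < self.global_not_before or iat < self.user_not_before.get(uid, 0):
            return None  # revoked
        return uid
```

Because the cut-off is compared against the issue time inside the signed payload, the server never needs a list of outstanding tokens, and a rotation of SERVER_KEY is a second, even blunter way to invalidate everything at once.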
In addition, Canva uses server-side encryption with AES-256 or stronger for data at rest and TLS 1.2 for sensitive data in transit. These safeguards make it harder for an attacker to read user information even after gaining some access to the infrastructure.
The possibility of data breaches is something Canva is aware of, and thus the company has made security awareness training a priority. They thus made an effort to educate their staff on the significance of security best practices and the perils of data breaches via extensive security awareness training.
Canva's reaction to the hack was, on the whole, admirable. They moved quickly to reduce the possibility of more data breaches and invested in extra security precautions to avoid such occurrences in the future. They also understood the need for security awareness training and implemented measures to make their staff more alert to the dangers of cyberattacks.
It is vital to keep in mind, however, that data breaches can never be ruled out entirely. A determined attacker may find a way around even the most stringent security controls [5]. Organizations must therefore remain vigilant and update their controls as necessary to stay effective against emerging threats.
CONCLUSION
This risk assessment has identified a number of possible risk factors related to the Canva data breach of May 2019. Multi-factor authentication, strong data encryption, regular security awareness training and secure application programming interfaces are among the controls the report emphasizes. It also stresses the need to apply security patches and upgrades as soon as they become available so that known vulnerabilities cannot be exploited.
Due to the high chance and possible effect of a data breach at Canva, the risk analysis process has shown the need of taking early action to mitigate the identified threats. Canva has taken several precautions to reduce the likelihood of future breaches, such as clearing all existing login tokens, upgrading its encryption, and collaborating with other businesses to provide free security services to its customers.
While there is no such thing as a completely secure system, this risk assessment report should serve as a reminder that precautions should be taken to safeguard user data. Organizations must give system security priority and put in place the necessary policies to reduce the dangers posed by vulnerabilities and attacks.
REFERENCES
Almuhammadi, S., & Alsaleh, M. (2017). Information security maturity model for NIST cyber security framework. Computer Science & Information Technology (CS & IT), 7(3), 51-62.
Dedeke, A. (2017). Cybersecurity framework adoption: using capability levels for implementation tiers and profiles. IEEE Security & Privacy, 15(5), 47-54.
Kandasamy, K., Srinivas, S., Achuthan, K., & Rangan, V. P. (2022). Digital Healthcare-Cyberattacks in Asian Organizations: An Analysis of Vulnerabilities, Risks, NIST Perspectives, and Recommendations. IEEE Access, 10, 12345-12364.
Radziwill, N. M., & Benton, M. C. (2017). Cybersecurity cost of quality: Managing the costs of cybersecurity risk management. arXiv preprint arXiv:1707.02653.
Mantha, B. R., & de Soto, B. G. (2019). Cyber security challenges and vulnerability assessment in the construction industry. In Creative Construction Conference 2019 (pp. 29-37). Budapest University of Technology and Economics.
Khaleefah, A. D., & Al-Mashhadi, H. M. (2023). Methodologies, Requirements and Challenges of Cybersecurity Frameworks: A Review. Int. J. Wirel. Microw. Technol., 13, 1-13.
Baig, Z., & Zeadally, S. (2019). Cyber-Security Risk Assessment Framework for Critical Infrastructures. Intelligent Automation & Soft Computing, 25(1).
ITECH 3215: Information Security
USE CASE ANALYSIS
Arun Chacko
30375857
Detail of the attack
On 24 May 2019, the Australian online design company Canva detected a breach of one of the AWS servers it was using.
The first indication came from a monitoring system that reported unusual activity on one of their accounts. An on-call engineer then investigated suspicious activity coming from an IP address that was using certain access data, and that address was immediately blocked from the server.
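The detection described above, a monitoring system flagging unusual activity from one IP address, can be reproduced in miniature. The following is an added example, not Canva's monitoring: a small detector run over constructed API access-log lines that flags any source address reading an unusually large number of distinct user accounts within a short window. The log format, the addresses and the thresholds are assumptions for the example.

```python
"""Added example (not Canva's code): flag a source IP that reads many distinct
accounts in a short window, a bulk-extraction pattern, from constructed logs."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log: timestamp, source IP, authenticated account, method, path.
# 198.51.100.7 walks through other users' records; the other two addresses behave normally.
SAMPLE_LOG = """\
2019-05-24T09:00:01Z 198.51.100.7 user=1001 GET /api/v1/users/1001
2019-05-24T09:00:02Z 198.51.100.7 user=1001 GET /api/v1/users/1002
2019-05-24T09:00:03Z 198.51.100.7 user=1001 GET /api/v1/users/1003
2019-05-24T09:00:03Z 203.0.113.5 user=2200 GET /api/v1/users/2200
2019-05-24T09:00:04Z 198.51.100.7 user=1001 GET /api/v1/users/1004
2019-05-24T09:00:05Z 198.51.100.7 user=1001 GET /api/v1/users/1005
2019-05-24T09:00:06Z 203.0.113.5 user=2200 GET /api/v1/designs/77
2019-05-24T09:00:07Z 198.51.100.7 user=1001 GET /api/v1/users/1006
2019-05-24T09:00:09Z 203.0.113.5 user=2200 GET /api/v1/users/2200
2019-05-24T09:02:30Z 192.0.2.44 user=3100 GET /api/v1/users/3100
2019-05-24T09:02:31Z 192.0.2.44 user=3100 GET /api/v1/users/3101
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\d+) (\S+) (\S+)$")
TARGET_RE = re.compile(r"/users/(\d+)")


def parse_line(line: str) -> tuple[datetime, str, int, str] | None:
    """Return (timestamp, source_ip, authenticated_account, path) or None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), int(m.group(3)), m.group(5)


def detect_enumeration(lines, window_seconds: int = 60, max_distinct_accounts: int = 5) -> dict[str, int]:
    """Return {source_ip: peak distinct accounts read within the window} for every IP
    that crossed the threshold. Only account reads count; other endpoints are ignored."""
    windows: dict[str, deque] = defaultdict(deque)  # ip -> (timestamp, target account)
    alerts: dict[str, int] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _caller, path = parsed
        target = TARGET_RE.search(path)
        if not target:
            continue
        q = windows[ip]
        q.append((ts, int(target.group(1))))
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # slide the window forward
        distinct = {acct for _, acct in q}
        if len(distinct) >= max_distinct_accounts:
            alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG.splitlines()))  # {'198.51.100.7': 6}
```

A sliding window per source address keeps the rule cheap and catches the burst; a slow extraction spread over hours needs a second rule with a longer window and a lower threshold, and the blocking action that follows an alert should be automatic rather than waiting for an on-call engineer on a Friday evening.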
This happened on a Friday, as the weekend was approaching. The attacker, Gnosticplayers, stole a list of about 4 million Canva accounts containing password hashes, which were later cracked and exposed online.
The attacker held personal details of almost 140 million Canva users, including usernames, real names, email addresses, countries, hashed passwords and partial payment information.
The attacker then tipped off a business news website ZDNet to report this breach to the public.
Analysis
The attacker may have done this to attract data buyers on dark web marketplaces, where such data is traded for varying amounts of Bitcoin. Gnosticplayers is believed to be behind breaches of user data from over 40 large companies and passed the one-billion-user mark with the Canva incident.
Gnosticplayers claimed to have obtained OAuth login tokens for users who sign in via Google, but Canva has no evidence that the attacker downloaded them or tried to use them.
Canva has staff dedicated to security and privacy, has appointed Heads of Security, Privacy and Data, and runs an Information Security Committee that meets every three months to evaluate issues recorded in its risk registers.
The risk was assessed as highly critical, since confidentiality, authenticity and other properties were at stake. The attacker was stopped mid-attack. Canva immediately restricted logins, invalidated passwords that had not been changed, and notified users whose passwords had been exposed. Notifications went out through social media and direct email, and a dedicated security page on Canva's website carried updates.
Canva increased its security team's resources and decided to invest substantial revenue and skilled personnel in rebuilding user trust. All login tokens active before the breach were reset, prompting users to reconnect their accounts at their next login.
Canva also partnered with other organisations like 1Password offering free services over certain time periods.
Further Action
Canva has since hardened its approach to handling future breaches. Data on its servers is encrypted with AES-256 or stronger, and data is transmitted over networks using TLS 1.2.
They also apply security patches to servers in accordance with a Vulnerability Management Procedure.
They also maintain an information security policy aligned with the ISO 27001 standard, and an internal audit function oversees Canva's ISMS.
Resources
Canva. (2020, January 17). Canva Security Incident. https://www.canva.com/en_au/help/
iTnews. (n.d.). Canva's infosec resourcing 'still growing' two years after large data breach. https://www.itnews.com.au/news/canvas-infosec-resourcing-still-growing-two-years-after-large-data-breach-569282
Christou, L. (2019, June 3). Gnosticplayers: Why the hacker behind the Canva data breach boasted to the media. Verdict. https://www.verdict.co.uk/canva-data-breach-gnosticplayers/
Cimpanu, C. (2019, May 24). Australian tech unicorn Canva suffers security breach. ZDNet. https://www.zdnet.com/article/australian-tech-unicorn-canva-suffers-security-breach/
Lukic, D. (2021, November 2). All about Canva data breach. IDStrong. https://www.idstrong.com/sentinel/canva-data-breach/