A Case for Cloud Security: Capital One Breach

Capital One filled the headlines as an estimated 106 million credit card customers and applicants woke up to news that their personal data had been accessed by an outside attacker. Among this data, a reported 140,000 Social Security numbers and 80,000 bank account numbers, as well as details such as customers’ credit scores, payment histories, credit limits, contact info, and self-reported incomes were made vulnerable. We asked Accudata’s experts for their insights on this matter.

shutterstock_457038097

What could a bad actor do with this information?

There are a number of things a bad actor can do with information that sensitive. Sometimes that information can be traded on criminal forums and used for nefarious purposes. Credit card data and other sensitive personal information is often sold in bulk to non-technical criminals who use it to commit their various crimes, from using the cards to producing fake identities.

-Dave Collins, Consultant – Risk and Compliance

An attacker has plenty of options with this type and volume of compromised information. Without getting into details of how an attack would work, an attacker could engage in various types of identity theft, social engineering (email and phone phishing), and extortion against individuals or companies. This data can even also be correlated with other prior breaches and data dumps to further an attack.

-Anton Abaya, Principal Consultant – Risk and Compliance

Malicious actors are limited only by their imagination and their motivation for action. In this case, the stolen information appears to have been leverage to embarrass the organizations involved in the breach. When the smear campaign didn't work, the attacker pivoted and decided to resell the illegally obtained data. What's truly interesting about this case is that it's more of an insider attack. The attacker leveraged privileged access to obtain data from a public key/value store that was reasonably secured. Insider knowledge and privileged access must be considerations for public cloud architectures.

-Charles Johnson, Practice Manager – Cybersecurity

Capital One was known to use Amazon’s cloud service, AWS, for data storage, even providing featured speakers, who acted as cheerleaders for the service, to the tech company’s major conferences. However, it has been widely reported that this breach was due to a cloud misconfiguration.

shutterstock_149923409

What can cause a cloud misconfiguration?

The most common cause of public cloud misconfigurations is the failure to follow best practices as defined by the public cloud providers when migrating applications and services. There are a wealth of resources documenting best practices on a myriad of public cloud blueprints and architectures. Problems arise when the unique architecture of existing applications and systems don't quite fit within the best-practice guidelines. Experts are required here to ensure applications and data migrate to the public cloud securely.

-Charles Johnson, Practice Manager – Cybersecurity

It is commonly assumed that the cloud is secure because the cloud computing vendor is securing it for you. While that is true to some extent, the reality is that the tenant always has its own security responsibilities, and those responsibilities can also vary quite a bit among the cloud hosting vendors and services being used. On our cloud security assessments, we often see cloud misconfigurations stemming from both accidental and intentional decisions made by the tenant IT custodians who are responsible for securing their tenant environment. These individuals are often rushing to deploy or migrate a new application to the cloud, not well-versed in security concepts, not aware of their security obligations as a tenant, or may even intentionally weaken security controls out of convenience. While the cloud computing vendors are getting better at alerting their tenants of security holes, these self-assessment tools are still maturing, and in some cases, tenant IT custodians are also ignoring or skipping them.

-Anton Abaya, Principal Consultant – Risk and Compliance

The accused hacker, a former AWS employee, allegedly accessed the bank’s data through a misconfigured firewall. The attack was discovered after a routine ethical hacking procedure uncovered the breach and alerted Capital One of the severity of the breach.

shutterstock_1466279360

What additional steps do you believe could have been made to avoid this?

It is difficult to know the full technical details of what transpired during this specific compromise, but based on what has been detailed in the court documents, a few things could have potentially thwarted the attack:

    • Applying the principle of least privilege in the cloud environment for accounts belonging to users and service accounts
    • Creating automated security alerts to detect suspicious behaviors from a service account
    • Regular security review of identities, accounts, roles, or credentials that are privileged or have read access to sensitive data
    • Field-level data encryption of sensitive data stored

-Anton Abaya, Principal Consultant – Risk and Compliance

With open S3 buckets, you just need to be paying attention. In the AWS S3 dashboard, any open buckets are very easy to see at a glance. There are open-source utilities that will search your GitHub repositories for any API keys or sensitive information.

-Dave Collins, Consultant – Risk and Compliance

With the information available to the public thus far, it appears the encryption of data at rest, data classification schemes, and restricted access to data are controls that would have limited the ability for even an inside attacker to have access to the data released to the public. It's important to note that each of these controls is available to public cloud subscribers as part of a best-practice strategy. A consortium that trusts its members would have been able to alert each other of the threat. That's key as it appears multiple organizations may have similar concerns from the same attacker.

-Charles Johnson, Practice Manager – Cybersecurity

It is important to note that Capital One’s data was not accessed through a vulnerability in its AWS systems. This specific attack was due to a poorly configured firewall potentially made vulnerable by failing to deploy the security technology effectively.

How can a company ensure effective deployment of security systems?

One of the worst cloud misconfiguration issues is making private storage containers public. While there are usually warnings that you are potentially exposing sensitive data, leaving AWS S3 buckets open to the internet is still a problem today. Exposing sensitive data like API keys in public repositories is another configuration problem that is getting more attention.

-Dave Collins, Consultant – Risk and Compliance

Simplistically said, organizations must have a comprehensive and layered approach to security, risk, and governance. When an organization understands where risk lies, it can appropriately manage, budget, and prioritize its limited security resources toward those critical areas that are of most interest to attackers. With a layered approach to security, security controls work together to prevent, detect, or respond to threats that occur, and no single security control failure can lead to a catastrophic event.

-Anton Abaya, Principal Consultant – Risk and Compliance

The effective deployment of any cybersecurity control begins with the regular review or audit of not only the controls in place but the code and data you are working to protect. Identify gaps during this review and close them appropriately. Keep in mind that it's far more challenging to protect against the abuse of a trusted entity. Controls should protect against the worst-case scenario, and risks should be accepted only when there are no feasible means for limitation.

-Charles Johnson, Practice Manager – Cybersecurity

This attack came to light on the cusp of Equifax’s data breach settlement, where the consumer reporting agency was ordered to pay at least $575 to $700 million to compensate those affected. Capital One is expected to take a loss of approximately $100 to $150 million, although the bank’s reputation and consumer trust may take the bigger hit in this case.

shutterstock_722953993

Cyber-criminals are advancing their knowledge and skills just as quickly as technology is evolving. No matter how secure you think you may be, these bad actors are working hard to prove you wrong, sometimes hoping for a big payout. However, there are practices that can help ensure your network is prepared to take on any outside force. Here are our recommendations:

Have a third party audit your systems because sometimes having a fresh set of eyes can help you discover issues you cannot find yourself. Vulnerability assessments and penetration testing engagements by third parties are a great way to validate if security controls are deployed correctly. Additionally, there may be other issues that a vulnerability assessment or penetration test might uncover that will further increase your overall security posture.

-Dave Collins, Consultant – Risk and Compliance

Cloud security, risk, and penetration testing assessments all help to uncover misconfigurations in the cloud. Targeting cloud applications and systems that are of high value to attackers with these kinds of assessments will help reduce risk.

-Anton Abaya, Principal Consultant – Risk and Compliance

Pay attention to breach notifications. In this case, the attacker detailed the vulnerabilities and the methods leveraged in the execution of this hack. Play that back in your environment with a penetration test, limiting the scope to just this attack. You may also consider a table-top exercise that logically works through this attacker's playbook. This exercise allows analysts and administrators to review weak points in the cyber defense strategy without putting stress on supporting teams.

-Charles Johnson, Practice Manager – Cybersecurity


Accudata Systems has the expertise and experience to audit configurations in data centers, public clouds, and hybrid environments, and we can also deliver secure designs and transition strategies that limit the impact of an attacker. Let us know how we can help.

 

By Jeremy Niederheiser, Communications Specialist

Charles Johnson, Practice Manager – Cybersecurity

Anton Abaya, Principal Consultant – Risk and Compliance

Dave Collins, Consultant – Risk and Compliance

Accudata is ready to help your organization secure, modernize, and grow through the use of leading-edge technology solutions. Contact our team to start today!

LEARN MORE