What are some of the lessons learned from the recent and unarguably massive Capital One data breach?
Data has been likened to gold and oil. Whatever analogy we give it, one thing is for sure: it is a valuable commodity.
The result of this? Data breaches are ubiquitous. One of the latest in a continuing line of breached organizations resulting in eye-watering data exposures is the financial institution Capital One.
In fact, the Capital One breach falls into the mega-breach category. Capital One, like many previous companies that have been victims of mega-breaches, is now facing a class-action lawsuit.
In this blog article, we take a look at what happened and what we can do to prevent our own organization from suffering a data breach.
In brief, here is a look at the Capital One breach facts:
The investigation into how the breach happened continues.
The most likely explanation is that the vulnerability was due to a misconfiguration of an open source Web Application Firewall (WAF). The WAF was, interestingly, hosted in Amazon’s AWS environment, a setup that Thompson would likely have been knowledgeable about.
The breach at Capital One is probably due to a combination of factors. This includes the poor application of resource access permissions, i.e. an IAM privileged account issue, as well as a misconfiguration in setting up the WAF.
Cybersecurity journalist Brian Krebs has attributed the attack to a Server-Side Request Forgery (SSRF). Internet security watchdog OWASP describes an SSRF attack as a situation where “the attacker can abuse functionality on the server to read or update internal resources.”
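The defensive counterpart to the SSRF weakness described above is to vet every server-side fetch of a user-supplied URL before the server makes the request. The following is an added example, not code from the original article or from Capital One or its WAF vendor: it restricts the scheme, rejects embedded credentials, resolves the host, and refuses any destination in loopback, RFC 1918, link-local, multicast or reserved ranges, which is where internal resources typically live. The function name `vet_fetch_target` and the `FAKE_DNS` lookup table are constructed for this example so it runs offline; `resolve_with_system_dns` shows the real resolver you would pass in production.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain web schemes are allowed; file://, gopher://, dict:// and similar are out.
ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip_text):
    """True only if the address is globally routable: not loopback, RFC 1918,
    link-local, multicast, reserved or unspecified. IPv4-mapped IPv6 addresses
    are unwrapped first so ::ffff:10.0.0.5 is judged as 10.0.0.5."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_with_system_dns(host):
    """Production resolver: every A/AAAA answer for the host, as strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def vet_fetch_target(url, resolve=resolve_with_system_dns):
    """Decide whether a user-supplied URL may be fetched server-side.
    Returns (True, [pinned_ip, ...]) or (False, reason). The caller must connect
    to one of the pinned IPs (sending the original name in the Host header)
    instead of re-resolving, so the DNS answer cannot change between this check
    and the connection (DNS rebinding). Redirects must be vetted the same way."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        parts.port  # raises ValueError on a malformed port such as :abc
    except ValueError:
        return False, "malformed port"
    # An IP literal needs no lookup; otherwise resolve and check every answer,
    # because a name can legitimately return several addresses.
    try:
        ipaddress.ip_address(host)
        candidates = [host]
    except ValueError:
        try:
            candidates = list(resolve(host))
        except (socket.gaierror, LookupError) as exc:
            return False, f"resolution failed for {host!r}: {exc}"
    if not candidates:
        return False, f"no addresses for {host!r}"
    for ip in candidates:
        if not is_public_address(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, candidates


# Constructed lookup table standing in for DNS so the example runs offline.
# The "public" addresses are placeholders; Python's ipaddress module treats the
# RFC 5737 documentation ranges as private, so they cannot be used here.
FAKE_DNS = {
    "partner.example.com": ["203.0.114.10"],
    "internal.corp.example": ["10.0.0.5"],
    "mixed.example.com": ["203.0.114.20", "192.168.1.1"],
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise LookupError(host)
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in ("https://partner.example.com/report",
                      "http://internal.corp.example/",
                      "http://mixed.example.com/",
                      "http://127.0.0.1:8080/admin",
                      "http://[::ffff:10.0.0.5]/",
                      "file:///etc/passwd",
                      "http://user@partner.example.com/"):
        print(candidate, "->", vet_fetch_target(candidate, fake_resolve))
```

A blocklist of address ranges is the minimum, not the whole answer: where the feature only ever needs to reach a handful of known services, an allowlist of hostnames is stronger, and an egress proxy or network policy that denies the application host access to internal ranges gives a second, independent layer if the application-level check is bypassed. Pairing that with narrowly scoped IAM permissions on the fetching host limits what an attacker gains even when a request does reach an internal resource.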
Security misconfigurations have been behind a number of data breaches in recent years. Data breaches such as Suprema and Exactis had similar profiles. In the case of the Exactis breach, which exposed 340 million customer records, the cause was an unauthenticated database that was publicly available.
OWASP identifies security misconfiguration as a top 10 security issue. A study by Threat Stack found that 73 percent of organizations have at least one critical security misconfiguration. The most common type of misconfiguration was leaving a secure shell (SSH) service unprotected so that anyone can remotely access a server from anywhere. The other common misconfiguration was the use of first-factor-only authentication or no authentication at all.
When securing data, we have a number of considerations. They often dovetail and are dependent on one another: miss one area and insecurities and risk levels will intensify.
In the case of Capital One, it may be that several planets aligned to increase the probability of a breach occurring. A mix of privileged access misuse, misconfiguration of a WAF, and possibly poor security hygiene, including patch awareness, may all have contributed to the breach.
To avoid our own data breaches, we must ensure that all possible weaknesses are addressed to maintain robust security.
To avoid misconfiguration and privileged access misuse, here are some recommendations that may come in handy for you:
A Managed Security Services Provider (MSSP) can offer you a cost-effective way to cover the areas needed to avoid a data breach. The security expertise available to organizations who make use of managed security services ensures systems are correctly set up and secured.
Other recommendations that should warrant consideration and that can help maintain good data governance include:
Morgan Stanley estimates that Capital One may have to pay up to $500 million in costs associated with the breach. Also, the share price of Capital One dropped around 6% after the breach.
In addition to hefty fines and shareholder price drops, companies that experience breaches involving a loss of customer data end up losing much more than just money. The loss of customer trust and, in turn, loyalty, is an intangible cost that can take years to recover from.
Data breaches have far-reaching impact and should be a priority in terms of risk-mitigation for an organization that handles data. Proper attention to the details of security is needed to ensure that preventable issues such as misconfigurations do not offer cybercriminals your customers’ data on a plate.