What we should learn from the Capital One data breach
Another day, another data breach. Or so it seems. When the latest organization to suffer a big breach hits the news, it is easy to think, who is going to be next? Unlike most hacks or breaches where the public is not privy to the details of the incident, the recently reported Capital One breach is an ideal situation to learn from because much of the intrusion and exfiltration information is available in the court documents. That presents us with an opportunity to understand what happened and improve our own security operations.
The court documents state that the investigation found a misconfigured firewall allowed commands to reach, and be executed on, a Capital One server. Those commands obtained the security credentials for a role that provided further access to storage repositories. Using the obtained credentials, the intruder was able to enumerate over 700 S3 buckets and ultimately copy sensitive data out of the environment.
A misconfiguration oversight is something that can easily happen at any organization. Breaches like this one are reminders that the stakes are very high at all times. Due diligence must be performed to reduce the likelihood of similar vulnerabilities being exploited in the future.
Misconfigurations are human error. Organizations need to prioritize training and education so that security teams and system administrators are adequately prepared to perform the job functions expected of them. Admins need to understand not only what security controls and tools are in place, but also why they are implemented and the reasons behind the existing configurations.
Managing attrition, understaffed teams and navigating skill gaps can make seemingly straightforward tasks much more difficult to perform consistently. Whether training is on the job or in a more traditional classroom setting, knowledge transfer and training should be prioritized.
Mistakes are inevitable. No one is perfect. Unfortunately, security teams have to be right all the time to effectively defend networks and a bad actor only has to find one slip-up to cause havoc with an exploit. Conducting internal periodic and recurring reviews of configurations, patch levels and security posture is an effective method to detect potential exposures before they are exploited.
Each organization should take this opportunity to see if they perform recurring reviews and implement the follow-up actions to remediate any findings in a timely manner.
Audit Logging and Monitoring
The logs of actions taken within the Capital One environment appear to have been comprehensive enough to reconstruct the events and determine how the intrusion took place. Organizations should have robust logging in place and protect those logs to maintain a strong security posture. Active monitoring and efficient investigation of audit log events facilitate quicker discovery of anomalies and help foster a culture of greater cyber resiliency.
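The kind of anomaly that comprehensive audit logs make visible in this scenario is a role's credentials being used to enumerate buckets and then read from many of them in a short span, possibly from an address the role never acts from. The following is an added example, not code from Capital One, ISACA or the original post: a small triage pass over constructed CloudTrail-style records (the account ID, role names, bucket names, timestamps and IP addresses are all made up for the example, and the "expected network" allowlist is an assumed value). It groups S3 events by assumed-role session and flags sessions that enumerate buckets and then read from more distinct buckets than a threshold within a time window; it also goes slightly beyond the text by flagging activity from outside the expected network.

```python
"""Audit-log triage for misuse of role credentials against S3.

Added example with constructed sample data; not the original post's code.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Networks from which this role is expected to act (assumed value for the example).
EXPECTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def _parse_time(ts):
    # CloudTrail timestamps are UTC in this form.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _is_expected(ip, networks):
    return any(ipaddress.ip_address(ip) in net for net in networks)


def find_suspicious_sessions(events, expected_networks=EXPECTED_NETWORKS,
                             bucket_threshold=5, window=timedelta(hours=1)):
    """Return one finding per assumed-role session that either
    (a) calls ListBuckets and then reads from more than `bucket_threshold`
        distinct buckets within `window`, or
    (b) acts from a source address outside `expected_networks`."""
    by_session = defaultdict(list)
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue  # only temporary role credentials are in scope here
        by_session[ident["arn"]].append(ev)

    findings = []
    for arn, evs in by_session.items():
        evs.sort(key=lambda e: _parse_time(e["eventTime"]))
        enumerated = any(e["eventName"] == "ListBuckets" for e in evs)
        foreign_ips = sorted({e["sourceIPAddress"] for e in evs
                              if not _is_expected(e["sourceIPAddress"], expected_networks)})

        # Sliding window over read events: most distinct buckets touched within `window`.
        reads = [e for e in evs if e["eventName"] in ("GetObject", "ListObjects")]
        max_buckets = 0
        for i, start in enumerate(reads):
            t0 = _parse_time(start["eventTime"])
            buckets = set()
            for e in reads[i:]:
                if _parse_time(e["eventTime"]) - t0 > window:
                    break
                buckets.add(e["requestParameters"]["bucketName"])
            max_buckets = max(max_buckets, len(buckets))

        reasons = []
        if enumerated and max_buckets > bucket_threshold:
            reasons.append(f"ListBuckets followed by reads from {max_buckets} buckets within {window}")
        if foreign_ips:
            reasons.append(f"activity from unexpected source address(es): {', '.join(foreign_ips)}")
        if reasons:
            findings.append({"session": arn, "reasons": reasons})
    return findings


def _event(ts, name, arn, ip, bucket=None):
    # Build a minimal CloudTrail-shaped record with only the fields used above.
    ev = {"eventTime": ts, "eventName": name, "sourceIPAddress": ip,
          "userIdentity": {"type": "AssumedRole", "arn": arn},
          "requestParameters": {}}
    if bucket:
        ev["requestParameters"]["bucketName"] = bucket
    return ev


# Constructed sample sessions (account, role, buckets and addresses are made up).
ROLE_A = "arn:aws:sts::111122223333:assumed-role/example-app-role/i-0aaa"
ROLE_B = "arn:aws:sts::111122223333:assumed-role/example-app-role/i-0bbb"
SAMPLE_EVENTS = (
    # Benign: the application's own instance reads its one bucket from inside the VPC.
    [_event("2024-01-15T10:00:00Z", "GetObject", ROLE_A, "10.0.1.5", "app-assets-example")]
    # Suspicious: the same role's credentials, used from outside the expected network,
    # enumerate all buckets and then read from many of them within minutes.
    + [_event("2024-01-15T10:05:00Z", "ListBuckets", ROLE_B, "203.0.113.10")]
    + [_event(f"2024-01-15T10:{6 + i:02d}:00Z", "GetObject", ROLE_B, "203.0.113.10",
              f"data-store-{i:02d}") for i in range(8)]
)

if __name__ == "__main__":
    for finding in find_suspicious_sessions(SAMPLE_EVENTS):
        print(finding["session"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Only the second session is reported, with both reasons. Raising `bucket_threshold` above the number of buckets read leaves only the source-address reason, which is the signal that survives even when an intruder paces the reads. In a real deployment the thresholds and allowed networks come from what the role normally does, which is exactly the baseline that recurring log review establishes.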
While more than 100 million people are impacted by this Capital One breach, less than 1 percent of those people had their Social Security or bank account numbers compromised. Still, other data was stolen, such as reported income, addresses, names and other key information. As always, credit monitoring and basic cyber hygiene processes are important and should help ensure the average consumer does not have catastrophic disruption to their livelihood.
This breach will not be the last. We must be vigilant as consumers to protect our data, our identity and our credit at all times.
(This post originally appeared on the ISACA blog.)