Lessons of the Capital One Data Breach

Like the sun rising in the east – another day, another data breach. Or so it seems from the news headlines. When the latest big breach makes news, it is easy to wonder which enterprise will be the next to be hit.

In most cases, the public is not privy to the details of each incident. However, the recent Capital One breach is an ideal case study to learn from because so much of the intrusion and exfiltration information is publicly available in court documents. This offers a unique opportunity to understand what happened and improve our own security operations.

The court documents show that the post-incident investigation discovered a misconfigured firewall that allowed commands to reach and be run on a Capital One server. These commands obtained the security credentials for a role that provided further access to storage repositories. With those credentials, the intruder was able to enumerate over 700 S3 buckets and ultimately copy sensitive data out of the environment.

A misconfiguration oversight can easily happen at any organization. Breaches like this one remind security professionals that the stakes are very high at all times. Due diligence must be performed to reduce the likelihood of similar vulnerabilities being exploited in the future.

Training
Misconfigurations are caused by human error. Therefore, organizations need to prioritize training and education for security teams and system administrators so they are adequately prepared to perform the job functions expected of them. Admins need to understand not just what security controls and tools are in place, but why they are implemented and the reasons for existing configurations. Attrition, understaffed teams and skill gaps can make seemingly straightforward tasks much more difficult to perform consistently. Whether training is on the job or in a more traditional classroom setting, knowledge transfer and training should be prioritized.

Periodic Reviews
Mistakes are inevitable – no one is perfect. Unfortunately, security teams have to be right all the time to effectively defend networks, while a bad actor only has to find one slip-up to cause havoc with an exploit. Conducting recurring internal reviews of configurations, patch levels and security posture is an effective method to detect potential exposures before they are exploited. Each organization should assess whether it is performing recurring reviews and implementing the follow-up actions to remediate any findings in a timely manner.

Audit Logging and Monitoring
The logs of actions taken within the Capital One environment appear to have been comprehensive enough to reconstruct the events that took place and effectively determine how the intrusion occurred. Enterprises should have robust logging in place and protect those logs to maintain a strong security posture. Active monitoring and efficient investigation of audit log events facilitate quicker discovery of anomalies and help foster a culture of greater cyber-resiliency.
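
An added example, not from the original article or the court documents: one way to review audit logs for the pattern described above, where a role's credentials are used to enumerate and read many S3 buckets. It assumes AWS CloudTrail-style records; the role names, account ID, addresses, expected network range and threshold are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions: where this account's role workloads normally call from, and how
# many distinct buckets one role session may touch before it deserves a look.
EXPECTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUCKET_THRESHOLD = 3

def ev(session, ip, name, bucket=None):
    """Build one constructed record using CloudTrail field names."""
    return {"userIdentity": {"type": "AssumedRole", "arn": session},
            "sourceIPAddress": ip, "eventName": name,
            "requestParameters": {"bucketName": bucket} if bucket else None}

# Constructed sample data (not taken from any real incident).
APP = "arn:aws:sts::111111111111:assumed-role/example-app-role/i-0123456789abcdef0"
JOB = "arn:aws:sts::111111111111:assumed-role/example-batch-role/i-0fedcba9876543210"
SAMPLE_EVENTS = (
    [ev(JOB, "10.0.4.17", "GetObject", "example-reports")] * 5
    + [ev(APP, "203.0.113.50", "ListBuckets")]
    + [ev(APP, "203.0.113.50", "ListObjects", f"example-bucket-{i}") for i in range(4)]
    + [ev(APP, "203.0.113.50", "GetObject", f"example-bucket-{i}") for i in range(4)]
)

def review_role_sessions(events, expected_nets=EXPECTED_NETS, threshold=BUCKET_THRESHOLD):
    """Return {session ARN: sorted reasons} for role sessions worth investigating."""
    buckets, reasons = defaultdict(set), defaultdict(set)
    for e in events:
        ident = e.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        arn, ip = ident["arn"], e.get("sourceIPAddress", "")
        try:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in expected_nets):
                reasons[arn].add("call from outside expected networks: " + ip)
        except ValueError:
            pass  # service-originated calls carry a service name, not an address
        if e["eventName"] == "ListBuckets":
            reasons[arn].add("account-wide bucket enumeration (ListBuckets)")
        bucket = (e.get("requestParameters") or {}).get("bucketName")
        if bucket:
            buckets[arn].add(bucket)
    for arn, seen in buckets.items():
        if len(seen) >= threshold:
            reasons[arn].add(f"touched {len(seen)} distinct buckets")
    return {arn: sorted(r) for arn, r in reasons.items()}

if __name__ == "__main__":
    for session, why in review_role_sessions(SAMPLE_EVENTS).items():
        print(session, why)
```

Object-level events such as GetObject are only recorded when CloudTrail data events are enabled for the buckets in question, so a review like this depends on that logging being in place.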

Consumer Protections
While more than 100 million people are impacted by this Capital One breach, less than 1 percent of those people had their Social Security or bank account numbers compromised. Still, other data was stolen, such as reported income, addresses, names and other key information. As always, credit monitoring and basic cyber-hygiene processes are important and should help ensure the average consumer does not have catastrophic disruption to their livelihood.

This breach will not be the last one. We must be vigilant as consumers to protect our data, our identity and our credit at all times.
