Lessons Learned from Capital One Breach From a Security Perspective
The recent Capital One breach is yet another severe cybersecurity infringement upon the citizens who rely on a primary public service like a banking institution. Unfortunately, one company's mishap can cause many people's misfortune when it pertains to the security of their most sensitive information. All hope is not lost, as there are still precautions that can be taken from an end-user perspective to safeguard and monitor your confidential information. Let us review the pitfalls of how the Capital One breach occurred, and then some steps that consumers can take to stay proactive with their data security.
What Happened to Capital One
This attack is looking like it was an inside job, as the attacker used to work for AWS and possibly had access to Capital One's IAM roles. By having some internal access, the attacker was able to gather information about a misconfigured server that otherwise would not be available to the general public. Since the attacker had persistent access, they were able to continuously rotate their AWS credentials as needed without the worry of them being rotated by AWS policy. As part of this access, the attacker had read permissions on some of the storage buckets, which gave them the ability to exfiltrate any data they wanted. The attacker decided to encrypt and export the files containing credit card application information and then went on social media to gloat about their success (big mistake). Capital One, with the help of the FBI, was able to quickly isolate and remediate the misconfiguration of privileges on their server.
What Can We Do to Be Best Prepared
Some may think that this is a win scenario because of how quickly Capital One reacted to and remediated the situation. In many cases it is, but unfortunately, when a data breach of this size happens, the loss is incalculable for the affected individuals who had their personal information stolen. Even credit monitoring doesn't give you peace of mind, knowing that your information is floating around online, just waiting to be misused. Rest assured, below we have provided a list of things that you can proactively do to ensure you are "doing the right thing" when it pertains to data security.
Review Permissions Often
It may seem annoying or cumbersome, but permissions misuse is one of the leading causes of a security breach. When reviewing permissions, it is crucial to understand that people should only have the minimum privileges needed to perform their designated job function, nothing more. Also remember that if someone leaves the company or no longer needs an account on your system, that account needs to be deactivated immediately. Just as it is essential to review the permissions attached to IAM accounts, it is also necessary to review security groups to ensure they are functioning as intended.
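As an added illustration (not code from this post), here is the kind of check a permissions review can automate: flag IAM policy statements that grant wildcard actions or resources, and list accounts with no recent activity. The policy documents, bucket name, user names and dates are constructed samples, not Capital One's or AWS's data.

```python
import json
from datetime import date, timedelta

# Constructed sample: a policy that grants every S3 action on every bucket.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})

# Constructed sample: read-only access scoped to one (hypothetical) bucket.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::app-logs-example/*"],
    }],
})


def find_broad_grants(policy_json):
    """Return findings for Allow statements that use wildcard actions/resources."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):        # a single statement may be un-listed
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if any(r == "*" for r in resources):
            findings.append(f"statement {i}: wildcard resource")
    return findings


def stale_accounts(users, today, max_idle_days=90):
    """Names of users with no activity in max_idle_days (None = never used)."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(n for n, last in users.items() if last is None or last < cutoff)


if __name__ == "__main__":
    print(find_broad_grants(OVERLY_BROAD_POLICY))
    sample_users = {"alice": date(2019, 7, 1), "bob": date(2019, 1, 15), "carol": None}
    print(stale_accounts(sample_users, date(2019, 7, 30)))
```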
Visibility and Clean up
For any chance at quickly detecting an intrusion, it is essential to have logging enabled at all times. Logs are your eyes and ears into your network and will give you the monitoring capabilities required to hunt down an intruder. Patching, patching, patching is vital. If a patch is released for a vulnerability, it needs to be prioritized and implemented as soon as possible to limit exposure in the wild. Having a system go down for a couple of hours due to a broken patch is a much more controlled situation to work in than a security breach that could take months to resolve and result in permanent data loss.
Appropriate Tools for the Job
Having the right set of tools is essential to both reaction time and proper documentation of an incident. If you use tools that are not backed by a fully functioning support team, or that cannot guarantee retention of important information like logs or events, you risk further exposure if something were ever to happen and go public. Whether it is a proactive tool like a VPN service or a reactive tool like a SIEM or IDS, it is critical that you choose wisely.
Lastly, it is vital to have a proper communication channel and chain of command when it comes to both reviewing and reporting possible security incidents. Firefighting is what happens in companies that cannot correctly communicate incidents to the parties who have the power to make decisions in the company's best interest.