The security world is always changing, and the latest news is the Capital One data breach, which affected the personal information of over 100M customers. Recently, the world learned about the indictment of Paige Thompson, resulting from alleged activities in which she was able to break into servers operated by the financial giant and obtain large caches of data.
As the story unfolded in the media, a lot of conflicting information was published about how the incident developed. Amid questions about the security of cloud computing in general and speculation about firewall misconfigurations, there are still very few technical details available to the public.
While the focus was initially on Capital One, investigations are now being undertaken by numerous other organizations following evidence of data exfiltration. Filenames and other elements have surfaced, suggesting that the hacker’s activities may not have been solely focused on a single, individual organization.
At this point, it is well known that an individual named Paige Thompson was indicted by the FBI on a single count of computer fraud and abuse. The charges accuse Ms Thompson of intentionally accessing a computer belonging to Capital One without authorization and obtaining data belonging to the financial organization.
The March 2019 attack, for which Thompson is allegedly responsible, appears to have exploited a weakness in the firewall configuration — issuing various commands to access and obtain data belonging to Capital One. Based on the details listed in the FBI document, information including names, addresses, and other personally identifiable information appears to have been copied and archived.
Capital One was alerted to the breach by an email tip from an unknown source. The email pointed technicians within the organization to information which had been placed on the Github Gist service, a popular platform for sharing technical code and other information.
The complaint highlights some other technical details, such as the use of service accounts and roles, but beyond these, information as to how the attack was performed is lacking and left only to speculation. One thing that can be assumed is that Capital One was using Amazon Web Services as the email mentions “s3 data”, possibly referencing data which was stored within Amazon S3 — the cloud service provider’s Simple Storage product.
Poor web application firewall configuration
From the few details in the indictment, it is safe to assume that the term firewall refers to a web application firewall (WAF). Web application firewalls, like traditional network firewalls, are designed to filter traffic by blocking requests with malicious intent. They are commonly used to prevent attacks such as SQL injection, cross-site scripting, and local file inclusion.
As part of the Amazon service catalog, customers can use a product called AWS WAF — Amazon’s WAF offering. WAFs in general require regular maintenance and updates because, unlike a network firewall, which simply allows or denies traffic on certain ports, a WAF inspects the content of traffic for anomalies. Since attack methods are constantly changing, WAF rules must be updated to keep up with the evolving attack landscape.
Looking at the information available, it is possible that a server-side request forgery (SSRF) attack was performed to gain access to credentials, which could then be used to issue service-management commands. SSRF attacks are commonly blocked by well-configured WAFs, but a mismanaged rule base or a missed configuration option could leave avenues open to abuse.
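A WAF rule is one layer against SSRF; the application itself should also refuse to fetch arbitrary URLs. The following is an added example (not code from the original post or from Capital One) of an outbound-URL guard: it allows only http(s), only hosts on an allowlist, and then resolves the host and rejects any answer in loopback, link-local (the range where cloud instance metadata services such as AWS's live, 169.254.169.254), or private ranges, so that a hostname that resolves to an internal address is caught as well. The allowlisted hostnames and the sample addresses in the comments are constructed; the `resolver` parameter exists so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist of hosts the application legitimately talks to.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

# Address space an application-initiated request should never reach:
# loopback, link-local (cloud instance metadata endpoints live here),
# RFC 1918 private space, "this network", and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7",
)]


def default_resolver(host):
    """Resolve a hostname to every address it maps to (uses the network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def address_is_blocked(addr_text):
    """True if the address falls in a blocked range or cannot be parsed."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return True  # refuse rather than guess on an unparsable answer
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is judged as its IPv4 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url, resolver=default_resolver):
    """Return (allowed, reason) for a URL the server is asked to fetch.

    A URL passes only if the scheme is allowed, the hostname (not the
    userinfo or port; urlparse separates those) is on the allowlist, and
    every address it resolves to is outside the blocked ranges.
    """
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparsable url"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # lower-cased; "user@host" tricks yield the real host
    if host is None:
        return False, "no host in url"
    if host not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host!r}"
    try:
        addresses = resolver(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "host resolved to no addresses"
    for addr in addresses:
        if address_is_blocked(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


def is_safe_url(url, resolver=default_resolver):
    """Convenience wrapper returning only the allow/deny decision."""
    return check_outbound_url(url, resolver)[0]


if __name__ == "__main__":
    # Constructed inputs; the lambdas stand in for DNS so this runs offline.
    print(check_outbound_url("http://api.example.com/users",
                             resolver=lambda h: ["198.51.100.7"]))
    print(check_outbound_url("http://169.254.169.254/latest/meta-data/"))
    print(check_outbound_url("http://api.example.com/",
                             resolver=lambda h: ["169.254.169.254"]))
```

The check resolves the name itself so that an allowlisted hostname pointing at an internal address is refused, but the address can still change between this check and the actual connection; the fetch should therefore connect to the address that was checked rather than resolving again. Network-level egress controls and a tightly scoped instance role (the page's own point about service accounts and roles) are the layers that bound the damage when an application-level check is bypassed.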
Capital One, in its statement, notes that it has fixed the issue, although it does not go into any specific technical details.
Cloud computing security concerns
When it comes to the security of cloud service providers, it is important to realize that they are, in essence, no different from traditional data centers. While cloud providers offer benefits such as elastic scale, ease of deployment, and an operational-expenditure model, they still allow customers to host their solutions in any way they desire — in other words, customers still need to manage their own security.
Organizations that are used to appliance-based web security often overlook the importance of replicating the same security measures in a cloud-hosted environment. It is easy to forget that constant configuration management is still required.
In this particular case, it appears that Capital One may have used Amazon’s WAF, which lets customers configure their own rules or obtain predefined rule sets from a marketplace. This highlights the need for organizations to truly think about security – and about the security technologies they use.
If Capital One opted to manage its own WAF rule base without any external input, it is possible that, due to other priorities, something was simply missed. Amazon’s WAF is a security product like any other, and it is down to the customer to ensure the product is configured effectively.
What can you learn from this breach?
The key takeaway from the Capital One incident is the need for security layers. I, along with many other security professionals, frequently discuss the concept of layered security — using various solutions or technologies to provide a layered approach.
While Capital One’s security team may be well versed in configuring a WAF, it is more than likely that this is only one of many areas they oversee, which can lead to errors or missed tasks. WAF security is an important layer of any security strategy and should be leveraged. But it is just that — one layer — and a layer that requires vigilance to maintain an adequate security configuration.
The other lesson is that while using cloud service providers has massive benefits, cloud environments need focus and attention like any other environment, especially around security. It is extremely difficult to use traditional appliance-based security products in cloud environments, as most providers do not allow the installation of customer-owned equipment. But with all of the traditional capabilities, and more, available as cloud-delivered alternatives, businesses can still get the same level of protection, if not better, from security service providers.
*** This is a Security Bloggers Network syndicated blog from Instart blog RSS authored by Jon Wallace. Read the original post at: https://www.instart.com/blog/what-business-learn-from-capital-one-breach