
Lessons learned: The Capital One breach

Overview of the breach

The Capital One breach was accomplished by a former AWS employee who took advantage of a misconfigured firewall used by Capital One to protect their AWS deployment. This firewall was granted excessive permissions on the AWS instance (ability to read every stored file) and was vulnerable to a server-side request forgery attack. The attacker leveraged these issues to steal the data of 100 million American and 6 million Canadian customers of Capital One, including:

  • Names
  • Addresses (with postal codes)
  • Phone numbers
  • Email addresses
  • Birth dates
  • 140,000 Social Security Numbers
  • 1 million Canadian Social Insurance numbers
  • 80,000 linked bank accounts’ information
  • Status data (credit scores and limits, balances, payment history and contact information)
  • Transaction fragments from 23 days between 2016 and 2018

The attack was discovered because the attacker bragged about her exploits against Capital One and other organizations on GitHub. An ethical hacker discovered and reported the posts, leading to rapid remediation efforts by Capital One.


Lessons learned

The Capital One hack provides multiple takeaways for other organizations. While Capital One made a few important mistakes that made the attack possible, the way it handled the remediation process can serve as an example for other breached organizations.

Proper configuration of security appliances

One of the greatest ironies of the Capital One breach is that it was enabled by a security appliance deployed by the company. The breach was made possible because a Web Application Firewall (WAF) was deployed to protect the organization’s cloud deployment but was not properly configured. This breach should serve as a warning of the security implications of failing to ensure that all devices within an organization’s network are both deployed and configured properly.

Principle of least privilege

One of the main configuration issues of (Read more...)
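As an added example (not part of the original post), here is a small audit of an AWS IAM policy document for the excessive permission described in the overview: a role on the firewall instance able to read every stored object, beside a least-privilege counterpart. The two policies and the bucket name are constructed for illustration, and the "matches every bucket" check is a heuristic of this example, not an AWS rule.

```python
import fnmatch
import json

# Constructed illustration of the "read every stored file" problem (not Capital
# One's real policy): an instance-role policy with full S3 access everywhere.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:ListAllMyBuckets", "s3:*"],
                   "Resource": "*"}],
})

# Constructed least-privilege counterpart: read-only, one bucket, one prefix
# (bucket name is a placeholder).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-waf-config-bucket/config/*"}],
})

# Heuristic: a resource pattern that matches this made-up ARN would match
# effectively any bucket and key, so it is treated as "all stored files".
_SENTINEL_OBJECT = "arn:aws:s3:::zz-sentinel-bucket/zz/sentinel-key"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_broad_s3_read(action, resource):
    # IAM action names are case-insensitive and may carry '*' wildcards;
    # ask whether the action pattern covers s3:GetObject.
    covers_get = fnmatch.fnmatchcase("s3:getobject", action.lower())
    covers_all = resource == "*" or fnmatch.fnmatchcase(_SENTINEL_OBJECT, resource)
    return covers_get and covers_all

def find_broad_s3_read(policy_json):
    """Return (action, resource) pairs from Allow statements that let the
    principal read any object in any bucket; an empty list means none."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                if _grants_broad_s3_read(action, resource):
                    findings.append((action, resource))
    return findings
```

Running `find_broad_s3_read` over an instance role's attached policies is a quick way to catch the "can read everything" grant before an SSRF on the appliance turns it into a data exposure.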

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/KbwjaVZpqCw/