Blog

Lessons learned from Capital One data breach

Posted on by Mehrdad JLeave a Comment on Lessons learned from Capital One data breach

Cyber Security Expert, CISSP

July 30th, 2019

As the result of this breach, over 100 million credit card applicants at risk in Capital One breach.

Let’s review three facts we are aware of:

Fact#1: The attacker, Thompson, a 33-year-old software engineer’s last listed role was with Amazon’s Simple Storage Services (S3) as a Level 4 systems engineer, a role that ended in September 2016. This could have been enabled her of becoming aware of an existing vulnerability to allegedly access information from Capital One bank through a “miss-configured” security feature on a server rented by Capital One hosted by Amazon!

More specifically, a “firewall misconfiguration permitted commands to reach and be executed” by Capital One’s cloud-based storage servers. This means that the intruder was able to breach the security measures put in place by Capital One and request the data stored on the servers without needing the proper “authorization”.

What can we learn from above fact?

Regular Firewall Rules review is one of the fundamental security requirements that is articulated in security standards and best practices and is required by different compliance requirements. Sounds like this fundamental security practice was not followed properly otherwise this gap could have been identified log back.
Authorization is as important as identification and authentication. In this case the authorization was not configured properly.
Either there was not a configuration checklist in place or otherwise the checklist did not include proper firewall configuration or perhaps the firewall setting was changed at a point in time without being properly reviewed through a change management system.
When it come to using cloud infrastructure, a comprehensive checklist must be followed that covers all applicable preventive and monitoring controls.
There must be a configuration standard in place. Any further changes that does not align with configuration standard must be thoroughly reviewed based on a change management process.
Fact#2: Capital One only became aware of the breach on July 19, when someone emailed the company to say Thompson had posted information about the hacked data on GitHub, which software developers use to share code. Meaning neither Capital One nor Amazon spotted the breach but someone outside the company.

What can we learn from above fact?

Not knowing what is happening underneath the application and network layers means low visibility. There are number of detective controls that can monitor data flow and determine who accessed what and when. I gather their visibility on their cloud base services was low. The outgoing traffic was not being monitored properly otherwise this anomaly could have been identified at the first place.

Fact#3: She used several methods to mask her identity and location, including a virtual private network service and the anonymous TOR browser.

What can we learn from above fact?

Systems hosting sensitive information must be very strict in their access controls. The fact that she was able to circumvent access control mechanisms based on anonymity means the access controls were weak and the fact that she was able to establish a VPN tunnel means perhaps she had elevated privilege.

Also, it means that existing monitoring and detective controls were blind to spot and report her access and her abnormal behaviour. There are variety of detective solutions that can monitor the traffic and identify anomalies. Such solutions must be configured properly to perform effectively. When it comes to utilizing cloud infrastructure (PaaS, IaaS, AaaS, etc.) strong access control mechanism, traffic monitoring controls and anomaly detection controls must be deployed to maximize the visibility as to what happens underneath the application and network layers.

While that service is used by Capital One, there is no evidence that Amazon’s cloud system was involved in the breach.

“AWS was not compromised in any way and functioned as designed,” a company spokesperson said Tuesday. “The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure. As Capital One explained clearly in its disclosure, this type of vulnerability is not specific to the cloud.”

About 140,000 Social Security numbers and 80,000 bank account numbers were potentially put at risk, according to a statement from the bank.

Contact me if you have any questions or need assistance to increase the security resilience of your IT and Cloud infrastructure.

Meeting report – July 2019

Posted on by Mahmood BashashLeave a Comment on Meeting report – July 2019
July meeting started at 6:00 pm as scheduled.

Mehrdad, PITON’s president, provided an introduction on PITON and its mission. He explained how PITON creates an environment in which people become empowerd by assisting each other.

As a regular practice in PITON, all the attendees are given time to introduce themselves in a professional way to stand up and be noticed.

The first presentation was performed by Fatima Omar, Leadership and Business Consultant, and the topic was “3 Steps to Success”. The three pillars of success can be summarized as “CUBS”:

Commitment: Declare your ultimate goals and remain focused on it.

Un-Learn: Find your barriers. Put aside your logical brain, listen to your curiosity and expand your abilities, move on.

Believe in yourself: Be kind to yourself

It leads to “Success”.

Second presentation was on Phishing scams that was delivered by Mehrdad.

He introduced Phishingfree.com that has a free browser add-on that can help detecting suspicious URLs. You can install it on Chrome and IE browsers for free.

This free add-on is provided by Safetoopen.com company based on Auckland, New Zealand.

Safetoopen provides phishing detection and protection solutions.

Meeting report – February 2019

Posted on by Mahmood BashashLeave a Comment on Meeting report – February 2019

We had two guest speakers:
Hard skills (technology) track guest speaker was Masih Omid who talked about micro services. Summary of key points:
Micro-service architecture characteristics

  • Componentization via Services
  • Self-contain
  • Deployable independently
  • Cloud-native
  • Organized around business capabilities
  • Smart endpoints and dumb pipes
  • Decentralized Data Management
  • Design for failure
  • Infrastructure Automation

The Soft Skill track guest speaker was Fatima Omar who talked about 3 Steps To Writing A Book:

  • What’s your why?
  • Provide a SOLUTION for your ideal client.
  • Open KDP Account, Enter Book Details and Upload your Book