Written by Mike Parsons, CISSP, PCIP, IAM, IEM, HIPAA Certified, Techgardens Senior Security Engineer and Chris Poer, Director of Cloud & Security Services
Capital One reported a data breach impacting roughly 100 million US and 6 million Canada credit card applicants. Court documents reveal the breach was done by US-based, ex-AWS engineer that posted her work on social networks and uploaded the stolen data to GitHub. Here are a few highlights from Capital One’s press release:
- On July 19, 2019, Capital One determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for credit card products and Capital One credit card customers. This occurred on March 22 and 23, 2019. Capital One immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement.
- Capital One has a responsible disclosure program which provides an avenue for ethical security researchers to report vulnerabilities directly to us. The configuration vulnerability was reported to us by an external security researcher through our Responsible Disclosure Program on July 17, 2019. We then began our own internal investigation, leading to the July 19, 2019, discovery of the incident.
- Capital One believes that a highly sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure. When this was discovered, we immediately addressed the configuration vulnerability and verified there are no other instances in our environment. Among other things, we also augmented our routine automated scanning to look for this issue on a continuous basis.
- The FBI has arrested the person responsible and that person is in custody. Based on Capital One’s analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual.
- Capital One encrypts their data as a standard. Due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of data. However, it is also our practice to tokenize select data fields, most notably Social Security numbers and account numbers. Tokenization involves the substitution of the sensitive field with a cryptographically generated replacement. The method and keys to unlock the tokenized fields are different from those used to encrypt the data. Tokenized data remained protected.
- This type of vulnerability is not specific to the cloud. The elements of infrastructure involved are common to both cloud and on-premises data center environments. The speed with which we were able to diagnose and fix this vulnerability, and determine its impact, was enabled by our cloud operating model.
- The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
- The individual also obtained portions of credit card customer data, including credit scores, credit limits, balances, payment history, contact information Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018. No bank account numbers or Social Security numbers were compromised, other than about 140,000 Social Security numbers of our credit card customers, about 80,000 linked bank account numbers of our secured credit card customers. For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.
- Safeguarding our customers’ information is essential to our mission and our role as a financial institution. We have invested heavily in cybersecurity and will continue to do so. We will incorporate the learnings from this incident to further strengthen our cyber defenses.
- Capital One expects the incident to generate incremental costs of approximately $100 to $150 million in 2019. Expected costs are largely driven by customer notifications, credit monitoring, technology costs, and legal support.
- For years Capital One has invested heavily in cybersecurity and we will continue to do so. Beyond the adjusting item in 2019, we expect any incremental investments in cybersecurity to be funded within our current budget.
- Capital One carries insurance to cover certain costs associated with a cyber risk event. This insurance is subject to a $10 million deductible and standard exclusions and carries a total coverage limit of $400 million. The timing of recognition of costs may differ from the timing of recognition of any insurance reimbursement.
Exactly what happened has not be revealed so it would be foolish to speculate too far beyond the public information available. At a high level the hacker was able to find a misconfigured AWS WAF. A firewall was involved, but we don’t know who had administrative authority at this point to gain access to an IAM role enabling them to get read access to S3 buckets that contained both encrypted and non-encrypted data which they were able to extract from AWS. Once notified by an outsider, Capital One was able to quickly identify the source of the penetration and rectify the problem. The hacker was able to find a misconfigured WAF within Capital One’s AWS deployment, gain access to an IAM role enabling them to get read access to S3 buckets that contained both encrypted and non-encrypted data contained in 700 folders from which they were able to extract from AWS.
In carpentry, we say measure twice, cut once. In Cybersecurity we effect the same result when we plan our policies, do a table top simulation of what will happen, and then if resources permit, take it before our peers to vet our plan. Sounds like change control, doesn’t it. The fail safe is immediate testing at time of implementation and back the changes out if things don’t work as expected.
No single point solution can cover 100% of the risk, and so we layer our defenses so that the attacker must overcome many defense mechanisms to reach the target. Each additional layer backs up the previous one and raises the statistical bar for success. While we don’t know whether Capital One employed additional mechanisms inside the WAF like network segmentation, we have a hint that they were not adequate since the breach led to a compromise of two sets of data. This is important since GDPR is much more specific than American standards about the controls that need to be in place to protect individual data, and we have definitely learned that both American data and Canadian data were compromised. The segmentation that should have been in place inside the network to separate the two security zones is an example of adding additional layers. Web Application Firewalls control access to the application and most do little to address the question of keeping data requiring different degrees of protection from one another.
Encryption is also another defensive layer. The principle is simple. If you steal the data and it’s encrypted with sufficiently strong key material, you will not be able to profit from it in your lifetime. All you end up with is bragging rights to say you penetrated the defensive controls put in place by firewalls and access control lists. In this case, Capital One appeared to practice legalism by encrypting only the bare minimum explicitly required by law. While that was somewhat acceptable in years past, today’s software and storage technology and processing speeds should make it an easy call on the part of business to encrypt nearly everything.
We can only speculate whether Capital One performed adequate penetration testing. Mistakes happen, and it could have been much much worse, but this penetration should not have gone unnoticed for 3 months nor should it have resulted in the loss of any customer data. Moreover, penetration testing is only one facet of a successful vulnerability management program. It is a snapshot of time and loses validity rapidly as configurations are changed and devices and applications introduced without having an additional test. The more useful approach is to have a vulnerability management program that features regular deep scanning of all information assets to monitor conformance with organizational policies, regulatory requirements and best practices, ensures that software and firmware releases from manufacturers are applied as soon as practical after their release, continually monitors inbound and outbound traffic on all channels and conducts penetration tests whenever a significant change occurs in the technology environment. In this latter case, a penetration test could target an entire environment, a single segment(s) or specific component(s).
Speaking of AWS, this breach highlights the down side of using their service. As long as their tools work as intended, which they seem to have done in this case, 100% of the security is the client’s responsibility. AWS is very clear on their website, “As a customer, you maintain full control of your content and responsibility for configuring access to AWS services and resources,”. After reading Brian Krebs blog and the evidence he presented it looks like the hacker had established an MO of going after Amazon firewalls and using what had been learned during an earlier tenure at Amazon. Capital One apparently suffered because of an error on the part of its firewall administrator that the hacker was able to leverage because of inside knowledge.
Techgardens is a trusted partner of Forcepoint and Forcepoint offers its next generation firewall through the AWS marketplace so it is fully vetted to be deployed in AWS and reduce the threat of these types of events. As an NGFW, Forcepoint offers both application awareness similar to a Web Application Firewall as well as having the ability to create different security zones through segmentation to separate data repositories with different security requirements.
Techgardens can work with customers to develop an integrated, comprehensive approach that severely restricts the fraudster’s ability to profit from these attacks through the integration of such tools as user behavioral analysis, insider threat management, Security Incident and Event Management systems, next generation firewalls, and network access control solutions to restrict direct access as well as lateral movement within the organization’s network.
Techgardens is a leading systems integrator founded in 2009 and based in NYC. We build customized IT solutions that meet the unique needs of our customers; exceeding their expectations. Techgardens is more than an IT consulting firm. We select the best technology to appropriately match IT solutions that provide efficiency and return on investment.
Techgardens is a leading integrator and authorized reseller of many widely recognized vendor products with over a decade of experience deploying their products. We understand the technology, the products and how they are used today. We will help you design your solution holistically, based on your specific needs taking into consideration your applications, IT requirements, performance requirements and budget.
Our technical team has over 50 years of combined experience working in the financial, healthcare, government, retail and other verticals. We are staffed with CISSPs, Network Engineers and Systems Administrators with offices in New York, Maryland, Pennsylvania and North Carolina.