
Capital One Breach Highlights Challenges of Insider Threats


There are many things to consider regarding the breach of Capital One servers that compromised personal information for about 100 million customers. What keeps getting missed is the fact that this was an insider threat situation. Defending against insider threats is different from defending against an external attacker.

Files containing personal information for about 100 million individuals were stolen from servers containing Capital One data, and posted on GitHub. The compromised data included personal information belonging to small businesses and consumers, such as names, addresses, phone numbers, email addresses, birth dates, self-reported income, and some Social Security numbers. About 80,000 linked bank account numbers of credit card customers and related credit information, such as credit scores, limits, balances, and payment history, were also stolen, Capital One said.

Capital One said it was “unlikely” that the information had been previously used for fraud, or by other groups to also access the data.

The alleged thief, a former systems engineer with Amazon Web Services (she had worked at Amazon between 2015 and 2016), had accessed the servers through a “misconfigured web application firewall” earlier this year, the Department of Justice said. She knew how to navigate the infrastructure and knew how to take advantage of the WAF misconfiguration to query and obtain the necessary credentials to access the data stored in Amazon Web Services (AWS) Simple Storage Service (S3) buckets. This wasn’t a case of an S3 bucket inadvertently exposed to anyone on the Internet, but rather an insider threat incident.

There is a lot of focus on outsiders breaking in, but an insider threat, where the attacker knows how the systems work, how customers maintain and access their data in the cloud, and how to navigate the infrastructure, poses a different type of security challenge for defenders. As this incident shows, insider threats are not limited to employees or ex-employees, but also include third-party providers such as public cloud infrastructure companies and software-as-a-service vendors.

Insider threats “are the most dangerous and unpredictable threat vector,” said Michael Clauser, global head of data and trust at Access Partnership.

While it’s unlikely there was a weakness in AWS, it’s not clear whether the engineer merely exploited a weakness in the WAF that was exposed by the misconfiguration, or if the engineer had somehow retained access to AWS to still be able to connect to the Capital One servers more than three years after she left the company.

“Nearly all breaches where AWS is involved are a result of human error or intent, rather than a technical exploit,” said Leo Taddeo, CISO of Cyxtera and former head of special operations in the FBI’s New York office.

Insider threats are particularly difficult because the person has more access than someone from outside the network. Even if someone outside the organization manages to obtain privileged credentials, that person still has to figure out how to get around the network to get the data. For an insider, that knowledge is already there.

A good example is encryption. Capital One encrypts data as a standard, but because the breach was performed by an insider, the insider was able to get to the decrypted data. Data can be encrypted at rest, but the second it is being used, such as through an application, that data becomes decrypted. Or if the insider has privileged access to view everything—systems administrators are powerful figures in the network—then getting the data decrypted is not difficult.

Capital One did not just rely on encryption, however. The company tokenizes certain data fields—especially Social Security numbers and account numbers—so tokenized data remained protected.
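To make the contrast concrete, the following is an added example (not code from the article or from Capital One) of vault-based tokenization: the application store keeps random tokens in place of Social Security and account numbers, so a copy of that store yields nothing without separate access to the vault. The `TokenVault` class, the record layout and the customer values are all constructed for illustration.

```python
import secrets


class TokenVault:
    """Separate, tightly controlled store mapping sensitive values to random tokens.

    Unlike encryption, a token is not derived from the value: there is no key
    that turns it back into an SSN, only the vault lookup. (Constructed design.)
    """

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value: str) -> str:
        if value in self._to_token:          # same value -> same token, so joins still work
            return self._to_token[value]
        # Random token; only the last four digits are kept for display purposes.
        token = f"tok_{secrets.token_hex(8)}_{value[-4:]}"
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with vault access can recover the original value."""
        return self._to_value[token]


def build_records(vault: TokenVault, customers: list) -> list:
    """Application data store: holds tokens, never the raw SSN or account number."""
    return [
        {"name": c["name"],
         "ssn": vault.tokenize(c["ssn"]),
         "account": vault.tokenize(c["account"])}
        for c in customers
    ]


def leaks_plaintext(records: list, sensitive: list) -> bool:
    """What a thief copying the data store would see: any raw sensitive value present?"""
    dump = repr(records)
    return any(value in dump for value in sensitive)


# Constructed sample customers (fictional values).
CUSTOMERS = [
    {"name": "A. Example", "ssn": "123-45-6789", "account": "000111222333"},
    {"name": "B. Example", "ssn": "987-65-4321", "account": "444555666777"},
]
```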

“At last, tokenization is deployed, doing what it is supposed to do,” said Colin Bastable, CEO of Lucy Security. “Good job, Capital One, more please!”

Many organizations are rolling out “zero day start processes” to ensure that the new employee has all the equipment and all the credentials for corporate services. There isn’t always an equivalent process to remove access and credentials, and that may have been what tripped up Capital One.
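As an added illustration of what a “stop” process could check (example code, not from the article or any vendor), the function below reconciles a constructed HR roster against a constructed inventory of credentials and flags keys whose owner has left, plus keys that have not been used for a configurable number of days. The roster, credential ids and dates are all made up.

```python
from datetime import date

# Constructed HR roster: who is still active and when departed staff left.
HR_ROSTER = {
    "alice": {"status": "active", "left": None},
    "bob": {"status": "terminated", "left": date(2016, 9, 30)},
    "carol": {"status": "active", "left": None},
}

# Constructed credential inventory (placeholder ids, not real key formats).
CREDENTIALS = [
    {"id": "key-001", "owner": "alice", "last_used": date(2019, 7, 28)},
    {"id": "key-002", "owner": "bob", "last_used": date(2019, 7, 19)},   # owner left in 2016
    {"id": "key-003", "owner": "carol", "last_used": date(2018, 12, 1)}, # unused for months
    {"id": "key-004", "owner": "dave", "last_used": None},               # owner unknown to HR
]


def stale_credentials(roster: dict, credentials: list, today: date,
                      dormant_days: int = 90) -> list:
    """Return (credential id, reason) pairs an offboarding review should revoke.

    Reasons: 'owner_departed' when HR has no active record for the owner,
    'dormant' when the key has never been used or not within dormant_days.
    """
    findings = []
    for cred in credentials:
        owner = roster.get(cred["owner"])
        if owner is None or owner["status"] != "active":
            findings.append((cred["id"], "owner_departed"))
            continue
        last_used = cred["last_used"]
        if last_used is None or (today - last_used).days > dormant_days:
            findings.append((cred["id"], "dormant"))
    return findings
```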

“How about they also have a zero-day stop, too?” said Laurence Pitt, global security strategy director at Juniper Networks.

A final thing to note about the breach: There’s still a lot left for Capital One to figure out during the course of the investigation. When there are different teams involved—legal, forensics, incident response, public relations, and others—coordination is key. There is already a lot of confusion because Capital One offered contradictory information—no Social Security numbers were impacted, or 14,000 were exposed?—and that is likely because each group is working on its part of the incident and it is hard to coordinate all the different pieces. While there needs to be a consistent message, it’s also worth remembering that an evolving story means there is a lot that still needs to be figured out. All the answers aren’t there yet.

“Having peeled back the layers on multiple large scale breaches like Capital One's, there's no doubt that enterprise security remains a complicated, massive undertaking,” Taddeo said.

The state of New York has opened an investigation into the breach, which resulted in the theft of personal information of about 100 million consumers, Attorney General Letitia James said.

“We cannot allow hacks of this nature to become every day occurrences,” James said. “It is becoming far too commonplace that financial institutions are susceptible to hacks, begging the questions: Why do these breaches continue to take place? And are companies doing enough to prevent future data breaches?”