What Capital One’s cybersecurity team did (and did not) get right
There was no months-old, unpatched Apache flaw. An S3 bucket wasn’t publicly accessible to anyone with an internet connection. There was no effort to hide what happened behind the company’s bug bounty program.
When taken at face value, the Capital One breach looks awfully similar to other massive security failures that have made national news in the past few years. But while people fixate on the amount of information taken, some in cybersecurity circles see a silver lining in the way the bank has handled the incident.
Multiple security experts told CyberScoop that while the incident is clearly severe and there are still questions that need to be answered, actions taken by the Virginia-based bank — which did not respond to CyberScoop’s request for comment — prevented this breach from becoming another example of extreme corporate cybersecurity negligence.
“While it’s tempting to knock Capital One for this breach, there’s a lot they got right,” said Mark Orlando, the chief technology officer for cyber protection solutions at Raytheon.
‘Light Speed’ Recognition
According to the FBI complaint, a lone infiltrator, Paige Thompson, allegedly was able to pull gigabytes of personal information from Capital One in March after taking advantage of a misconfigured firewall in the bank’s cloud computing system. Through a set of commands, Thompson was able to manipulate the credentials of various employee accounts, the FBI said, granting her the ability to take a staggering amount of personally identifiable information (PII).
Once Thompson posted about her actions on GitHub, someone alerted Capital One through its vulnerability disclosure email address. From there, the company looped in law enforcement, which arrested Thompson nearly two weeks later.
Given that the average time for a breach to be discovered hovers around 297 days, the short timeline associated with the incident shows that Capital One knows the measures it must take when a breach does come to light.
“The arrest was made a mere 12 days after the initial vulnerability report, which is light speed in the industry,” Orlando told CyberScoop.
Furthermore, the fact that Capital One even has a contact for vulnerability disclosures puts it ahead of most of its peers. According to a 2018 report from HackerOne, a San Francisco-based bug bounty platform management company, 93 percent of companies in the Forbes Global 2000 list don’t have a vulnerability disclosure policy. The numbers among financial service companies measured in the report mirror the overall findings.
“The financial service and insurance industry’s coverage is nearly identical to that of the broader Global 2000, with approximately 93 percent of organizations … lacking a public [vulnerability disclosure policy],” the report states. “While leaders like American Express, Citigroup, JPMorgan Chase, ING, and TD Ameritrade have public [policies], nearly every other financial service and insurance organization on the list does not.”
Katie Moussouris, vulnerability disclosure expert and founder of Luta Security, told CyberScoop that Capital One’s actions are in line with what a company should do when tipped off via its disclosure contact.
“It’s good that they had a vulnerability disclosure program for people to report issues,” Moussouris said. “What would be better is if they updated their internal processes to ensure misconfigured, improperly secured data were not stored in Amazon S3 buckets.”
About those S3 buckets …
Capital One is no different than any company that wants to embrace cloud computing to further its business. As more companies find that the cloud is good for business, more of that business is pushed onto the cloud.
Yet one of the lingering questions is why the bank was storing so much sensitive information — the data contained PII from credit card applications dating back to 2005 — in what is considered a pretty basic feature of Amazon’s cloud offerings.
“Why would Capital One store all that data in a public S3 bucket in the first place?” said John Bambenek, vice president for Security Research and Intelligence at ThreatSTOP, a California-based network security company. “It’s like storing homemade sex tapes on Facebook and thinking that marking the profile ‘Private’ would protect them.”
“Public cloud has the word ‘public’ in it,” Dmitry Dain, founder of Manassas, Virginia-based application security company Virgil Security, told CyberScoop. “If it’s public, it’s accessible.”
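Dain’s point that a public bucket is reachable by anyone can be turned into a routine check. What follows is an added example, not code from the article, Capital One or Amazon: it classifies each statement of an S3 bucket policy (the standard policy JSON shape) and combines the result with the bucket’s Block Public Access settings (real setting names), because a `RestrictPublicBuckets` setting of true neutralises an existing public policy for anonymous and cross-account access. The bucket names, account ID and VPC endpoint ID are constructed placeholders, and bucket or object ACLs are deliberately out of scope.

```python
"""Detect "public" S3 bucket policies and reconcile them with Block Public Access.

Added example, not from the article, Capital One or Amazon. Only bucket
policies are inspected; ACLs are not modelled.
"""
from typing import Dict, List


def _principal_is_everyone(principal) -> bool:
    """True for the two spellings of "anyone": "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else list(aws)
        return "*" in aws
    return False


def classify_statement(stmt: dict) -> str:
    """Return 'public', 'conditional' or 'scoped' for one policy statement."""
    if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
        return "scoped"
    # A Condition may narrow "*" (for example to one VPC endpoint) or may not;
    # a reviewer has to read it, so it is reported separately rather than hidden.
    return "conditional" if stmt.get("Condition") else "public"


def public_statement_ids(policy: dict) -> List[str]:
    """Sids of statements that grant access to everyone with no condition at all."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if classify_statement(s) == "public"]


def bucket_is_public(policy: dict, public_access_block: Dict[str, bool]) -> bool:
    """Combine the policy with Block Public Access: RestrictPublicBuckets=True
    means an existing public policy no longer grants anonymous/cross-account access."""
    if public_access_block.get("RestrictPublicBuckets", False):
        return False
    return bool(public_statement_ids(policy))


# Constructed sample inputs (placeholder bucket names, account ID and endpoint ID).
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowEveryoneRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-applications/*"}],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppServerRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-server"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-applications/*"}],
}
CONDITIONAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-applications/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}}],
}
BLOCK_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
             "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BLOCK_ON = {key: True for key in BLOCK_OFF}


def audit(buckets: Dict[str, tuple]) -> Dict[str, str]:
    """Produce a one-line verdict per bucket from (policy, public_access_block) pairs."""
    report = {}
    for name, (policy, block) in buckets.items():
        if bucket_is_public(policy, block):
            report[name] = "PUBLIC via " + ", ".join(public_statement_ids(policy))
        elif any(classify_statement(s) == "conditional" for s in policy["Statement"]):
            report[name] = "review: Principal * narrowed only by a Condition"
        else:
            report[name] = "not public by policy"
    return report


if __name__ == "__main__":
    for bucket, verdict in audit({
        "example-applications": (PUBLIC_POLICY, BLOCK_OFF),
        "example-applications-guarded": (PUBLIC_POLICY, BLOCK_ON),
        "example-internal": (SCOPED_POLICY, BLOCK_OFF),
        "example-vpce": (CONDITIONAL_POLICY, BLOCK_OFF),
    }).items():
        print(f"{bucket}: {verdict}")
```

Run it as a script to see the per-bucket verdicts; in practice the policy and `PublicAccessBlockConfiguration` would be read from the account’s API rather than embedded.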
Companies with a large IT footprint like Capital One are realizing that as they move to the cloud, their IT teams are stuck with trying to mix security with inventory management. Ideally a company like Capital One should be fully aware of every piece of data, but in reality, the best companies never reach that mark.
Amazon did not respond to requests for comment.
“With most companies, if you’re able to manage 90 percent of what you have [on your network], you’re pretty sophisticated,” said Rob Fry, chief technology officer at Jask, an Austin-based security automation company. “Even if you could say you have 50,000 nodes inside AWS, and you are [monitoring] at 99 percent — which is unheard of — you still have a thousand things out there that might slip through the cracks.”
So when Capital One deploys what Dain calls “post-compromise protections,” such as the tokenization of Social Security and bank account numbers, it demonstrates that the company understands it might not be able to watch every piece of data that sits in its cloud.
“You have to understand that given the sheer size, given the amount of endpoints [Capital One] has to protect, at some point, this type of event is going to happen,” he said.
But Dain also wondered why that type of protection wasn’t used on all the data that was taken by Thompson.
“I think Capital One has to be given credit for protecting Social Security information, but they have to be held to a higher standard on the rest of the information,” he told CyberScoop. “They certainly have the technical wherewithal to be able to do it for more than just Social Security numbers.”
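The tokenization Dain credits, and the gap he points to for the remaining fields, can be shown in a few dozen lines. The following is an added example and not Capital One’s implementation: a token vault replaces a Social Security or account number in the application dataset with a format-preserving token, and the token-to-value mapping lives only in the vault. A copy of the dataset alone then exposes the untokenized fields and nothing else. The sample records are constructed; keeping the last four digits of each number is an assumed customer-service requirement and a deliberate trade-off that leaks those four digits.

```python
"""Tokenizing PII at rest, the kind of "post-compromise protection" the article describes.

Added example, not Capital One's code. The dataset stores tokens; the vault
holds the only token -> value mapping and must be protected separately.
"""
import copy
import secrets
from typing import Dict, Iterable, List, Set

KEEP_LAST_DIGITS = 4   # assumed requirement: customer service still sees the last four
MAX_ATTEMPTS = 1000    # bound the retry loop when few digits are randomised


class TokenVault:
    """Holds the only copy of the token -> real value mapping."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def _new_token(self, value: str) -> str:
        # Replace every digit except the last KEEP_LAST_DIGITS with a random digit;
        # dashes, spaces and other non-digits keep the original format intact.
        digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
        keep = set(digit_positions[-KEEP_LAST_DIGITS:]) if KEEP_LAST_DIGITS else set()
        replaceable = [i for i in digit_positions if i not in keep]
        if not replaceable:
            raise ValueError("too few digits to tokenize safely")
        chars = list(value)
        for i in replaceable:
            chars[i] = str(secrets.randbelow(10))
        return "".join(chars)

    def tokenize(self, value: str) -> str:
        # Same input -> same token, so joins across tables keep working.
        if value in self._value_to_token:
            return self._value_to_token[value]
        for _ in range(MAX_ATTEMPTS):
            token = self._new_token(value)
            # Reject a token that collides with an existing token or equals the value.
            if token not in self._token_to_value and token != value:
                break
        else:
            raise ValueError("could not find an unused token")
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


def tokenize_records(records: List[dict], fields: Iterable[str], vault: TokenVault) -> List[dict]:
    """Return a copy of the dataset with the named fields replaced by tokens."""
    out = []
    for record in records:
        rec = copy.deepcopy(record)
        for field in fields:
            if field in rec:
                rec[field] = vault.tokenize(rec[field])
        out.append(rec)
    return out


def fields_in_clear(tokenized: List[dict], originals: List[dict]) -> Set[str]:
    """Names of fields whose original values survive verbatim in the dataset,
    i.e. what someone who obtains only the dataset still learns."""
    exposed = set()
    for before, after in zip(originals, tokenized):
        for field, value in before.items():
            if after.get(field) == value:
                exposed.add(field)
    return exposed


# Constructed sample records (no real people or numbers).
RECORDS = [
    {"name": "Ada Example", "email": "ada@example.com",
     "ssn": "123-45-6789", "account_number": "4000123456789012"},
    {"name": "Bo Sample", "email": "bo@example.com",
     "ssn": "987-65-4321", "account_number": "4000987654321098"},
]
PROTECTED_FIELDS = ("ssn", "account_number")


def demo():
    """Tokenize the sample dataset and report which fields are still in the clear."""
    vault = TokenVault()
    safe = tokenize_records(RECORDS, PROTECTED_FIELDS, vault)
    return safe, fields_in_clear(safe, RECORDS)


if __name__ == "__main__":
    safe, exposed = demo()
    for row in safe:
        print(row)
    print("still in clear:", sorted(exposed))
```

The `fields_in_clear` report is the point of the exercise: it answers Dain’s question of which fields a copy of the dataset still gives away, and extending `PROTECTED_FIELDS` is how the "rest of the information" gets the same treatment.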
Identity management is hard
The way in which Thompson exploited the company’s cloud instances demonstrated a deep understanding of how AWS handles identity and access management (IAM). Thompson, once a systems engineer for Amazon, had knowledge that few possess of a process that is very complicated for companies of any size.
Corralling all identity and access management rules and keeping them secure has been one of the biggest challenges for security teams at any large organization. The more company assets that get integrated into the cloud, the longer the list of rules dictating who gets access grows, snowballing into a problem that even the best systems administrators will slip up on now and again.
“This is very hard to get right,” said a senior cloud security engineer who spoke to CyberScoop on the condition of anonymity. “Sometimes, the rules for these things span into six, eight pages of dense JSON text. You can’t just point to a folder and say ‘Administrators can read this, analysts can read that.’ It doesn’t work like that. It’s all these weird inherited side effects. It’s not that obvious at all.”
Amazon even offers tools that let IT shops test and troubleshoot IAM and resource-based policies, and audit the permissions already configured in existing cloud accounts.
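To make the "weird inherited side effects" concrete, here is an added example that is neither Amazon’s policy simulator nor Capital One’s tooling: a simplified evaluator for identity-based policies that applies the core rule AWS documents for its evaluation logic (an explicit Deny in any attached policy wins, otherwise any matching Allow wins, otherwise the request is denied) and runs it over a role that picks up a broad group policy. The policies, bucket names and role are constructed; `NotAction`, `NotResource` and `Condition` are not modelled and are rejected rather than silently ignored.

```python
"""Simplified evaluator for AWS-style identity policies (Allow/Deny statements).

Added example, not Amazon's Policy Simulator and not Capital One's tooling.
Effective permission = union of every attached policy, explicit Deny beats
Allow, default is Deny. Action matching is case-insensitive, Resource matching
is case-sensitive, and "*" / "?" are the only wildcards, as in IAM.
"""
import re
from typing import Dict, Iterable, List


def _glob_to_regex(pattern: str) -> "re.Pattern":
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.DOTALL)


def _matches(spec, value: str, *, case_insensitive: bool = False) -> bool:
    """spec is a single pattern or a list of patterns, as IAM allows."""
    patterns = [spec] if isinstance(spec, str) else list(spec)
    if case_insensitive:
        patterns = [p.lower() for p in patterns]
        value = value.lower()
    return any(_glob_to_regex(p).match(value) for p in patterns)


def evaluate(policies: Iterable[dict], action: str, resource: str) -> str:
    """Return 'Allow' or 'Deny' for one (action, resource) request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            for unsupported in ("NotAction", "NotResource", "Condition"):
                if unsupported in stmt:
                    raise NotImplementedError(f"{unsupported} is not modelled here")
            if not _matches(stmt.get("Action", []), action, case_insensitive=True):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit Deny ends evaluation
            allowed = True             # remember the Allow, keep looking for a Deny
    return "Allow" if allowed else "Deny"


def effective_permissions(policies: List[dict], actions: List[str],
                          resources: List[str]) -> Dict[str, List[str]]:
    """For each resource, list the candidate actions the combined policies allow."""
    return {res: [a for a in actions if evaluate(policies, a, res) == "Allow"]
            for res in resources}


# Constructed sample policies (placeholder bucket names).
ANALYST_POLICY = {   # what the analyst role is meant to have
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadAnalytics", "Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::analytics-reports",
                                "arn:aws:s3:::analytics-reports/*"]}],
}
OPS_GROUP_POLICY = {  # inherited through group membership, written for another team
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OpsFullS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
GUARDRAIL_POLICY = {  # explicit Deny that survives any inherited Allow
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyCustomerData", "Effect": "Deny", "Action": "s3:*",
                   "Resource": ["arn:aws:s3:::customer-applications",
                                "arn:aws:s3:::customer-applications/*"]}],
}

ACTIONS = ["s3:GetObject", "s3:ListBucket", "s3:PutBucketPolicy"]
RESOURCES = ["arn:aws:s3:::analytics-reports/q1.csv",
             "arn:aws:s3:::customer-applications/2005/app.json"]


if __name__ == "__main__":
    for label, attached in [("analyst only", [ANALYST_POLICY]),
                            ("analyst + ops group", [ANALYST_POLICY, OPS_GROUP_POLICY]),
                            ("with guardrail", [ANALYST_POLICY, OPS_GROUP_POLICY, GUARDRAIL_POLICY])]:
        print(label)
        for res, allowed in effective_permissions(attached, ACTIONS, RESOURCES).items():
            print(f"  {res}: {allowed or 'nothing'}")
```

The second run is the side effect the engineer describes: nothing in the analyst’s own policy mentions the customer-applications bucket, yet the inherited `s3:*` on `*` grants every listed action on it. The third run shows why an explicit Deny guardrail on the sensitive prefix is the robust fix, since it holds no matter what else is attached later.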
Capital One clearly had some issues with the way it set up rules governing access to its infrastructure. But having a former AWS systems engineer figure out a way to exploit IAM rules is a far cry from the hundreds of times organizations all over the world have left information stored in Amazon’s cloud for any amateur hacker to find.
Recency Bias
Even with all of the steps Capital One took to prevent this breach from being a cataclysmic disaster, the overall public sentiment around breaches is a mix of fatigue and disgust. The Equifax breach is still causing headaches, years after being discovered.
Even with the efforts Capital One has put forth, two class-action lawsuits have been filed and New York’s attorney general has pledged to open an investigation into the breach.
So as the legal process runs its course, the cybersecurity community will continue to wonder what more Capital One could have done to avoid the breach. But Dain told CyberScoop that any large organization — whether it’s an international bank, a global manufacturing conglomerate or the U.S. government — can assume that it has a target on its back.
“No one is immune from the kind of attack that has happened,” Dain told CyberScoop. “As an organization, you’re going to go to extreme lengths to protect information. But, you are going to get hacked. So what happens when you do?”