Another one bites the dust
“Federal prosecutors charged a Seattle woman with stealing data from more than 100 million credit applications made with Capital One. FBI agents arrested Paige A. Thompson on suspicion of downloading nearly 30 GB of Capital One credit application data from a rented cloud data server. Capital One said the incident affected approximately 100 million Americans and included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers on U.S. consumers.”
— Krebs on Security
I’m sure it will be quite some time, if ever, before we learn what really happened with this data breach. As with the thousands of data breaches before it, security leaders will be answering the same question from their executive teams: “Can this happen to us?” And I’m sure most of the responses will be, “It’s not a matter of if, but when we get hacked.”
Neither side will feel any more comfortable with those responses. Since I love sports, I’ll use this analogy: Imagine a coach going into the team locker room before the game and saying, “I’ve seen the opponent and there is no way we can beat this team, so go out and try your best!” Not so sure you would get the best out of the players.
As a security person myself, I fully understand the level of effort it takes to secure an organization. It does appear sometimes that we’re not making any progress, especially considering these massive data breaches, but we are getting better. Just a few years ago, I never heard a CEO or board member tell me that cybersecurity kept them up at night. Now, I’m shocked if I don’t hear it.
Since I don’t know the details at Capital One, I am left with having to piece together how the same scenario could impact my organization. Based on the articles I’ve read, the hacker had been a systems engineer at one time with AWS (Amazon Web Services), which hosts Capital One’s data.
I’m leaning toward believing that the hacker had more knowledge about the exploit on the system and knew where the data was instead of crowning her a glorified hacker. Opportunistic is probably a better word.
It does speak to one of our greatest cyber risks — third-party or vendor risks. Many organizations, much like Capital One, are moving their data and infrastructure to the cloud to lower their costs. It makes perfect business sense, but it does not remove our accountability and responsibility to protect our customers’ data. We still have skin in the game and it’s not the third party that will suffer the reputational backlash from one of these events. Ask yourself, can my organization withstand a breach?
Another thing I’ve learned from the Capital One event is that the exploit was available through a misconfigured firewall and quite possibly that system had not been patched. Three areas that are mandatory in any organization’s information security program are change management, patch management and vulnerability management.
These are also three areas of constant change. Technology is changing all the time, and with change, systems and applications need to be updated and patched. Hackers are scanning our networks and systems, looking for any unpatched system to exploit.
In 2017, security firm Fortinet released a Global Threat Landscape report and concluded that 90% of hacks that year could have been avoided if organizations updated and patched their systems.
Experts say it takes, on average, 24 hours to break into a heavy-duty modern safe. But it only takes 20 minutes to break into an unpatched computer connected to the internet.
A strong vulnerability management program can be used to detect systems and applications that have not been patched. Call it a sanity check for your patch management program. New vulnerabilities and exploits are released daily, so it’s important to consistently scan your environments and remediate the vulnerabilities before the hackers find them.
The Department of Homeland Security is really stepping up its game to help organizations secure their environments. Its focus is now on helping financial services organizations. It understands we are the most attacked industry and is offering many free services to help us. All we must do is ask for help.