Time to Think Beyond Access: 3 Lessons from Capital One Data Breach

On July 19, 2019, Capital One determined that an outside individual had gained unauthorized access and obtained certain types of personal information about Capital One credit card customers. That week the internet was abuzz with information about the Capital One data breach. Around 30 GB of data was breached. It is estimated to consist of around 140,000 social security numbers (SSN) and 80,000 bank account numbers of US consumers, and around 1 million social insurance numbers (SIN) of Canadian credit card consumers.

TL;DR

As per the information published and inferred by a number of news outlets, the attacker was able to exploit a misconfiguration in a Web Application Firewall (WAF) that allowed the attacker to assume the role of the WAF and use it to list as well as copy the contents of AWS S3 buckets.

3 LESSONS FROM THIS BREACH

  1. The AWS S3 buckets in this breach were not publicly exposed. So, contrary to popular belief, a major data breach is not limited to AWS S3 buckets that are misconfigured and publicly exposed. Think beyond security tools that only do configuration checks.
  2. The data in this breach was exfiltrated using the S3 sync command, which internally calls the S3 APIs. Modern Internet applications are driven by APIs, and as seen in this breach, today’s Web Application Firewall (WAF) is not the best tool for securing APIs. Think beyond authentication and authorization, as today’s threats are ONLY about the data.
  3. This data breach was reported to Capital One via their responsible disclosure email. Capital One did not have the right set of tools to provide visibility and discovery. Think beyond reactive response and look towards tools that provide visibility and discovery, which lead to a better understanding of how your data moves.
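The second and third lessons above come down to one question: would you notice a legitimate role listing a bucket and then pulling every object out of it, which is exactly the API footprint a sync produces? The following is an added example, not code from the original post, from CloudVector or from Capital One. It parses CloudTrail-style S3 data events and flags a principal that issues a listing call followed, within a short window, by a burst of GetObject calls against the same bucket. The role ARNs, bucket name, IP addresses and the log lines themselves are constructed placeholders for illustration.

```python
"""Detect sync-like bulk downloads in CloudTrail-style S3 data events.

Added example, not the original post's code. All ARNs, bucket names, IPs and
events below are constructed for illustration and are not real log data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical principals: the assumed role of a WAF instance and of an app server.
WAF_ROLE = "arn:aws:sts::111122223333:assumed-role/example-waf-role/i-0abc"
APP_ROLE = "arn:aws:sts::111122223333:assumed-role/example-app-role/i-0def"

# Listing calls that precede a bulk download of a specific bucket.
LIST_CALLS = {"ListObjects", "ListObjectsV2"}


def _event(name, arn, bucket, key, ts, ip):
    """Build one constructed CloudTrail-like S3 data event as a JSON line."""
    return json.dumps({
        "eventTime": ts,
        "eventName": name,
        "eventSource": "s3.amazonaws.com",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "AssumedRole", "arn": arn},
        "requestParameters": {"bucketName": bucket, "key": key},
    })


# Constructed sample log: the WAF role lists a bucket and then fetches six objects
# in six minutes; the app role fetches one config object twice, which is normal.
SAMPLE_LOG = "\n".join(
    [_event("ListObjects", WAF_ROLE, "example-customer-data", None,
            "2019-03-22T10:00:01Z", "198.51.100.7")]
    + [_event("GetObject", WAF_ROLE, "example-customer-data", f"part-{i}.csv",
              f"2019-03-22T10:0{i}:15Z", "198.51.100.7") for i in range(1, 7)]
    + [_event("GetObject", APP_ROLE, "example-customer-data", "config.json",
              "2019-03-22T10:02:00Z", "10.0.1.5"),
       _event("GetObject", APP_ROLE, "example-customer-data", "config.json",
              "2019-03-22T10:04:00Z", "10.0.1.5")]
)


def parse_events(log_text):
    """Parse newline-delimited JSON events into flat dicts sorted by time."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        events.append({
            "time": datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "name": e["eventName"],
            "arn": e["userIdentity"]["arn"],
            "bucket": e["requestParameters"].get("bucketName"),
            "ip": e["sourceIPAddress"],
        })
    events.sort(key=lambda ev: ev["time"])
    return events


def find_bulk_downloads(events, window=timedelta(minutes=10), min_gets=5):
    """Flag (principal, bucket) pairs where a listing call is followed within
    `window` by at least `min_gets` GetObject calls: the footprint of a sync."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["arn"], ev["bucket"])].append(ev)

    findings = []
    for (arn, bucket), evs in by_pair.items():
        for i, ev in enumerate(evs):
            if ev["name"] not in LIST_CALLS:
                continue
            deadline = ev["time"] + window
            gets = [g for g in evs[i + 1:]
                    if g["name"] == "GetObject" and g["time"] <= deadline]
            if len(gets) >= min_gets:
                findings.append({
                    "principal": arn,
                    "bucket": bucket,
                    "list_at": ev["time"].isoformat(),
                    "get_count": len(gets),
                    "source_ips": sorted({g["ip"] for g in gets}),
                })
                break  # one alert per principal/bucket pair is enough
    return findings


if __name__ == "__main__":
    for finding in find_bulk_downloads(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

Running it reports the WAF role's list-then-six-GetObject sequence against the constructed bucket and stays silent about the app role. The thresholds are deliberately low for a toy log; in practice you would tune `window` and `min_gets` per bucket against a baseline of who normally reads it, and treat a read-only infrastructure role such as a WAF enumerating a data bucket as a finding in its own right regardless of volume.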

LEARN MORE

Check out this 44-second video about the data breach and how CloudVector can protect your data.

Check out our detailed 6-minute video demonstrating CloudVector capabilities to detect and prevent unauthorized AWS S3 downloads.

Traditionally, and even today, many of us tie security to access control. Access control is needed, but this breach is a great example of why we need to think beyond it and look at the data, and at the interface to that data, i.e. the APIs, as the means to secure the data. Please comment below and let me know what you think. Also, please follow me on Twitter @ravi_balupari and let’s talk some more.