Capital One Bank announced [1] that on July 19, 2019, it determined there had been an intrusion into its systems affecting approximately 100 million individuals in the United States and approximately 6 million in Canada. The stolen data includes “personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and income.” The details show that about 140,000 Social Security numbers and 80,000 linked bank account numbers were part of the stolen data.

A misconfigured firewall on a cloud asset

The incident hit the news quickly, with details pouring in, as it is one of the major data breaches of 2019. Researchers found [2] that the suspected hacker behind the incident (a former Amazon employee, since arrested) exploited a vulnerability in a misconfigured firewall on an Amazon AWS bucket used by Capital One.

Capital One is one of the banks that use cloud services quite actively. In 2015, it announced that “all new company applications would run in—and all existing applications would be systematically rearchitected for—the cloud”. The move was so successful that Amazon Web Services shows Capital One’s cloud operations as one of its case studies [3].

Misconfigured cloud assets are open invitations to hackers

Many companies use cloud servers to store their data. Despite their great advantages, misconfigured servers may expose sensitive data. Such a mistake is an open invitation for hackers to dump a company’s data and use it for their malicious activities, as we have seen in this incident. This is not the first time a misconfigured cloud asset has caused a significant data breach.

3rd- and 4th-party service providers, such as cloud storage providers, improve their cyber resilience as much as possible. They publish best practices on how to use their cloud services and provide options to keep the data public or private, a setting configured by the companies that use the cloud servers. Any misconfiguration may expose data to the public, and the first to notice the exposed data would be hackers and hacktivists. It is no wonder that Security Misconfiguration is #6 in the OWASP Top 10.

A short list of common misconfigurations

  • Use of factory default system credentials (username/passwords)
  • Directory and file listings that are not disabled and easily available through search engines
  • Traces returned to users that contain too much information, such as pages with detailed error messages
  • Unnecessary items left in place, such as sample apps, old privileges, and user accounts
  • Out-of-date software (older versions), use of legacy systems, and patches that are not up to date

Simple steps to prevent misconfigured servers

  • Discover all the 3rd and 4th party service providers and cloud storage servers that your company uses.
  • Check for misconfiguration of cloud storage servers.
  • Monitor the cyber risk of your 3rd and 4th party providers.
  • Regularly check Intrusion Detection System (IDS) logs, and consider host-based IDS rather than network-based IDS to examine events at the host level.
  • Increase the cybersecurity awareness of your employees and regularly check for leaked credentials.
  • Create an agile patch management procedure.
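
One way to carry out the “check for misconfiguration of cloud storage servers” step for S3-style buckets, as an added example that is not part of the original article: it scans a bucket policy and ACL for grants that open the data to anyone. The bucket names, account ID, policies and ACLs are constructed samples; in practice they would be fetched from the cloud provider's API.

```python
import json

# AWS predefined ACL groups that open a grant to everyone / any AWS account.
ACL_GROUP_PREFIX = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {ACL_GROUP_PREFIX + g for g in ("AllUsers", "AuthenticatedUsers")}

def _as_list(value):
    # Policy fields may be a single value or a list of values.
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    # "*", {"AWS": "*"} and {"AWS": [..., "*"]} all mean "anyone".
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def public_findings(policy_json, acl_grants):
    """Return human-readable findings for one bucket's policy and ACL."""
    findings = []
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _is_wildcard(stmt.get("Principal")):
            actions = ",".join(_as_list(stmt.get("Action", "?")))
            # A Condition may narrow the grant, so flag it for a human to judge.
            note = " (conditional, review manually)" if stmt.get("Condition") else ""
            findings.append(f"policy allows {actions} to anyone{note}")
    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            group = uri.rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings

# Constructed sample data: (bucket policy JSON, ACL grants) per bucket.
SAMPLE_BUCKETS = {
    "example-public-bucket": (
        '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*",'
        '"Action":"s3:GetObject","Resource":"arn:aws:s3:::example-public-bucket/*"}]}',
        [{"Grantee": {"URI": ACL_GROUP_PREFIX + "AllUsers"}, "Permission": "READ"}],
    ),
    "example-private-bucket": (
        '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Principal":{"AWS":'
        '"arn:aws:iam::111122223333:role/app"},"Action":["s3:GetObject"],'
        '"Resource":"arn:aws:s3:::example-private-bucket/*"}}',
        [{"Grantee": {"ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"}],
    ),
}

if __name__ == "__main__":
    for name, (policy, grants) in SAMPLE_BUCKETS.items():
        print(name, public_findings(policy, grants) or "no public grants found")
```

An empty result only means no wildcard grant was found in these two documents; account-level public access settings and network controls need their own checks.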

Sources:

[1] https://www.capitalone.ca/facts2019/
[2] https://arstechnica.com/information-technology/2019/07/feds-former-cloud-worker-hacks-into-capital-one-and-takes-data-for-106-million-people/
[3] https://aws.amazon.com/solutions/case-studies/capital-one-enterprise/