
When a ‘Good’ Plan Isn’t Good Enough: Capital One is Data Security’s Latest Victim

Posted by Brett Scott on Aug 7, 2019 3:39:47 PM

“What’s in your wallet…?” Now we all know, thanks to Capital One’s data breach of 106 million customers. So why didn’t Capital One ensure its own cybersecurity?

The Perfect Storm: Dynamic Industry, Low Rewards and Limited Skills

Most organizations cannot keep up with technology’s constantly and rapidly changing landscape. Today, there is too much change, insufficient talent, and not enough time allocated to doing things properly. Sadly, problems are woefully understated, as many serving in technology roles lack the required competencies to ensure business cybersecurity is conducted effectively.

Top cybersecurity talent is missed because compensation ranges are not aligned with the value of the skill sets required. Exacerbating the issue are hiring teams and managers untrained in what to look for, and an internal hierarchy skilled in protecting the status quo. Sadly, as a cybersecurity professional who has been involved in the industry for over 20 years, this is our current state of affairs.

Businesses today, especially financial institutions, should view cybersecurity as their highest priority and greatest legal, moral, and fiduciary responsibility. Those in roles involving sensitive information (personal, financial, competitive) who see it as anything less should opt out and seek a position that requires little and affects few. And for the record, simple credit monitoring is not enough.

It Takes More Than Infrastructure

Capital One, a vocal proponent of the cloud, was considered among the most cloud-forward companies in the world, and I have no doubt that it takes cybersecurity seriously. I’m certain they had proper security procedures and protocols in place for installing and managing their infrastructure. So then, what happened?

Their cybersecurity failure resulted in a massive breach and the loss of more than 140,000 social security numbers. Worse, they did not tokenize the Canadian social insurance numbers, so Canadians are more adversely affected.

We now know the problem was caused by a misconfiguration. Misconfigurations are responsible for a significant percentage of breaches. Humans make mistakes and so do “AI” systems, all the time. When configuring a cloud-based system, not only do you not have full control of your environment, but you may not be aware of some important factors:

  1. Misconfiguration in the cloud is very easy to do. The design of the cloud provisioning systems is all about speed and convenience.
  2. Cloud systems are inherently not secure, as cybersecurity is antithetical to the fundamental strategies of businesses moving to the cloud (on-premise infrastructure, etc.).
  3. Monitoring cybersecurity in the cloud is a challenge and most organizations have no plan/structure/run book for cloud cybersecurity as part of their daily practices.

Regardless of increased cybersecurity concerns, cloud systems are not going away. Organizations need to formulate an integrated cybersecurity plan, implement the technologies necessary and maintain visibility.

But is a “good plan” enough?

The simple answer is no. “No plan survives first contact with the enemy.” Processes need to be added.

Garbage in, Garbage out

One of the dirty/insider secrets of cybersecurity is that a large percentage of devices and software is misconfigured. What’s worse is that often security technologies give no indication they are misconfigured. In the very worst of cases, they (falsely) report they have done something when, in fact, they have not. It is a mess.

The solution is not magic. The answer lies in auditing and verification. Organizations that regularly perform vulnerability assessments, penetration tests, and technology audits eventually catch system misconfigurations. However, the specific mechanisms mentioned are too slow for today’s cybersecurity threats.

I am not suggesting we dump, minimize, or reduce those mechanisms; quite the opposite. Everyone should be doing more of those things. At a minimum, new systems, servers and software need to be audited before they go to production. In reality, all should be audited before the technical team can place them into staging (the three-step development/implementation cycle: development, staging, production).

Auditing should be performed by individuals and/or organizations that are not affiliated with the system or its installation and are not beneficiaries of the new system. It should be assessed by someone who is incentivized to find problems: perhaps a competitor, a third-party contractor, or a cybersecurity club or organization. Have the third party simply test the system/server. This is not a vulnerability assessment or a penetration test per se; it is simply checking for configuration errors, which is a very different process.

In the case of Capital One, the issue seemed to be that the attack exploited a misconfigured web application firewall. Could the breach have been prevented if Capital One had implemented auditing procedures for their security configurations? We will never know, but it stands to reason that it would have helped. Maybe they should change their slogan to “What’s in your Configuration?”

The Tech Data Solution

While there is no silver bullet for mitigating every possible misconfiguration or vulnerability in a corporate network, Tech Data has developed a set of solutions and services to assist our partners in the journey. For example, Tech Data has a network of service providers who can provide various types of audits and solution implementations to ensure security systems are configured properly.

In addition, Tech Data is about to open its first Tech Data Cyber Range (TDCR) towards the end of the year. The mission of the TDCR will have three components. First, we will train/enable our partners and their customers with expert cybersecurity skills by providing hands-on practical exercises and experience. Second, we will provide demonstrations of security technology from many of our security vendors. Third, we will provide a place of cyber engagement for partners and their customers to learn about the many types of cybersecurity jobs available and interact with like-minded cybersecurity professionals.

For more information about the many security technologies, services and solutions available from Tech Data, please reach out to your Tech Data sales representative or email us at SecurityServices@techdata.com.

About the Author

Brett Scott serves as director of security solutions for Tech Data where he is responsible for new supplier research and recruitment. Brett is the co-founder and technical architect of the Arizona Cyber Warfare Range, a non-profit organization leading the country in teaching hands-on cyber security skills in a real-world environment to those motivated to develop real competence in cyber security. A hands-on leader with years of experience leading technical teams, Brett has worked in an array of industries and is an expert on cyber security issues facing companies today.

Tags: Cybersecurity, Cloud Security, Data Breach, Breach, Misconfiguration