Why Your Company Could be the Next Equifax or CapitalOne

Though many of us may only hear about big cybersecurity incidents like the Equifax breach of 2017 and the CapitalOne hack of 2019, cybersecurity incidents are becoming increasingly common in the modern world.
Many C-suite executives and other decision-makers likely shook their heads as they read about these and other serious cybersecurity incidents, thankful that that sort of thing could never happen to their organization. Unless you have a flexible and robust cybersecurity strategy in place, stay up-to-date on current threats, and have a post-breach playbook, the unfortunate reality is that your organization could experience a similar beach.

You Aren’t Up to Date on Cybersecurity Threats

You can’t adequately protect your organization and safeguard your digital assets if you don’t know what you are safeguarding your assets from. The cybercriminal landscape is continuously shifting and changing, and new threats are popping up every day.
Cybercriminals don’t work nine to five, Monday through Friday, so your cybersecurity team can’t either. Your team needs to be able to monitor threats 24/7/365.
Safeguarding Your Data

You Aren’t Adequately Safeguarding Your Data

Not only do you need to stay up to date on all potential threats, but you and your team need to have the knowledge and skills necessary to protect your assets and thwart any would-be breaches before they occur. If you do not have an adequate cybersecurity strategy in place to safeguard your data, you are vulnerable to a breach or other cybersecurity incident.

Your Employees Need More Training

Every employee, from the CEO all the way down the ladder, is responsible for cybersecurity. Employees need to understand why cybersecurity is important, what they can do to help safeguard your organization’s digital assets (from selecting strong passwords to reporting suspicious emails), and what they need to do if a breach or other incident occurs.
Not only do employees need to be trained, but their training should be ongoing and reviewed regularly. Tabletop scenarios and pen tests can help your team keep their skills up to date and avoid getting rusty. These scenarios also give your team a chance to test out your current cybersecurity protocols and analyze the efficacy of their response in a zero-risk environment so that they can be better prepared if an incident does occur.
Poorly trained or inadequately trained employees are a security risk, and may not even know they have compromised your cybersecurity or inadvertently caused a breach until the damage is already done.

You Don’t Have an Offboarding Process

While most organizations have a formal, or even informal, onboarding process (sorting out ID badges, assigning desks, signing paperwork), many organizations lack formalized protocols for offboarding employees who are leaving the organization.
When someone leaves your organization, you need to have a formal checklist in place for removing their access to critical systems as well. This includes removing access to internal systems as well as asking them to turn over their keys, ID badge, and any company equipment they were granted the use of during their time with the company.
Post Breach Cybersecurity Plan

You Don’t Have a Post-Breach Plan

Unfortunately, too many organizations don’t have adequate post-breach protocols in place. This means that when an incident does occur both employees and management are ill-prepared to deal with the aftermath. Being unprepared can not only prevent you from properly addressing the breach and shoring up your defenses, but it could cause you to inadvertently run afoul to regulations such as GDPR because you are unable to craft the necessary comprehensive reports.
Reacting poorly to a breach can also harm your reputation and damage the trust you have worked hard to build with clients or customers.

Your Permissions Are Too Permissive

The hacker responsible for the CapitalOne hack may have used her insider knowledge of Amazon Web Service’s systems to exploit a bug and gain unauthorized access to CaptialOne’s private servers, but once she was inside it was CapitalOne’s excessive permissions that allowed her to gain access to the data of nearly 100 million Americans.
The way CapitalOne had configured their internal permissions meant that once the hacker was inside, she encountered almost no resistance and was able to easily view and read a wide selection of private files, and export them. By implementing policies such as zero-trust architecture, you can contain a hacker and prevent them from moving freely about the system should they be able to gain access. Zero-trust architecture works like RFID keycards: you need to verify who you are each time you try to access private or sensitive areas of the system.

An MSSP Can Help

All of this may seem overwhelming. Cybersecurity is complicated, and there are a lot of things you need to consider to ensure that your organization’s digital assets remain secure. A good Managed Security Services Provider (MSSP) can help you craft tailored cybersecurity strategies to meet your needs, monitor your systems 24/7/365 for potential threats, provide ongoing support, help you train your employees, and help you mitigate damage and ensure compliance if a cybersecurity incident does occur.

The Capital One Hack: The Latest in a Series of High-Profile Breaches

It seems like almost every day brings news of another large, high-profile hack affecting millions of Americans and other users around the world. Though wide-reaching hacks affecting large companies and millions of users are more likely to make the news, the reality is that cybercriminals are increasingly targeting small and medium-sized organizations as well.
Cybercriminals are constantly evolving and changing their tactics in the hopes that they can stay ahead of cybersecurity experts. Looking back on high-profile hacks like the CapitalOne hack can give us insight into how cybercriminals operate and help us craft robust cybersecurity policies that allow us to approach cybercrime in a way that works to preemptively safeguard digital assets.

What Happened?

The CapitalOne hack occurred on March 22nd and 23rd of this year but was not discovered by CapitalOne until July 19th. The incident affected credit card applications as far back as 2005. The hacker, Paige Thompson, is accused of breaking into a CapitalOne server and gaining unauthorized access to 140,000 Social Security Numbers, 1 million Canadian Social Insurance Numbers, and 80,000 bank accounts. She is also accused of accessing an undisclosed number of names, addresses, credit limits, credit scores, balances, and other personal information according to CapitalOne and the US Department of Justice. In total, the breach affected approximately 100 million Americans and 6 million Canadians.
As of the writing of this article, she is still awaiting trial.
Ms. Thompson, a former software engineer for Amazon, was able to gain access to the private server by exploiting a misconfigured firewall. The server is run by Amazon Web Services (AWS).

What We Learned

The Capital One Data Breach
Ms. Thompson was able to gain access to CapitalOne’s private AWS server by exploiting a misconfigured firewall, which she was able to trick into granting her access to critical back-end resources. The misconfigured firewall was not only vulnerable, but it had also been granted more permissions than it should have. This allowed Ms. Thompson to view a wide selection of files and read their contents. She was also allowed to export private information, thereby stealing sensitive CapitalOne customer data.
The type of vulnerability Ms. Thompson exploited is a well-known method called a Server Side Request Forgery (SSRF) attack. In this case, the server was tricked into running commands that it should never have had permission to run in the first place.
The CapitalOne hack taught us that even seemingly minor vulnerabilities can be exploited and that overly generous permissions pose a hazard. CapitalOne was also not aware of the breach until it was reported to them by someone who saw that Ms. Thompson had posted the private CapitalOne data on her GitHub page. If they had been monitoring their systems more closely, they might have been able to detect the breach right away instead of being made aware of it by a good Samaritan months later.

What Can You Do to Protect Your Organization

The Capital One Data Breach
The best thing you can do to protect your organization from hacks like the CapitalOne hack or any other cybersecurity incident is to be vigilant and take a preemptive position. It is always better to safeguard against potential threats than deal with breaches and hacks after they have already occurred.

Ensure Firewalls and Other Software is Up to Date

One of the simplest things you can do to protect your organization’s digital assets is to keep your software up to date. This includes cybersecurity specific software such as anti-virus software as well as the software your organization uses to conduct its everyday business.
When software companies detect flaws in their products, they release patches, which are small snippets of code designed to patch vulnerabilities or fix bugs. Cybercriminals look for these patches because they show them exactly where exploitable vulnerabilities exist in out-of-date software.
By keeping your software up to date, you can take advantage of these security fixes, making it more difficult for cybercriminals to gain unauthorized access to sensitive or proprietary data.
You should also review your cybersecurity protocols regularly so that they can be updated or adjusted according to your evolving needs. Regular reviews and audits also help ensure that your employees know how to spot suspicious activity, and whom they should report it to.

Limit Permissions

The CapitalOne server was granted too many permissions, which allowed Ms. Thompson to view and export large amounts of sensitive information. Should your organization experience a hack, limited permissions can help limit cybercriminal access.
By limiting permissions for both software and employees to only what these entities need to complete their jobs you make it more difficult for a cybercriminal to access sensitive or proprietary sections of your infrastructure, slowing them down and limiting the damage they can inflict. Slowing cybercriminals down helps ensure that their activities are noticed before they can cause too much damage or gain access to other systems.

Monitor Everything

You can’t mount an effective defense against a cyberattack if you don’t know one is happening. By monitoring all traffic on your network, both within the network and between your network and the Internet or other external programs, you can better keep an eye out for suspicious activity.
You should also make sure that the employees responsible for monitoring your systems have the appropriate training to recognize suspicious activities and either report them or investigate them themselves.

Have an Official Offboarding Process

Ms. Thompson knew the vulnerability was there because she had worked as a software engineer for Amazon, who owned and maintained the server used by CapitalOne. Though Ms. Thompson had to hack her way into the server, too many companies don’t have proper offboarding processes in place to revoke permissions for former employees.
By making sure you have proper procedures in place to revoke access to your organization’s systems, you can help prevent disgruntled former employees from using their permissions to gain unauthorized access.

Consider an MSSP

Keeping your software up to date and limiting permissions are both critical, but will only get you so far. To stay one step ahead of cybercriminals, you need to ensure that your current cybersecurity protocols are both robust enough to safeguard your digital assets effectively and flexible enough to adapt to the ever-changing cybersecurity landscape.
Not every organization is large enough to support an in-house cybersecurity team, and that is okay. A Managed Security Services Provider (MSSP) consists of a team of cybersecurity experts, who can help you create tailor-made cybersecurity solutions to meet your organization’s unique needs, provide employee training, monitor your systems for suspicious activity, and help you limit or even avoid damage should a cybersecurity incident occur.

Recapping DerbyCon 8.0

Written by Tianyi Lu, Chief Architect
Compared to larger security conferences, such as Def Con or Black Hat, DerbyCon is more intimate. For me, this means that I’ll have more opportunities to engage speakers and have meaningful conversations. This intimacy is by choice: the conference is quite exclusive, with tickets selling out within minutes of being released.
If you’ve never attended, DerbyCon is held annually in Louiseville, KY and is typically attended by several thousand attendees that range from individual cybersecurity contractors to high-level security architects from major companies like Facebook, Google, Twitter, Walmart, and so on.
Moreover, it’s rumored that undercover agents from the NSA, FBI, and CIA are in attendance every year.

Seeing Red

Compared to other conferences, DerbyCon is heavily focused on the red team, with most of the talks being about exploits, how specific exploits/malware operate, and the TTPs (Tactics, Techniques, and Procedures) that malicious actors – members of the “red team” – utilize.
Understanding how malicious actors – the “red team”, as it were – operates is important in understanding how to defend against them. 
The blue team – cybersecurity firms and defenders (like us) – are constantly working to reverse engineering the thinking and reasoning employed by the red team. This is a constant struggle that we must participate and lead if we are to be successful in keeping the web – and our clients – secure.

Takeaways From a Talk About App Security

Tech companies value their security and the security of their users. No company wants their name, product, or operating system tied to the next big breach.
In one interesting talk I attended, Apple described their new built-in security features in the latest version of MacOS. Called code signing applications, it effectively acts as a digital notary. Developers seeking to create a new app for the Mac or iOS ecosystem are required to register with Apple and have a valid developer ID. This ID works with a security agent on the Mac (called the Gatekeeper) and is designed to ensure that the apps users are downloading are legitimate and safe.
Unfortunately, Gatekeeper is quite easy to bypass and thus doesn’t provide more than a cursory level of security. This is a prime example of why it’s important to take security seriously and be diligent. Even though device manufacturers go to lengths to secure their products and ecosystems, the red team is working just as hard to circumvent them.

Cat and Mouse

Every year DerbyCon unveils several 0-day exploits. These exploits – security gaps found in code that haven’t been patched or discovered by their respective vendors – represent a very real risk to people and organization utilizing the affected software. These exploits are not created by DerbyCon, but are “released” in that security professionals and researches disclose them publicly for the first time.
0-day exploits are particularly dangerous because the red team often takes advantage of them, using them in ways and antivirus/antimalware software often doesn’t recognize.
As usual, it’s an ever-evolving game of cat and mouse. As there is no singular security tool that can subdue the reds, we reply on changing the economics of an attack via a “security in layers” approach. Given that no one method or tool is invulnerable, this layered approach has demonstrated itself to be the most economical and effective way of approaching security.
By having many layers of defenses that work in concert with each other, you deter attackers and make yourself an unappealing target. Resources are limited, and carrying out an attack requires a financial and labor commitment. By being more secure than your peers, you become a less appealing target, and attackers will shift their efforts elsewhere.

We’ll See You at DerbyCon 2019!

All told, this years DerbyCon was an eventful one with great information and excellent opportunities to connect with security professionals from all over the United States (and the world). We will be back again next year.
Until next time!