It seems like almost every day brings news of another large, high-profile hack affecting millions of Americans and other users around the world. Though wide-reaching hacks affecting large companies and millions of users are more likely to make the news, the reality is that cybercriminals are increasingly targeting small and medium-sized organizations as well.
Cybercriminals are constantly evolving and changing their tactics in the hopes that they can stay ahead of cybersecurity experts. Looking back on high-profile hacks like the CapitalOne hack can give us insight into how cybercriminals operate and help us craft robust cybersecurity policies that allow us to approach cybercrime in a way that works to preemptively safeguard digital assets.
The CapitalOne hack occurred on March 22nd and 23rd of this year but was not discovered by CapitalOne until July 19th. The incident affected credit card applications as far back as 2005. The hacker, Paige Thompson, is accused of breaking into a CapitalOne server and gaining unauthorized access to 140,000 Social Security Numbers, 1 million Canadian Social Insurance Numbers, and 80,000 bank accounts. She is also accused of accessing an undisclosed number of names, addresses, credit limits, credit scores, balances, and other personal information according to CapitalOne and the US Department of Justice. In total, the breach affected approximately 100 million Americans and 6 million Canadians.
As of the writing of this article, she is still awaiting trial.
Ms. Thompson, a former software engineer for Amazon, was able to gain access to the private server by exploiting a misconfigured firewall. The server is run by Amazon Web Services (AWS).
What We Learned
Ms. Thompson was able to gain access to CapitalOne’s private AWS server by exploiting a misconfigured firewall, which she was able to trick into granting her access to critical back-end resources. The misconfigured firewall was not only vulnerable, but it had also been granted more permissions than it should have. This allowed Ms. Thompson to view a wide selection of files and read their contents. She was also allowed to export private information, thereby stealing sensitive CapitalOne customer data.
The type of vulnerability Ms. Thompson exploited is a well-known method called a Server Side Request Forgery (SSRF) attack. In this case, the server was tricked into running commands that it should never have had permission to run in the first place.
The CapitalOne hack taught us that even seemingly minor vulnerabilities can be exploited and that overly generous permissions pose a hazard. CapitalOne was also not aware of the breach until it was reported to them by someone who saw that Ms. Thompson had posted the private CapitalOne data on her GitHub page. If they had been monitoring their systems more closely, they might have been able to detect the breach right away instead of being made aware of it by a good Samaritan months later.
What Can You Do to Protect Your Organization
The best thing you can do to protect your organization from hacks like the CapitalOne hack or any other cybersecurity incident is to be vigilant and take a preemptive position. It is always better to safeguard against potential threats than deal with breaches and hacks after they have already occurred.
Ensure Firewalls and Other Software is Up to Date
One of the simplest things you can do to protect your organization’s digital assets is to keep your software up to date. This includes cybersecurity specific software such as anti-virus software as well as the software your organization uses to conduct its everyday business.
When software companies detect flaws in their products, they release patches, which are small snippets of code designed to patch vulnerabilities or fix bugs. Cybercriminals look for these patches because they show them exactly where exploitable vulnerabilities exist in out-of-date software.
By keeping your software up to date, you can take advantage of these security fixes, making it more difficult for cybercriminals to gain unauthorized access to sensitive or proprietary data.
You should also review your cybersecurity protocols regularly so that they can be updated or adjusted according to your evolving needs. Regular reviews and audits also help ensure that your employees know how to spot suspicious activity, and whom they should report it to.
The CapitalOne server was granted too many permissions, which allowed Ms. Thompson to view and export large amounts of sensitive information. Should your organization experience a hack, limited permissions can help limit cybercriminal access.
By limiting permissions for both software and employees to only what these entities need to complete their jobs you make it more difficult for a cybercriminal to access sensitive or proprietary sections of your infrastructure, slowing them down and limiting the damage they can inflict. Slowing cybercriminals down helps ensure that their activities are noticed before they can cause too much damage or gain access to other systems.
You can’t mount an effective defense against a cyberattack if you don’t know one is happening. By monitoring all traffic on your network, both within the network and between your network and the Internet or other external programs, you can better keep an eye out for suspicious activity.
You should also make sure that the employees responsible for monitoring your systems have the appropriate training to recognize suspicious activities and either report them or investigate them themselves.
Have an Official Offboarding Process
Ms. Thompson knew the vulnerability was there because she had worked as a software engineer for Amazon, who owned and maintained the server used by CapitalOne. Though Ms. Thompson had to hack her way into the server, too many companies don’t have proper offboarding processes in place to revoke permissions for former employees.
By making sure you have proper procedures in place to revoke access to your organization’s systems, you can help prevent disgruntled former employees from using their permissions to gain unauthorized access.
Consider an MSSP
Keeping your software up to date and limiting permissions are both critical, but will only get you so far. To stay one step ahead of cybercriminals, you need to ensure that your current cybersecurity protocols are both robust enough to safeguard your digital assets effectively and flexible enough to adapt to the ever-changing cybersecurity landscape.
Not every organization is large enough to support an in-house cybersecurity team, and that is okay. A Managed Security Services Provider (MSSP) consists of a team of cybersecurity experts, who can help you create tailor-made cybersecurity solutions to meet your organization’s unique needs, provide employee training, monitor your systems for suspicious activity, and help you limit or even avoid damage should a cybersecurity incident occur.