Federal prosecutors this week charged a Seattle woman, Paige A. Thompson, with stealing data from more than 100 million credit card applications held by Capital One Financial Corp.: in excess of 30 GB, including more than 140,000 Social Security numbers, 1 million Social Insurance Numbers (belonging to Canadian credit card holders), and 80,000 bank account numbers. Much of the initial speculation about the hack has been confirmed, and FBI agents arrested Thompson on July 29th on suspicion of the crime. Capital One said the incident affected approximately 100 million people in the United States and six million in Canada.
Key points from a release on the Capital One site include:
- "Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised"
- "The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019"
- "This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income."
Unfortunately, as is often the case, the actual revelation came from an external source. The FBI says Capital One learned about the theft from a July 17, 2019 email, which reported that data taken from the company had been posted to GitHub, a development platform. The data itself had been stored in Amazon S3, the object storage service of Amazon Web Services.
Hygiene observations for organizations and enterprises:
Observation #1: Sometimes offenders aren't as smart as you think. The GitHub account belonged to a user named "Netcrave", and its profile carried the resume and name of Paige A. Thompson.
Observation #2: Unprotected data will be found, whether it is in your possession, your partners', or that of those who stole it from you.
Observation #3: Third parties are the new attack surface. Thompson was, at one time, an AWS employee.
Observation #4: The cloud can be as secure, or as insecure, as any traditional IT infrastructure. I'm an advocate of Digital Transformation and of leveraging cloud within that transformation. However, the hygiene of the transformation process itself, of third-party vendor management, and of the cloud instances you end up running is no less challenging than in traditional IT. Those who say cloud is inherently more secure are fooling themselves.
Observation #5: Insider threats (current or past employees) are a constant, and managing them is a critical element of your security program. Whether through identity controls or governance, you must manage your employee base and everyone else who has access to your infrastructure, whether mobile, on-premises, or in the cloud.
Observation #6: Other elements, such as multi-factor authentication, encryption of data in transit and at rest, and proper firewall and edge management, are still important in the cloud. Key management helps protect against many hygiene issues. Continuous monitoring and scanning should be layered on top, so that an unintended user or system that does gain access is noticed rather than left undetected.
Observation #7: Even when you do everything 'right' (invest in security, have great people, and take precautions), a basic hygiene lapse, in this case a misconfigured web application firewall, can bite you.
Observation #8: Once targeted, you'll always be targeted. Attackers may raise their sophistication and look for a new "Hollywood" way in once you have improved your security practices, but they can usually still rely on the path of least resistance: human error and bad hygiene. It's only a matter of time until someone makes a mistake; what matters is how quickly you can identify and address it.
Observation #9: Cybersecurity is a board-, executive-, and individual employee-level (and everywhere in between) problem.
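Observations #2 and #6 above come down to a handful of settings on the storage that holds the data: who the bucket policy lets in, whether the account-level public access guards are on, and whether objects are encrypted under a key whose policy you control. The following is an added example, not code from Capital One, RSA, or the original post; it audits those three settings offline for one S3 bucket. The inputs have the same shape as the output of `aws s3api get-bucket-policy`, `get-public-access-block` and `get-bucket-encryption`, but the bucket name, account ID, role ARN and KMS key ARN are constructed for illustration and nothing is fetched from AWS. A weak configuration is shown beside a hardened one.

```python
"""Offline hygiene audit of an S3 bucket's access and encryption settings.

The three inputs mirror what `aws s3api get-bucket-policy`,
`get-public-access-block` and `get-bucket-encryption` return for a bucket.
All sample data below is constructed; nothing is fetched from AWS.
"""
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True when a statement's Principal matches every AWS caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_bucket(name, policy_json, public_access_block, encryption):
    """Return a list of finding strings for one bucket (empty = clean)."""
    findings = []

    # 1. Bucket policy: an Allow to a wildcard principal exposes the data.
    #    A Condition block may narrow it (e.g. aws:SourceVpc), so those are
    #    flagged for review rather than as outright public. Deny statements
    #    to "*" are fine; they only remove access.
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if _is_wildcard_principal(stmt.get("Principal")):
            severity = "REVIEW" if "Condition" in stmt else "HIGH"
            actions = ", ".join(_as_list(stmt.get("Action")))
            findings.append(f"{severity}: {name}: statement "
                            f"{stmt.get('Sid', '<no Sid>')} allows {actions} "
                            f"to any principal")

    # 2. Public Access Block: every flag that is off leaves a route (ACLs or
    #    a later policy edit) by which a private bucket can become public.
    pab = public_access_block or {}
    for flag in PAB_FLAGS:
        if not pab.get(flag, False):
            findings.append(f"HIGH: {name}: PublicAccessBlock.{flag} is not enabled")

    # 3. Default encryption: SSE-KMS means a reader also needs kms:Decrypt on
    #    a key whose policy you control, not just s3:GetObject.
    rules = (encryption or {}).get("Rules", [])
    if not rules:
        findings.append(f"MEDIUM: {name}: no default encryption rule")
    else:
        default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") != "aws:kms":
            findings.append(f"LOW: {name}: default encryption is "
                            f"{default.get('SSEAlgorithm', 'unset')}, not SSE-KMS")
    return findings


# --- constructed sample inputs (hypothetical bucket, account, role and key) ---
BUCKET = "arn:aws:s3:::example-credit-apps"
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [BUCKET, BUCKET + "/*"]}]})
WEAK_PAB = dict.fromkeys(PAB_FLAGS, False)
WEAK_ENC = {"Rules": [{"ApplyServerSideEncryptionByDefault":
                       {"SSEAlgorithm": "AES256"}}]}

HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "IngestRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/credit-app-ingest"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET, BUCKET + "/*"]},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": BUCKET + "/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
HARDENED_PAB = dict.fromkeys(PAB_FLAGS, True)
HARDENED_ENC = {"Rules": [{"ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "aws:kms",
    "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/"
                      "11111111-2222-3333-4444-555555555555"}}]}

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_POLICY, WEAK_PAB, WEAK_ENC)),
                        ("hardened", (HARDENED_POLICY, HARDENED_PAB, HARDENED_ENC))):
        result = audit_bucket(label, *args)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  " + line)
```

Run as a script, the weak bucket produces six findings (the public read statement, all four Public Access Block flags off, and SSE-S3 instead of SSE-KMS) while the hardened bucket produces none; the Deny-to-everyone statement in the hardened policy is deliberately not flagged, since it only removes access. Pointing the same function at real `s3api` output for every bucket in an account, on a schedule, is the kind of continuous scanning Observation #6 calls for.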
Hygiene learnings for Hackers:
Observation #1: Even hackers need data protection and should follow best practices for IT and security hygiene.
Observation #2: Valuable data will be found on the Internet when it is not protected, even when you don't own it. Think of how the value of the data declines once everyone who wants it can get it more cheaply from someone who didn't even take the same risks.
Observation #3: If you're going to steal data, don't brag about your techniques. Thompson had several tweets under her Twitter account "erratic" that reportedly noted she had learned how to access S3 buckets and, specifically, how to compromise accounts.
Observation #4: Highlighting employment issues and complaining about prior employers is something of a red flag in an industry where attracting and retaining great employees is top of mind for organizations.
Observation #5: The good news is you might get a government job where you will be closely supervised and monitored during and after work so you're not tempted to do bad again. Everyone deserves a second chance, right?
While a bit tongue-in-cheek on the hacker side, there are important observations here about basic hygiene and how a lack of it can bite you.
# # #
Learn more about Digital Risk Management, Dynamic Workforce Risk, and Third-Party Risk. Continue to watch this space for more insights from Doug Howard on security hygiene in a hyperconnected world.
Join the #TalkingDigitalRisk conversation on Twitter and social media by following @RSAsecurity