While claiming your Equifax breach settlement, you may have heard about the latest headline-grabbing cyber incident – a poorly configured Amazon cloud database (S3 bucket) at Capital One suffered a data breach that affected 106 million American and Canadian customers and applicants, revealing roughly 140,000 social security numbers (SSNs), 80,000 U.S. bank account numbers, and 1 million social insurance numbers (SINs).
You don’t need to be a sophisticated cybercriminal to know how to break into weak or unsecured open devices. All too often, we see corporate devices leaking sensitive data, and files stolen from mismanaged technical assets passed around in underground markets. Paige Thompson, the recently discovered insider threat who previously worked at Amazon as a systems engineer, publicly boasted on social media about hacking into unsecured Amazon databases, not only at Capital One, but also exfiltrating tens of gigabytes of data from other corporations.
Since the incident, Capital One and the FBI were able to find and fix the vulnerability and assess the damage quickly. However, customers are still going to be impacted, regardless of the credit monitoring and identity protection services the affected companies will need to provide. Let’s not forget, Capital One’s and Amazon’s brands are affected as blame begins to get thrown around. So, for many of you, this raises the question: who’s at fault?
The blame game is easy to play. If you remember, a third-party HVAC vendor vulnerability was the cause of Target’s breach. Capital One is being blamed for not properly configuring their AWS buckets and Amazon is being blamed for an insider exposing other companies’ poorly configured databases; whereas Paige Thompson, and other like-minded cybercriminals, are the real culprits exposing consumer and company data.
Here’s the bottom line: Cybersecurity is a team sport. The average American has around five devices connected to the internet. Our identities are increasingly connected to the digital world and companies are collecting and storing personal information now more than ever before, with more personal details.
In my line of work, when monitoring the surface, social, deep and dark web, I frequently find leaking devices and subsequently contact the affected company directly, working with them to secure their vulnerabilities and provide recommendations on mitigation. Five steps I often recommend to proactively protect an organization are as follows:
Get back to basics – Perform basic security hygiene and make sure your systems are up-to-date with the latest patches and security updates. Work with your partners and configure your cloud servers properly. Amazon training is free.
Perform open-source intelligence (OSINT) research – Understand what is being said about you and your organization at all times. Attribute potential adversaries; could they be real threats? What information do they have access to? Know their motive and capability level.
Understand an incident’s blast radius – How was the organization impacted? You may be a casualty from an exposure.
Watch out for squatters looking to take advantage of the breached public – sites such as capitalonecreditcardbreach[.]com, capitalonebreach[.]com, capitalonedatabreach[.]com were all registered on July 30th, 2019 in hopes of targeting the victims of these breaches. Monitor how bad actors can take advantage of your brand and business.
Always use any breach incident as a learning lesson – Learn from others’ mistakes; war game your controls, test your people, processes and technology.
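The squatter-monitoring step above can be automated against a newly-registered-domain feed. The following is an added example, not code from the original post: it refangs the `[.]` notation, normalizes common look-alike substitutions, and flags registrations that combine an assumed brand variant with breach-related wording. The feed lines are constructed samples (the three capitalone* entries are the domains named in the post; the rest are filler).

```python
# Constructed sample of a newly-registered-domain feed: "registered-date,domain".
SAMPLE_FEED = """\
2019-07-30,capitalonecreditcardbreach[.]com
2019-07-30,capitalonebreach[.]com
2019-07-30,capitalonedatabreach[.]com
2019-07-30,capitolone-settlement[.]com
2019-07-30,gardening-tips[.]net
2019-07-29,capital0ne-claims[.]co
2019-07-29,capitalone-careers[.]org
"""

# Assumed brand spellings to watch (the real list would come from your brand team).
BRAND_VARIANTS = ("capitalone", "capitolone")
# Wording that suggests the registration targets breach victims.
BREACH_TERMS = ("breach", "settlement", "claim", "refund", "leak")


def refang(domain: str) -> str:
    """Turn the defanged 'example[.]com' notation back into a real hostname."""
    return domain.strip().lower().replace("[.]", ".")


def normalize(label: str) -> str:
    """Collapse digit-for-letter swaps and hyphens so 'capital0ne-claims' reads 'capitaloneclaims'."""
    return label.replace("0", "o").replace("1", "l").replace("-", "")


def flag_squatters(feed: str) -> list:
    """Return flagged registrations in feed order, each with a severity."""
    hits = []
    for line in feed.splitlines():
        if not line.strip():
            continue
        registered, raw = line.split(",", 1)
        fqdn = refang(raw)
        leftmost = normalize(fqdn.split(".")[0])  # registrable label only
        if not any(brand in leftmost for brand in BRAND_VARIANTS):
            continue
        terms = [t for t in BREACH_TERMS if t in leftmost]
        hits.append({
            "domain": fqdn,
            "registered": registered,
            "terms": terms,
            # Brand plus breach wording is a likely phishing/scam lure; brand alone is worth watching.
            "severity": "high" if terms else "watch",
        })
    return hits


if __name__ == "__main__":
    for hit in flag_squatters(SAMPLE_FEED):
        print(hit)
```

In practice, feed the function a daily zone-file or certificate-transparency export and route "high" hits to your takedown and customer-warning process.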
It may be human nature to want to assign blame and pin this latest security incident on a single party, but if we are truly serious about making a concerted effort to prevent an incident of this scale from happening again, or at the very least from happening as often as they do, we need to come to the realization that everyone is at fault. There is no scapegoat. We all need to work together and take a more proactive approach to security; otherwise, we will continue reacting ad nauseam to the latest breach.