Capital One Data Breach and Incident Response
Date: 4 August 2019
Capital One Breach - So Are you Prepared?
A breach is an inevitability and this blog is not about slamming Capital One. Instead, we try to provide some tangible guidance. Our network of practitioners Krisztian Kenderesi, Lorraine Dryland, Marcus Burkert, Matt Hardy and Sean Turner, Hussein Bahgat, Mihir Joshi, Helen Rabe and Dan May have also shared their insights and opinions.
This is Capital One's Golden Hour! What would you do?
This is Capital One's Golden Hour - The period where there is panic and chaos and what you do here can make or break your organisation.
The pressure is unbearable. The hunt for answers is relentless. The demand for FACTS is critical. For outsiders, it's easy to opine and as they say, hindsight is 20/20. The fact is we are not in Capital One now. Let's ask ourselves if we are prepared? What would we do when hit with a breach of this magnitude?
(Our GCHQ-Certified Cyber Incident Planning & Response Workshop covers this topic in detail - Click here for more information)
What's in this blog?
- Capital One Data Breach - What We Know
- Why a plan is NOT enough.
- 8 Points for an Effective Cyber Incident Response Plan.
- Stop Beating Capital One!
- Comments from Cyber & Privacy Practitioners.
The Capital One Data Breach - What we know.
|July 19, 2019, was when Capital One determined it had been breached.||
Capital One has decided to call this attacker is sophisticated (for now at least) Notice no HTTPS link (Click here)
|The alleged attacker has been caught! (Click here for the US Department of Justice details on the case.)||
The initial complain PDF can be downloaded here.
The charges are only allegations and remember a person is presumed innocent unless and until he or she is proven guilty beyond a reasonable doubt in a court of law.
The Capital One data breach involves 100 million credit card applications and includes 140,000 Social Security numbers and 80,000 bank account numbers.
|According to Capital One - an outsider made them aware of this breach.|
|Encrypted data was decrypted by the hacker (apparently, inadvertently)
Cyber Management Alliance Ltd are the leaders in cyber incident response planning and crisis management and when prospective clients reach out to us for hosting internal Cyber Incident Planning & Response workshops, we hear typical defensive answers like:
“We already have an incident response plan!” OR “We have a major-incident handbook."
The fact is, yes, most organisations will have some sort of incident response plan. The question that we ask, is that plan fit for purpose and is it able to deal with the nuances of a cyber-attack?
Take a look at our 8 Points For an Effective Cyber Incident Response Plan to give you some fresh insights. The questions and topics in the table are the ones we use with our Cyber Incident Response clients.
Is your plan fit for cyber-attacks?
The archaic approach to planning for incidents does not always consider the dynamic nature of cyber attacks. - cyber incidents are different, often difficult to detect and even more difficult to classify.
Does it consider complex and simple scenarios associated with cyber attacks?
Most response plans are rigid and planning focused and forego a crucial element of considering organisation specific scenarios.
Have you considered taking a risk-based approach? To be effective you need to understand your threats, the impact of the risks.
Does it have provisions for a regulations like the GDPR and or NIS?
Based again on the need to consider scenarios, is your plan able to deal with a regulatory (think GDPR, NIS) data-breach?
Can the plan be read and understood during a major crisis?
To say that plans are boring is stating the obvious. Ask yourself, can someone read, understand and carry out the plan during a major-crisis?
How much of the plan focuses on actual response rather than preparation?
Most plans focus on preparation. Nothing wrong with that. Think about and also focus equally on creating response actions in a plan.
Have all the techies and management read it and ratified it?
Ensure that all stakeholders - techies, their managers and non-technical stakeholders have all read and understood the plan.
Did you create your plan on your own?
Most plans are written by one or two people who have the job on creating a mammoth document - often to satisfy a “tick-box” - Have you done the same or did you involve a large cross-section of stakeholders before you created this document?
Is your plan based on certified Cyber Incident Planning & Response training?
Our GCHQ-Certified Cyber Incident Planning & Response workshop lays the foundation of a solid incident response posture in an organisation. During internal workshops we ask that clients invite all stakeholders around the table to ensure maximum participation so that the resulting output if real, practical and effective.
Breaches are probably the only constant today and there are enough people on LinkedIn and elsewhere, the Cyber gurus, who are combing through every thing that Capital One didn't do.
Instead, we propose that you focus on your organisation. Dust off your incident response plans, download our Cyber Incident Planning & Response mind-maps, see what past attendees have said about the how effective this CIPR workshop is and the real benefits it brings to all stakeholders in an organisation.
Use our 8 Points for an Effective Incident Response Plan (above) and review your own plans and strategy.
Respected cybersecurity and privacy practitioners provide their insights and opinions on what should be done to lower the risk of such incidents. Thanks to Matt Hardy, Lorraine Dryland, Marcus Burkert, Krisztian Kenderesi and Sean Turner.
"I do feel for capital one however does appear to be the risk from a third party cloud storage which does change the risk model. Was best practise followed maybe not. CIS and AWS produce good guidance was this checked? I would want to know if I’m placing sensitive data in the cloud it’s appropriately protected. Education around changing risks from moving from on prem to cloud adoption will help."
Matt Hardy (CISO, Ireland)
"Unfortunately, this regrettable case is once again proofing, that despite all the technical and organisational security measures in place, there is no such thing as 100% security. Some of the contributing factors are usually the increasing complexity of applications and infrastructures as well as the enormous pressure on IT departments (think dev-ops etc) for immediate and continuous delivery.
Some of the things you can do to decrease your chances of such incidents are hardening and benchmarking of IT systems and applications and conducting regular internal and external technical security reviews including system configuration reviews."
Marcus Burkert (Senior Cybersecurity Practitioner, Zurich, Switzerland)
"Businesses have to learn that they are only as secure as their weakest link. Just because the data and the operation are in the Cloud, it does not mean that it is secure by default. You have to make sure that the applications you develop and the configuration of the Cloud is following industry best practices and tested! The Cloud is a different beast with new and different challenges! As you can see from this breach, it is enough to have a misconfiguration on one small part of your cloud estate, and that can open the gate for the bad actors to access and siphon out our your valuable data.
How can you be ready? Learn from lessons, support your internal security teams and listen to experts like Cyber Management Alliance! Cyber Risk is an enterprise risk too, so don’t just try to wipe it under the carpet."
Krisztian Kenderesi (Chief Information Security Officer, UK)
The Capital One breach is not the only one of its kind. It may be big in the context of the volume of data but someone taking advantage of a misconfiguration or vulnerability of cloud storage has been happening for years. The main point here is that it is the responsibility of the organisation to secure their data and it would appear that this was not done. Why? Only Capital One will really know. But it is a message to every organisation that has private data in the cloud; it needs to be secured.
There are many reasons for these mistakes, organisational size, maturity in the use of cloud as well as maturity of security in the lines of business (DevSecOps). Regardless of which this will continue to be an issue if we don’t embed security as an enabler and consider it as BAU and not something extra."
Lorraine Dryland (Deputy Director of Technology Security, UK)
Some quick questions to ask yourself:
- Who can create service accounts in IAM, and dish out permissions in your environment
- Do you know who owns every service account and what it’s used for?
- Do you audit IAM users and their roles regularly?
- Are your IAM roles constructed with least privilege in mind?
- Are you wildcarding things for an easy life?
- Does your application or service really need access to the AWS metadata endpoint? If so, does everything on that system implicitly need to share the assigned role, or should you use IAM credentials known only to the service in conjunction with your secret management solution?
Sean Turner (Chief Information Security Officer, UK)
"This incident shows that 100% assurance in Cyber security is not possible and large scale breaches in terms of volume and value are likely to be around for some time. The public and regulatory pressure after a breach is a situation that will show how prepared organizations are to respond.
Often overlooked by organizations until breached is "Breach discovery". This is where an organziation builds a focused programme around existing data and possible breaches and"Ring fences" critical data to limit exposure when breached followed by a proper cloud governance models that is driven by the business and data owners.
The fact is that large breaches will almost always reveal how well business leaders are prepared and co-oridnated to respond and act swiftly to the pressure and inform on their risk managed approach to Cyber security breaches."
Hussein Bahgat (Regional CISO, Africa and Middle East, UAE)
"It’s not the question of how secure we are? The question is that are we ready for something like this?
Misconfigurations, vulnerabilities etc are common and somewhat has become inevitable part of one’s organisation. It’s time that we think like a hacker and see our organisation as a prime target that will eventually help us to defend it well. Every CISO must strive to focus more on Incident Response and Planning. Organisations investing more on breach preparedness have come out to be more confident and successful than those that focus more on technology solutions."
Mihir Joshi (AVP and Lead - Cyber Security, Cyber Risk and Compliance, India)
"Despite the speculation that continues to rage around the Capital One breach one thing remains clear, we appear to not be learning lessons from our past!
If we insist on placing our critical data assets into a public cloud infrastructure then security and IT teams need a strong symbiotic relationship.
Irrespective of your operating model, I believe security needs to drive the conversation (this may prove inflammatory to many of my peers...but it’s my approach and I stand by it) and work with those IT teams to remove the assumptions. I appreciate this is not a simple ask and operational/cost challenges tend to get in the way.
I state the obvious here, but if your strategy drives critical data into public cloud, keep 3rd party risk and this vector at the top of your risk maintenance and regular risk oversight. Cloud may be the board’s long term, cost efficient goal but it isn’t secure by design if you haven’t paid for the service."
Helen Rabe (Global CISO, London, UK)
"On the face of it we’ve seen this all before, large firm loses a massive trove of personal data. The public could be forgiven for becoming desensitised to such headlines whilst wondering whether they have any data left that’s still private.
But some significant details are emerging that we should all heed. Unusually, an arrest has been made; not something we see often. And just 10 days from detection; this is fast moving. No ransomware here, no nation-state espionage, no accidental insider or misconfigured public Cloud. No zero-day exploit.
Despite our best intentions, even firms with the greatest of InfoSec and technical talent at their disposal can’t lock down today’s complex systems. The vulnerability in question was quickly fixed but we’ll never catch them all. What’s worrying for those defending our data is there’s no suggestion of negligence or complacency here, yet still the breach occurs. That’s why response plans considering everything from the initial detection to getting facts and advice to customers are simply a must-have."
Dan May (Head of InfoSec, UK)