Capital One Data Breach and Incident Response
Date: 4 August 2019
A breach is an inevitability and this blog is not about slamming Capital One. Instead, we try to provide some tangible guidance. Our network of practitioners Krisztian Kenderesi, Lorraine
Dryland, Marcus Burkert, Matt Hardy and Sean Turner, Hussein Bahgat, Mihir Joshi, Helen Rabe and Dan May have also shared their insights and opinions.
This is Capital One's Golden Hour! What would you do?
This is Capital One's Golden Hour - The period where there is panic and chaos and what you do here can make or break your organisation.
The pressure is unbearable. The hunt for answers is relentless. The demand for FACTS is critical. For outsiders, it's easy to opine and as they say, hindsight is 20/20. The fact is we are not in Capital One now. Let's ask ourselves if we are prepared? What would we do if/when we are hit by a breach of this magnitude?
(Our GCHQ-Certified Cyber Incident Planning & Response Workshop covers this topic in detail - Click here for more information)
What's in this blog?
- Capital One Data Breach - What We Know
- Why a plan is NOT enough.
- 8 Points for an Effective Cyber Incident Response Plan.
- Stop Beating Capital One!
- Comments from Cyber & Privacy Practitioners.
The Capital One Data Breach - What we know.
|July 19, 2019, was when Capital One determined it had been breached.||
Capital One has decided to call this attacker sophisticated (for now at least). Notice no HTTPS link (Click here)
|The alleged attacker has been caught! (Click here for the US Department of Justice details on the case.)||
The initial complain PDF can be downloaded here.
The charges are only allegations and remember a person is presumed innocent unless and until he or she is proven guilty beyond reasonable doubt in a court of law.
The Capital One Data Breach involves 100 million credit card applications and includes 140,000 Social Security numbers and 80,000 bank account numbers.
|According to Capital One - an outsider made them aware of this breach.|
|Encrypted data was de-crypted by the hacker (apparently, inadvertently).
Wait! We have a Plan
Cyber Management Alliance Ltd is a team of leaders in cyber incident response planning and crisis management and when prospective clients reach out to us for hosting internal Cyber Incident Planning & Response workshops, we hear typical defensive answers like:
“We already have an incident response plan!”
“We have a major-incident handbook."
The fact is, yes, most organisations will have some sort of incident response plan. The question that we ask is: Is that plan fit for purpose and is it able to deal with the nuances of a cyber-attack?
Take a look at our 8 Points For an Effective Cyber Incident Response Plan to give you some fresh insights. The questions and topics in the table are the ones we use with our Cyber Incident Response clients.
8 Points for an Effective Cyber Incident Response Plan
Is your plan fit for cyber-attacks?
The archaic approach to planning for incidents does not always consider the dynamic nature of cyber-attacks. Cyber incidents are different, often difficult to detect and even more difficult to classify.
Does it consider complex and simple scenarios associated with cyber-attacks?
Most response plans are rigid and planning-focussed. They forego a crucial element of considering organisation-specific scenarios.
Have you considered taking a risk-based approach? To be effective you need to understand your threats, the impact of the risks.
Does it have provisions for regulations like the GDPR and/or NIS?
Based again on the need to consider scenarios, is your plan able to deal with a regulatory (think GDPR, NIS) data-breach?
Can the plan be read and understood during a major crisis?
To say that plans are boring is stating the obvious. Ask yourself, can someone read, understand and carry out the plan during a major-crisis?
How much of the plan focusses on actual response rather than preparation?
Most plans focus on preparation. There's nothing wrong with that. But it's also important to think about and focus equally on creating response actions in a plan.
Have all the techies and management read it and ratified it?
Ensure that all stakeholders - techies, their managers and non-technical stakeholders have all read and understood the plan.
Did you create your plan on your own?
Most plans are written by one or two people who have the job of creating a mammoth document - often to satisfy a “tick-box” - Have you done the same or did you involve a large cross-section of stakeholders before you created this document?
Is your plan based on certified Cyber Incident Planning & Response training?
Our GCHQ-Certified Cyber Incident Planning & Response workshop lays the foundation of a solid incident response posture in an organisation. During internal workshops, we ask that clients invite all stakeholders around the table to ensure maximum participation so that the resulting output is real, practical and effective.
Conclusion: Stop Beating Capital One, Focus on Your Own Organisation.
Breaches are probably the only constant today and there are enough people on LinkedIn and elsewhere, the Cyber gurus, who are combing through every thing that Capital One didn't do.
Instead, we propose that you focus on your own organisation. Dust off your incident response plans, download our Cyber Incident Planning & Response mind-maps, see what past attendees have said about how effective this CIPR workshop is and the real benefits it brings to all stakeholders in an organisation.
Use our 8 Points for an Effective Incident Response Plan (above) and review your own plans and strategy.
Insights from Cyber & Privacy Practitioners
Respected cybersecurity and privacy practitioners provide their insights and opinions on what should be done to lower the risk of such incidents. Thanks to Matt Hardy, Lorraine Dryland, Marcus Burkert, Krisztian Kenderesi and Sean Turner.
"I do feel for Capital One. However, it does appear to be the risk from a third-party cloud storage which does change the risk model. Was best practice followed? Maybe not. CIS and AWS produce good guidance. Was this checked? I would want to know that if I’m placing sensitive data in the cloud, it’s being appropriately protected. Education around changing risks that arise from moving from on-prem to cloud adoption will help."
Matt Hardy (CISO, Ireland)
"Unfortunately, this regrettable case is once again proving, that despite all the technical and organisational security measures in place, there is no such thing as 100% security. Some of the contributing factors are usually the increasing complexity of applications and infrastructures as well as the enormous pressure on IT departments (think dev-ops etc.) for immediate and continuous delivery.
Some of the things you can do to decrease your chances of such incidents are hardening and bench-marking of IT systems and applications and conducting regular internal and external technical security reviews, including system configuration reviews."
Marcus Burkert (Senior Cybersecurity Practitioner, Zurich, Switzerland)
"Businesses have to learn that they are only as secure as their weakest link. Just because the data and the operation are in the Cloud, it does not mean that it is secure by default. You have to make sure that the applications you develop and the configuration of the Cloud is following industry best practices and is tested! The Cloud is a different beast with new and different challenges! As you can see from this breach, it is enough to have a misconfiguration on one small part of your cloud estate, and that can open the gate for the bad actors to access and siphon out your valuable data.
How can you be ready? Learn from lessons, support your internal security teams and listen to experts like Cyber Management Alliance! Cyber Risk is an enterprise risk too, so don’t just try to wipe it under the carpet."
Krisztian Kenderesi (Chief Information Security Officer, UK)
"The Capital One breach is not the only one of its kind. It may be big in the context of the volume of data but someone taking advantage of a misconfiguration or vulnerability of cloud storage has been happening for years. The main point here is that it is the responsibility of the organisation to secure its data and it would appear that this was not done. Why? Only Capital One will really know. But it is a message to every organisation that has private data in the cloud; it needs to be secured.
There are many reasons for these mistakes - organisational size, maturity in the use of cloud as well as maturity of security in the lines of business (DevSecOps). Regardless of which, this will continue to be an issue if we don’t embed security as an enabler and consider it as BAU and not something extra."
Lorraine Dryland (Deputy Director of Technology Security, UK)
"Some quick questions to ask yourself:
- Who can create service accounts in IAM, and dish out permissions in your environment?
- Do you know who owns every service account and what it’s used for?
- Do you audit IAM users and their roles regularly?
- Are your IAM roles constructed with least privilege in mind?
- Are you wildcarding things for an easy life?
- Does your application or service really need access to the AWS metadata endpoint? If so, does everything on that system implicitly need to share the assigned role, or should you use IAM credentials known only to the service in conjunction with your secret management solution?"
Sean Turner (Chief Information Security Officer, UK)
"This incident shows that 100% assurance in cybersecurity is not possible and large-scale breaches in terms of volume and value are likely to be around for some time. The public and regulatory pressure after a breach is a situation that will show how prepared organisations are to respond.
Often overlooked by organisations until breached is "Breach discovery". This is where an organisation builds a focussed programme around existing data and possible breaches, and"ring fences" critical data to limit exposure when breached followed by a proper cloud governance model that is driven by the business and data owners.
The fact is that large breaches will almost always reveal how well business leaders are prepared and cooridnated to respond and act swiftly to the pressure and inform on their risk-managed approach to cybersecurity breaches."
Hussein Bahgat (Regional CISO, Africa and Middle East, UAE)
"It’s not the question of how secure we are? The question is are we ready for something like this?
Misconfigurations, vulnerabilities etc. are common and have somewhat become an inevitable part of one’s organisation. It’s time that we think like hackers and see our organisations as prime targets that will eventually help us to defend them well. Every CISO must strive to focus more on Incident Response and Planning. Organisations investing more on breach preparedness have come out to be more confident and successful than those that focus more on technology solutions."
Mihir Joshi (AVP and Lead - Cyber Security, Cyber Risk and Compliance, India)
"Despite the speculation that continues to rage around the Capital One breach, one thing remains clear - we appear to not be learning lessons from our past!
If we insist on placing our critical data assets into a public cloud infrastructure then security and IT teams need a strong symbiotic relationship.
Irrespective of your operating model, I believe security needs to drive the conversation (this may prove inflammatory to many of my peers...but it’s my approach and I stand by it) and work with those IT teams to remove the assumptions. I appreciate this is not a simple ask and operational/cost challenges tend to get in the way.
I state the obvious here, but if your strategy drives critical data into public cloud, keep third-party risk and this vector at the top of your risk maintenance and regular risk oversight. Cloud may be the board’s long-term, cost-efficient goal but it isn’t secure by design if you haven’t paid for the service."
Helen Rabe (Global CISO, London, UK)
"On the face of it, we’ve seen all of this before; large firm loses a massive trove of personal data. The public could be forgiven for becoming de-sensitised to such headlines whilst wondering whether they have any data left that’s still private.
But some significant details are emerging that we should all heed. Unusually, an arrest has been made; not something we see often. And just 10 days from detection; this is fast moving. No ransomware here, no nation-state espionage, no accidental insider or misconfigured public cloud. No zero-day exploit.
Despite our best intentions, even firms with the greatest of InfoSec and technical talent at their disposal can’t lock down today’s complex systems. The vulnerability in question was quickly fixed but we’ll never catch them all. What’s worrying for those defending our data is there’s no suggestion of negligence or complacency here, yet the breach occurs. That’s why response plans considering everything from the initial detection to getting facts and advice to customers are simply a must-have."
Dan May (Head of InfoSec, UK)