Running Head: PREVENTING CAPITAL ONE BREACH 1
Preventing Capital One Breach
Introduction
The Capital One breach involved an attacker who attempted to access the company’s data on 12 March 2019 through the VPN provider IPredator, from a TOR exit node. Thompson’s GitHub contained the specific server IP addresses that were used to steal the WAF-Role credentials. Exploiting a Server-Side Request Forgery (SSRF) vulnerability is a common way of compromising a server’s role (Neto et al., 2020). Several physical, administrative and technical controls were not in place, which led to this security breach. These include the following:
The Capital One breach can be attributed largely to a configuration vulnerability. Proper configuration would have ensured that no unauthorized individual could access the data the company had stored on servers maintained by the cloud provider. It would also have ensured that firewalls automatically detect and block connections from untrusted sources; the breach indicates that someone failed to configure the firewall properly. Proper penetration testing would have helped detect the vulnerability in advance. Thompson downloaded terabytes of client information, which could easily have been detected had IT system administrators configured the monitoring system with thresholds for normal and abnormal activity so that alarms are raised. Such controls would have shown spikes in the Network In and Network Out metrics, and those thresholds would have informed administrators, reducing the impact of the breach.
Proper knowledge of Infrastructure
This refers to having complete knowledge of which users can access what, and why those users are permitted such access. The company’s WAF-Role was permitted to access credit card application data. The WAF-Role might need to list Capital One’s buckets; the question that persists, however, is whether a web application firewall needs permission to download buckets containing customers’ private information.
Application of the Principle of Least Privilege Model
Permissions need to be delegated to roles so that each role can access only the resources it requires. There is also a need to watch out for overly powerful users, as well as new or strange behavior within the organization. This is commonly done in on-premises environments.
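As an added example (not part of the original essay), the following Python audits IAM policy documents for the overly broad grants described above, contrasting a constructed wildcard policy with a constructed least-privilege policy for a WAF role; the bucket name and the policies themselves are assumptions, not Capital One’s real configuration.

```python
# Added example: flag IAM policy statements that grant far more than a WAF role needs.
# Both policies below are constructed for illustration; the bucket name is a placeholder.
import json

# Constructed "before" policy: lets the role list and read every bucket in the account.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
    ],
})

# Constructed least-privilege policy: the role may only read its own config bucket.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-waf-config-bucket/*"},
        {"Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-waf-config-bucket"},
    ],
})


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return one finding string per Allow statement that uses a wildcard action
    (e.g. "*" or "s3:*") or a wildcard resource ("*")."""
    findings = []
    doc = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {idx}: wildcard action {actions}")
        if any(r == "*" for r in resources):
            findings.append(f"statement {idx}: wildcard resource")
    return findings
```

Run `audit_policy` over every role policy in an account to surface the overly powerful roles the section warns about; a clean result is an empty list.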
Separation of Resources
The cloud offers users practically unlimited storage space, which should be used. However, just as it is inadvisable to run a proxy server, the codebase and the database on the same on-premises machine, the company should not have kept private client information and the WAF in the same bucket. It is also inadvisable to run the credit card web applications and the WAF on the same server, where both parties can justify their need for permissions on the bucket (How to Secure Authorization in the Cloud, 2019).
Managing all Organization Entities
The company, one of the biggest users of AWS, developed Cloud Custodian, a rules engine for managing public cloud resources and accounts (Cloud Custodian, n.d.). The tool should have been used to inform company officials of the suspicious activity carried out under the WAF-Role. It is possible that the permission was granted by Thompson, and it is also possible that the commands were run from within the server. However, the WAF-Role had been allowed access to the files, and that access should not have come from an external IP address, as was observed.
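As an added example (not from the essay or from Cloud Custodian), the following Python implements the two alerts the monitoring and Cloud Custodian sections call for: the WAF role’s credentials being used from an IP outside the network the WAF instances live in, and a download volume above a normal threshold. The events, role names, network range and threshold are all constructed assumptions, and the record fields are a simplified stand-in for real CloudTrail records.

```python
# Added example: two detection rules over constructed CloudTrail-like records.
# Rule 1: watched role used from an IP outside its expected network.
# Rule 2: total bytes transferred by a role exceeds a threshold in the window.
import ipaddress
from collections import defaultdict

# Assumption: the WAF instances call AWS APIs only from this private range.
EXPECTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# Assumption: 500 MiB per role per monitoring window is the "abnormal" threshold.
BYTES_OUT_THRESHOLD = 500 * 1024 * 1024

# Constructed, simplified records (real CloudTrail uses sourceIPAddress, eventName,
# userIdentity, etc.). 198.51.100.0/24 is a documentation range, not a real host.
EVENTS = [
    {"role": "WAF-Role", "event": "GetObject", "source_ip": "10.20.4.7", "bytes": 4096},
    {"role": "WAF-Role", "event": "ListBuckets", "source_ip": "198.51.100.23", "bytes": 0},
    {"role": "WAF-Role", "event": "GetObject", "source_ip": "198.51.100.23",
     "bytes": 300 * 1024 * 1024},
    {"role": "WAF-Role", "event": "GetObject", "source_ip": "198.51.100.23",
     "bytes": 300 * 1024 * 1024},
    {"role": "App-Role", "event": "GetObject", "source_ip": "10.20.9.1", "bytes": 1024},
]


def in_expected_network(ip):
    """True if the source IP falls inside one of the expected networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_NETWORKS)


def detect(events, watched_role="WAF-Role"):
    """Return alert strings: one per API call by the watched role from an
    unexpected IP, then one per role whose total bytes exceed the threshold."""
    alerts = []
    bytes_by_role = defaultdict(int)
    for ev in events:
        bytes_by_role[ev["role"]] += ev["bytes"]
        if ev["role"] == watched_role and not in_expected_network(ev["source_ip"]):
            alerts.append(f"{watched_role} {ev['event']} from unexpected IP {ev['source_ip']}")
    for role, total in bytes_by_role.items():
        if total > BYTES_OUT_THRESHOLD:
            alerts.append(f"{role} transferred {total // (1024 * 1024)} MiB, above threshold")
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```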
Constantly Updating the Infrastructure
Amazon offers a WAF solution that incorporates CloudFront to block suspicious requests before they reach the servers. In the case of Capital One, Thompson possessed the server’s IP address and therefore did not have to pass through CloudFront. Using this service could have gone a long way toward ensuring that Thompson never learned the server’s public address, so that his requests would have been blocked. Amazon continually updates and introduces better security products for its customers (FAQs, 2020). Capital One ought to have kept up with Amazon’s latest technologies and followed its security recommendations to ensure that cyber-attacks are prevented.
Conclusion
The public cloud has significantly enabled numerous businesses; however, it also presents several blind spots and security challenges. The number of applications and services offered is growing exponentially, making permission sets, access logic, risks and capabilities harder to manage effectively. Authorization should not be considered a nice-to-have ability; it is a critical aspect. The access and permissions of the various identities ought to be clearly defined and carefully verified to avoid breaches. Failure to do so can result in catastrophic and, at times, irreversible damage.
References
Cloud Custodian. (n.d.). Retrieved from https://cloudcustodian.io/
FAQs. (2020). Retrieved from AWS: https://aws.amazon.com/waf/faq/
How to Secure Authorization in the Cloud. (2019, September 10). Retrieved from eWEEK: https://www.eweek.com/cloud/how-to-secure-authorization-in-the-cloud
Neto, N. N., Madnick, S., et al. (2020, January 1). A Case Study of the Capital One Data Breach. Retrieved from SSRN: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3542567