
Running head: SECURITY CONTROLS FOR CAPITAL ONE 1


Security Controls for Capital One

Controls

Security controls help companies stay protected from cybersecurity threats arising from internal or external factors. A company should always invest more time in understanding appropriate data protection measures (Alani et al., 2017). Capital One has several controls in place to protect itself and its clients' data. Foremost, it implements administrative security, the basic policies and standards that govern how the company manages security. Capital One has an acceptable use policy for its employees, which gives guidelines on what employees are and are not supposed to do. The company also provides security clearance to new employees and disables accounts when employees leave the company. Additionally, it has a policy for responding to security incidents or breaches. The company tries its best to maintain and implement these administrative controls during its daily operations to ensure it avoids any security.

Physical controls

The company also implements physical controls as a security measure. These measures are used to prevent and deter unauthorized access to sensitive materials. The company uses biometrics such as fingerprints for employees entering individual departments within the organization (Novaes Neto et al., 2020). It keeps track of all its physical space and access points, where it has locks, ID badges, and surveillance cameras. The organization also keeps track of all computer resources connected to the company, and it regulates how employees use or access facilities and assets.

Technical controls

Additionally, the company implements technical security controls. These controls use technology to govern the usage of and access to sensitive data over a network or through the physical structures. The company has tried as much as possible to implement several technologies, such as smart cards, access control lists, encryption, and network authentication (Woodruff Sr, 2020). These technologies help the company transmit data and maintain its integrity. They also help combat the cybersecurity risks and vulnerabilities that come with the use of computer resources.

However, despite these implementations, the company faced a significant cybersecurity threat. The threat was due to physical control, which was not secure enough to prevent the cyber-attack. In the attack, it was discovered that there was a misconfiguration of a WAF, which was designed to prevent unapproved access (Novaes Neto et al., 2020). The misconfiguration allowed commands to be run on the main server. The commands obtained the security credentials for a role that provided further access to storage repositories. The misconfiguration in the company's WAF enabled a remote attacker to generate temporary Amazon Web Services (AWS) tokens that could be used to fetch data from an AWS storage service.

When migrating to the cloud, misconfiguration mistakes are common. Since the attacker had full access to web servers, the attacker executed a script of AWS commands used for system administration. This displayed all the AWS S3 buckets. The command was then followed by the sync command, which copied buckets and folders containing customer data. Thus, the company should always prioritize the education and training of security administrators and teams so that they are prepared to do their jobs. Admins should understand more than just the security tools and controls; they should also understand why the controls are implemented and the reasons for the configurations. Cloud service providers should also ensure that their access management and controls limit access to cloud customers' environments (Pompon, 2016). Customers should also be aware that a compromise is possible and should focus on administrative, technical, and physical access management.
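One way a defender could look for the pattern described above (temporary role credentials used to list buckets and then read objects in bulk) in CloudTrail-style records. This is an added example, not part of the original essay; the expected address range, threshold, account ID, role name and sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the essay): expected source ranges, threshold, placeholder ARN.
EXPECTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
READ_THRESHOLD = 3
ARN_PREFIX = "arn:aws:sts::123456789012:assumed-role/example-role/"

def _ev(time, name, ip, session):
    # Build a constructed record using CloudTrail field names.
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole", "arn": ARN_PREFIX + session}}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    _ev("2024-01-01T10:00:00Z", "GetObject", "10.0.1.5", "i-0aaa111"),
    _ev("2024-01-01T10:05:00Z", "ListBuckets", "203.0.113.50", "i-0aaa111"),
    _ev("2024-01-01T10:05:10Z", "GetObject", "203.0.113.50", "i-0aaa111"),
    _ev("2024-01-01T10:05:11Z", "GetObject", "203.0.113.50", "i-0aaa111"),
    _ev("2024-01-01T10:05:12Z", "GetObject", "203.0.113.50", "i-0aaa111"),
    _ev("2024-01-01T10:06:00Z", "ListBuckets", "203.0.113.60", "alice"),
]

def is_instance_session(arn):
    # EC2 instance-role sessions carry the instance ID (i-...) as the session name.
    return ":assumed-role/" in arn and arn.rsplit("/", 1)[-1].startswith("i-")

def is_expected_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # AWS service names (e.g. "ec2.amazonaws.com") are not IPs
    return any(addr in net for net in EXPECTED_NETS)

def find_suspicious_sessions(events):
    # Group instance-role activity seen from unexpected addresses, in time order.
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["eventTime"]):
        arn, ip = e["userIdentity"]["arn"], e["sourceIPAddress"]
        if is_instance_session(arn) and not is_expected_ip(ip):
            by_key[(arn, ip)].append(e["eventName"])
    findings = []
    for (arn, ip), names in by_key.items():
        # Flag a bucket listing followed by a burst of object reads.
        if "ListBuckets" in names:
            reads = names[names.index("ListBuckets"):].count("GetObject")
            if reads >= READ_THRESHOLD:
                findings.append({"session": arn, "source_ip": ip, "reads_after_list": reads})
    return findings
```

Calling `find_suspicious_sessions(SAMPLE_EVENTS)` flags only the instance-role session seen from 203.0.113.50; the in-range read and the non-instance session are ignored.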

References

Alani, M. M. (2017, November). Prioritizing Cloud Security Controls. In Proceedings of the Second International Conference on Advanced Wireless Information, Data, and Communication Technologies (pp. 1-6).

Novaes Neto, N., Madnick, S., de Paula, M. G., & Malara Borges, N. (2020, January 1). A Case Study of the Capital One Data Breach.

Pompon, R. (2016). Administrative Controls. In IT Security Risk Control Management (pp. 153-163). Apress, Berkeley, CA.

Woodruff, Sr, S. M. (2020). Practical Cybersecurity Controls for Countering the Insider Threat: A Qualitative Delphi Study (Doctoral dissertation, Capella University).