The “data breach of the year” involved more than 100M files containing sensitive information of consumer credit-card applications at Capital One. The story hit headlines for months, and with much reason—after all, it’s not every day that the social security numbers, bank account numbers, credit scores, and plenty more other sensitive information of millions get exposed.
As 2019 comes to an end, it’s important to reflect on other companies’ successes and, in this case, failures to prevent similar catastrophes from happening again. In this article, we discuss how the Capital One breach happened, why we believe these breaches will continue, and the steps companies and public agencies can take to prevent a similar incident from occurring with your data.
How did the Capital One breach happen?
The attacker was a past employee of AWS and knew the layout of the infrastructure. Realizing that a web application firewall that could have prevented access to the files was not configured, she was able to access these files and the content within them.
Capital One was an avid user of AWS' services; consequently, it would be reasonable to assume that they were using AWS' Key Management Service (KMS), a software-based encryption service, or their CloudHSM, backed by a FIPS-certified cryptographic hardware security module, to encrypt the information. Since the attacker had already reached a privileged location within the infrastructure, it also reasonable to conclude that she was able to assume either a Capital One or an AWS service account to ask the KMS and/or CloudHSM to decrypt the content for her.
Will such breaches continue?
Most definitely. Here’s why:
- Use of passwords: Most of the internet, including the cloud service providers, continue to use an anachronism to determine access to protected resources: shared secrets. These are either passwords or any of the varieties of one-time pins (OTP), knowledge-based answers (KBA), etc. All of the shared secret authentication mechanisms have been attacked and compromised over and over again, with systems using passwords having an 81% probability of being compromised by a data breach;
- Failing to encrypt the right way: Most companies will not encrypt sensitive data unless they are forced to do so. And, when they do, they take short-cuts. J. Maxx used database encryption with the encryption key stored in the database and protected by, you guessed it, a password. Marriott stored encryption key components on the same machine as encrypted data. Heartland Payment Systems never encrypted credit card data. Target did not separate their credit card processing systems from their refrigeration systems allowing attackers to get to sensitive data through password-based accounts of service mechanics monitoring refrigerators. The list goes on and on…
- Most cloud users assume they are protected by their CSP, and consequently, do little to protect themselves: AWS used to have a webpage explicitly stating that users were responsible for the security and compliance efforts of their regulated applications. That page isn’t live anymore—the disclaimer is probably buried within legal clauses in their terms of service.
Any one of these causes is sufficient to result in a data breach. When one or more of these causes are present within an application system, a data breach is inevitable.
How can you prevent a data breach from ever happening to your organization?
The short answer: you can’t. Cyberthreats evolve constantly and rapidly, which means there’s no foolproof solution to all cybersecurity issues. Recognizing this, the best way to protect your organization against data breaches is to make it highly difficult for criminals to access your data in the first place. In the event a breach does happen, your best bet is to make it irrelevant. Here’s how you can do both of these things:
- Password-free authentication: Use powerful protocols, such as FIDO2, in web and mobile applications to enable passwordless authentication and eliminate shared secrets—a magnet for attackers.
- Targeted data encryption: Protect your data by encrypting and tokenizing it in the application layer, the highest layer of the technology stack. This means that data is protected no matter where it travels.
- Data integrity: Digital signatures protect data from being modified by “side-channel” attacks—where someone with access to the database may make unauthorized changes, bypassing rules built into the application. Businesses are assured that users are using accurate data to make business decisions.
- High-assurance key management: By using a FIPS-certified cryptographic hardware module you can ensure that all cryptographic keys generated, stored, and used are protected.
- Hybrid cloud security: Companies’ IT strategies generally leverage the cloud. If this is the case of your organization, find a solution that enables customers to take advantage of the benefits of the cloud, while still maintaining control of your keys in a dedicated secure zone.
Combined, these are formidable defenses designed to protect data against the vast majority of attacks. They work in concert to ensure that even if an attacker is on the network, it would be extremely difficult to compromise data and/or cryptographic keys within the solution.
The Capital One data breach provides important lessons. Keeping them in mind, the steps outlined in this article can help companies become resilient to continual attacks on the internet, finally allowing them to get ahead of the problem.