Last Updated on March 16, 2023
“Not to worry, our data is safe; it’s in the cloud!” Famous last words that should be filed alongside with, “This ship is unsinkable” prior to this impending collision with an iceberg.
Brian Krebs reported recently that Capital One experienced a data breach and that cause was due to a misconfigured Web Application Firewall, or WAF, on Apache that is hosted on AWS. The misconfigured WAF enabled the attacker to trick the firewall to submit requests to the back-end server which, eventually, resulted with the extraction of customer data.
Authorities investigating the breach they believe they have identified the alleged attacker who was arrested on July 29 and charged her with the theft of Capital One’s customer records. According to the indictment, the former AWS employee successfully implemented what is known as a Server-Side Request Forgery (SSRF.) An SSRF attack tricks a server into believing that an attacker is a legitimate remote user. Once the attacker gets in, the server acts as a proxy that enables the attacker to access the victim’s infrastructure and puts critical data at risk.
There are some silver linings; the following actions enabled investigators to pinpoint the alleged attacker:
- A monitoring tool, called CloudTrail in AWS, enabled Capital One and AWS to identify the incident
- The activity was traced to a specific employee account on GitHub.
- The alleged attacker was boasting of the attack on social media.
Although the firewall configuration failed to prevent the breach, the other controls helped investigators eventually identify who was responsible. These multiple categories of controls are what is known as Layered Security which is employing security controls in all the following areas: governance, identification, prevention, detection, response and recovery. In this case, the detective (monitoring) and response (investigation) controls were enabled to mitigate the impact.
“The first rule is that compliance is not equivalent to security”
Layered Security cannot be stressed enough; technology is not foolproof so it is important to apply controls in other categories that addresses gaps and enables enterprises to protect data. Layered Security is the core principle of virtually every established framework including the International Standards Organization (ISO) 27001 and the National Institute for Standards and Technology Cyber Security Framework (NIST CSF.) Frameworks address the entire spectrum of Layered Security by providing established and tested best practices to minimize the risk to critical data.
The first rule is that compliance is not equivalent to security. Frameworks provide a baseline during all phases of development and operations; they help organizations ensure security is applied where it counts. This does not mean that organizations must follow all requirements to the letter, but instead, to use the requirements as minimal guidelines. ISO 27001 and NIST CSF are what are known as risk-based frameworks; meaning the organization determines their acceptable risk tolerance and implement appropriate controls to achieve that tolerance.
Using the Capital One breach as an example, the following table lists the applicable controls for both ISO and NIST. Note that the table highlights all six of the Layered Security categories:
Activity | Category | ISO 27001 | NIST CSF |
Auditing | Detection | 9.2, A.12.7.1 | PR.AC-1, PR.PT-1 |
Incident Response | Response, Recovery | A.16 | DE.AE-2, PR.IP-8 PR.IP-9, RS.RP-1, RS.CO-1, RS.AN |
Least Privilege Access | Identification | A.9.2.2 | PR.AC |
Logging | Detection | A.12.4 | PR.PT-1 |
Monitoring Privileged Accounts | Detection | A.9.2.3, A.9.2.5, A.9.4.4 | DE |
Candidate Screening | Prevention | A.7.1 | PR.IP-11 |
Patching | Prevention | A.14.2 | NIST Tier 3 |
Qualified Technical and Management Staff | Prevention | A.7.2.2 | PR.AT-1, PR.AT-2 |
Security Integration in Project Management | Prevention | A.6.1.5 | PR.IP-2, PR.IP-3 |
Software Control | Prevention | A.12.5, A.14.2.1 | PR.DS-6, PR.IP-1PR.IP-3 |
Infrastructure Review by Management | Detective | 9.3 | ID.GV-4 |
Management Oversight | Governance | 4 & 5 | ID.GV |
It should be noted that qualifications do not imply blame with any specific individual at Capital One; in some cases, technical experts don’t know how to implement security while in other cases, management mandates that corners be cut to speed delivery. It is not known “who” the root cause was but it is obvious that AWS tools could have been better utilized.
Organizations should also never assume a cloud provider is automatically “secure.” AWS’ security is focused on their physical locations, network infrastructure and security tools. Cloud providers are very clear that it is the responsibility of the client to implement security best practices. Sufficient controls and configurations for one business will not apply to other businesses and since it is impossible to manage the entire security program, cloud providers leave it to the customer to complete that task. Cloud providers can only apply services to help the customer, it is the customer who needs to know how to utilize them.
Relying on technology alone is one common mistake. No software or hardware has a, “Make me secure” button. Like any other trade, it is not the tool itself but the skill of the master craftsman who knows how to properly wield the tool. The best tools in the world are useless if not used or if used improperly and it is wise not to rely entirely on one tool.
Governance is the most critical control of all because no security program will ever be successful without executive management support. Technical experts have the knowledge to implement appropriate technical controls but management must establish the framework so the business may operate. What good will Layered Security do if it prevents the business from operating?
It’s a good bet that Capital One will be evaluating the incident and will review all applicable processes to reduce the possibility of any future breach. A lesson to be learned here is that security is not a one-time process but it must be continually evaluated and improved. Could your organization’s security have gaps in some areas? An honest internal evaluation may yield some unexpected gaps that may save your organization—and your clients’ data—in the long run.