It was just about a year ago that we wrote about the Capital One breach. The personal information of approximately 100 million customers was compromised. The company is still dealing with the aftermath, as the Office of the Comptroller of the Currency (OCC) just announced an $80 million fine. The OCC blamed the company for failing to keep customer data secure while it was hosted in the cloud.
According to the agency’s press release, “The OCC took these actions based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner.”
A former employee of a third-party service stole the data and Capital One initially discovered the theft from a tip. While data breaches and cyber attacks are now almost routine news, this incident serves as a reminder that insider threats are very real and very damaging. This breach shows just how easy it is to exploit the gap in the processes and provisions in place to manage privileged users.
In the case of Capital One, personal information was stolen from cloud servers and posted on GitHub. The compromised data included names, addresses, phone numbers, email addresses as well as some Social Security Numbers and bank account numbers. The alleged attacker was an insider who knew how to take advantage of a web application firewall misconfiguration to query and acquire the necessary credentials to access the data stored in Amazon Web Services (AWS) Simple Storage Service (S3) buckets.
The threat from internal users can be harder to detect and even more difficult to manage. The insider knows how the applications and systems work, how data is maintained and accessed in the cloud or on premises, and how to navigate the internal processes. The Capital One scenario highlights that the privileged insider can be a past or present employee, a contractor, or a third-party provider such as a public cloud infrastructure company.
Now think about how difficult it is to find a privileged user performing unauthorized activities. That typically requires viewing hours and hours of a privileged user’s recorded screen activities. Add on top of that how many privileged users there are at the company. How productive is that for a team to spend so much time staring at the screen instead of focusing on core business initiatives?!?
Capital One was fortunate to receive a tip because the hacker bragged about the breach. But what if they had a solution in place that could prevent authorized privileged users from doing unauthorized things? What if, instead of watching endless videos of privileged user activity, you could simply view a complete audit trail?
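As an added illustration (not code from the original post or from any vendor it refers to), the script below shows what a small, automated review of a cloud audit trail looks like for the access pattern described above: temporary credentials belonging to an EC2 instance role being used to read S3 from somewhere the instance would never call from. The event field names follow the CloudTrail JSON layout; the sample events, the role name, the account ID and the expected VPC address range are all constructed assumptions.

```python
"""Added example: review constructed CloudTrail-style events and flag S3 data
access made with an EC2 instance role's credentials from an unexpected source IP.
All sample data, the role ARN and the expected address range are assumptions."""
import ipaddress
from collections import defaultdict

# Assumption: the application's instances only ever call AWS from this VPC range.
EXPECTED_SOURCE_RANGE = ipaddress.ip_network("10.0.0.0/16")

# S3 calls that enumerate or read data; writes are a separate concern.
S3_DATA_EVENTS = {"ListBuckets", "ListObjects", "GetObject"}

# Constructed role session ARN: EC2 names the session after the instance ID.
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/app-instance-role/i-0abc123def456"

# Constructed sample events in CloudTrail's field layout (not real log data).
SAMPLE_EVENTS = [
    {"eventTime": "2020-08-06T10:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.12.7",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"bucketName": "app-config"}},
    {"eventTime": "2020-08-06T10:05:42Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": None},
    {"eventTime": "2020-08-06T10:06:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"bucketName": "customer-records"}},
    {"eventTime": "2020-08-06T10:06:55Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"bucketName": "customer-records-archive"}},
    {"eventTime": "2020-08-06T10:07:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "10.0.3.4",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "requestParameters": {"bucketName": "app-config"}},
]


def is_ec2_role_session(identity):
    """True when the caller is an IAM role session created by an EC2 instance.
    EC2 sets the session name to the instance ID, so the ARN ends in /i-...."""
    if identity.get("type") != "AssumedRole":
        return False
    arn = identity.get("arn", "")
    return ":assumed-role/" in arn and arn.rsplit("/", 1)[-1].startswith("i-")


def is_outside_expected_range(source_ip, expected_range):
    """True unless the source is an IP address inside the expected range.
    A non-IP source (console or service name) is also unexpected for an
    instance role session, so it is treated as outside the range."""
    try:
        return ipaddress.ip_address(source_ip) not in expected_range
    except ValueError:
        return True


def find_suspicious_s3_access(events, expected_range=EXPECTED_SOURCE_RANGE):
    """Return one finding per S3 read/list call made with an EC2 instance
    role's credentials from outside the expected address range."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if ev.get("eventName") not in S3_DATA_EVENTS:
            continue
        identity = ev.get("userIdentity", {})
        if not is_ec2_role_session(identity):
            continue
        if not is_outside_expected_range(ev.get("sourceIPAddress", ""), expected_range):
            continue
        params = ev.get("requestParameters") or {}  # ListBuckets carries None
        findings.append({
            "eventTime": ev["eventTime"],
            "principal": identity["arn"],
            "sourceIPAddress": ev["sourceIPAddress"],
            "eventName": ev["eventName"],
            "bucket": params.get("bucketName"),
        })
    return findings


def buckets_touched_per_principal(findings):
    """Group the flagged findings by role session to show the blast radius."""
    touched = defaultdict(set)
    for f in findings:
        if f["bucket"]:
            touched[f["principal"]].add(f["bucket"])
    return {principal: sorted(buckets) for principal, buckets in touched.items()}


if __name__ == "__main__":
    hits = find_suspicious_s3_access(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit['eventTime']} {hit['eventName']:<11} {hit['sourceIPAddress']:<15} "
              f"{hit['bucket'] or '-'}")
    print("buckets per principal:", buckets_touched_per_principal(hits))
```

Run as-is and the three calls from 198.51.100.23 are listed while the in-range read and the ordinary IAM user write are ignored; swap `SAMPLE_EVENTS` for a decoded CloudTrail file and set `EXPECTED_SOURCE_RANGE` to the real VPC CIDR to use it against actual logs. The point is the shape of the check, not the specific range: an instance role's credentials leaving the instance is the signal worth alerting on, and grouping by principal shows how many buckets were reached before anyone had to watch a single screen recording.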