The Insiders – A Look at the Capital One Data Breach
by Jasmine Chennikara-Varghese
In July, Capital One reported a breach that compromised the personal information of about 100 million customers. A former employee of a third-party service stole the data earlier in the year, and Capital One initially learned of the theft from a tip. While data breaches and cyber attacks are now almost routine news, this incident is a reminder that insider threats are very real and very damaging. The breach exploited a gap in the processes and provisions in place for managing privileged insiders.
In the case of Capital One, personal information was stolen from cloud servers and posted on GitHub. The compromised data included names, addresses, phone numbers and email addresses, as well as some Social Security numbers and bank account numbers. The alleged attacker, a former systems engineer with Amazon Web Services (AWS), was an insider who knew how to take advantage of a web application firewall misconfiguration to query and obtain the credentials needed to access the data stored in AWS Simple Storage Service (S3) buckets.
Security and data privacy teams typically focus on deterring external attackers with encryption, strong authentication, firewalls and IDS/IPS techniques. External attackers who do bypass perimeter security and get into the enterprise landscape still have reconnaissance to do: they must find the right data and obtain the right access before the actual breach or attack occurs. These routine discovery activities in a typical external attack lifecycle trigger other security measures and alerts that can deter or mitigate the attack.
The threat from internal users can be harder to detect and even more difficult to manage. The insider will know how the applications and systems work, how data is maintained and accessed in the cloud or on-premises, and how to navigate the internal processes. The Capital One scenario highlights that the privileged insider can be a past or present employee, a contractor, or a third-party provider such as a public cloud infrastructure company.
Enterprise security and user provisioning remain complicated and challenging undertakings. Many organizations have on-boarding processes to ensure that new employees, contractors and vendors get the right access to corporate services. However, there is often no sufficiently mature process for deprovisioning users as part of off-boarding. In addition, manual controls are not enough for granting and revoking permissions, reviewing user access and auditing user activity at a granular level for all users, and especially for super users handling emergency and firefighter activities.
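As an added illustration of the off-boarding and access-review gaps described above (example code added here, not from the article or from Greenlight), the following reconciliation check compares a constructed HR roster against a constructed application access list: it flags accounts held by terminated staff, contractors past their end date, or identities unknown to HR, and flags privileged and firefighter roles whose last access review is older than a set window. The roster fields, role names, dates and review window are all hypothetical.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical, not from the article): an HR roster and
# an application access list as an off-boarding reconciliation job would see them.
HR_ROSTER = {
    "alice": {"status": "active", "type": "employee", "end_date": None},
    "bob": {"status": "terminated", "type": "employee", "end_date": date(2019, 3, 1)},
    "carol": {"status": "active", "type": "contractor", "end_date": date(2019, 6, 30)},
    "vendor-ops": {"status": "active", "type": "third_party", "end_date": None},
}
ACCESS_LIST = [
    {"user": "alice", "role": "analyst", "last_review": date(2019, 7, 1)},
    {"user": "bob", "role": "admin", "last_review": date(2019, 1, 15)},
    {"user": "carol", "role": "analyst", "last_review": date(2019, 5, 1)},
    {"user": "vendor-ops", "role": "firefighter", "last_review": date(2018, 12, 1)},
    {"user": "dave", "role": "analyst", "last_review": date(2019, 7, 1)},  # not in HR
]
PRIVILEGED_ROLES = {"admin", "firefighter"}  # roles that need frequent review
AS_OF = date(2019, 7, 29)                    # hypothetical run date of the audit


def audit_access(roster, access, today, review_max_age=timedelta(days=90)):
    """Return (user, issue) findings: accounts that should have been
    deprovisioned and privileged accounts whose last review is stale."""
    findings = []
    for entry in access:
        user, role = entry["user"], entry["role"]
        person = roster.get(user)
        if person is None:
            # Account exists in the application but HR knows no such identity.
            findings.append((user, "orphaned: no matching identity in roster"))
        elif person["status"] == "terminated" or (
            person["end_date"] is not None and person["end_date"] < today
        ):
            # Off-boarding gap: access survived termination or contract end.
            findings.append((user, f"deprovision: {person['type']} terminated or past end date"))
        if role in PRIVILEGED_ROLES and today - entry["last_review"] > review_max_age:
            # Super-user / firefighter access must be re-certified regularly.
            findings.append((user, f"review overdue: privileged role '{role}'"))
    return findings


if __name__ == "__main__":
    for user, issue in audit_access(HR_ROSTER, ACCESS_LIST, AS_OF):
        print(f"{user}: {issue}")
```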
Are you doing enough to secure your enterprise from insider threats? Learn how Greenlight Insider Threat solutions can automate, audit and monitor user provisioning and user activities within your business-critical applications.