Understanding Capital One’s Cybersecurity Crisis Response

Major security breaches tend to make the news for all the problems caused by the attack—but what about what we can learn from the solutions?


In March, a breach of Capital One’s servers exposed the personal information of nearly 106 million customers and applicants. The exposed data included about 140,000 Social Security numbers and 80,000 linked bank account numbers, along with names, addresses, dates of birth, credit scores, and transaction data.

But while the incident was indeed severe, security experts weighing in believe that actions taken by Capital One prevented it from becoming another example of extreme negligence in corporate cybersecurity. So this week, we’ll be examining what they did right.

Rapid Recognition

The official FBI complaint details that attacker Paige Thompson allegedly pulled gigabytes of personal information from Capital One’s systems by taking advantage of a misconfigured firewall. After she posted about her actions on GitHub, someone alerted Capital One with a vulnerability disclosure email, and law enforcement arrested Thompson twelve days later.

Considering that the average time for a breach to be discovered is 297 days, Capital One’s brisk response demonstrates the value of having detection and response measures in place before an incident occurs.

The aforementioned vulnerability disclosure email is part of a program that allows members of the public to send tips to Capital One when they suspect a breach or other suspicious activity. According to a 2018 report from HackerOne, 93% of companies on the Forbes Global 2000 list don’t have a vulnerability disclosure policy, which puts Capital One ahead of the game.

Cloud Computing…

Many companies have already embraced cloud computing as the future of business and, in the case of Capital One, data storage. The bank made use of a public S3 bucket—a basic feature of Amazon’s cloud offerings—to store sensitive information, such as PII from credit card applications dating back to 2005.

The question is, why would it entrust that sort of data to a feature that was public, and therefore accessible? The answer may lie in its IT footprint. As large companies like Capital One move to the cloud, their IT teams are forced to combine security with inventory management. And with countless pieces of data to be monitored, it’s all too easy for something to slip through the cracks—even if monitoring reached 99% coverage, an as-yet-unheard-of achievement.

Yet Capital One’s deployment of post-compromise protections, such as tokenizing Social Security and bank account numbers, shows the company understood that it might not be able to watch every piece of data in the cloud. Instead, it was prepared with security measures that limited the damage from the endpoint vulnerabilities Thompson targeted.
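To illustrate why tokenizing Social Security and bank account numbers limits the damage when a data store is copied, here is a small added example written for this post; it is not Capital One’s or BAI Security’s code, and the field names, record layout, token format and sample applications are all assumed. The idea it demonstrates: the main store holds only opaque random tokens for sensitive fields, and the token-to-value mapping lives in a separately secured vault, so whoever obtains the store without the vault gets tokens rather than numbers.

```python
import secrets

# Added example (not Capital One's or BAI Security's code): a minimal
# tokenization vault. Records written to the main data store carry only
# opaque tokens for sensitive fields; the token -> value mapping lives solely
# in the vault, so a copy of the store taken without vault access yields no
# usable SSNs or account numbers. Field names and record layout are assumed.

TOKEN_PREFIX = "TKN-"


class TokenVault:
    """In-memory stand-in for a separately secured token vault."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        # The same value always maps to the same token so records stay joinable
        # (e.g. two applications from one applicant) without exposing the value.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            # A random token carries no information about the original value,
            # unlike a plain hash, which could be brute-forced for low-entropy
            # data such as nine-digit SSNs.
            token = TOKEN_PREFIX + secrets.token_hex(8)
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for an unknown token rather than returning a guess.
        return self._token_to_value[token]


def tokenize_record(vault: TokenVault, record: dict, sensitive_fields) -> dict:
    """Return a copy of `record` with each sensitive field replaced by a token."""
    stored = dict(record)
    for name in sensitive_fields:
        if stored.get(name) is not None:
            stored[name] = vault.tokenize(stored[name])
    return stored


def detokenize_record(vault: TokenVault, stored: dict, sensitive_fields) -> dict:
    """Reverse tokenize_record; only possible with access to the vault."""
    record = dict(stored)
    for name in sensitive_fields:
        if record.get(name) is not None:
            record[name] = vault.detokenize(record[name])
    return record


def leaked_values(stored_records, sensitive_values) -> set:
    """Return the sensitive values that appear verbatim in the stored records.
    An empty set means the store alone exposes none of them."""
    found = set()
    for rec in stored_records:
        for v in rec.values():
            if isinstance(v, str) and v in sensitive_values:
                found.add(v)
    return found


SENSITIVE_FIELDS = ("ssn", "bank_account")

# Constructed sample credit card applications; every number here is made up.
APPLICATIONS = [
    {"applicant": "A. Example", "ssn": "123-45-6789", "bank_account": "000123456789", "credit_score": 710},
    {"applicant": "B. Example", "ssn": "987-65-4321", "bank_account": None, "credit_score": 655},
    {"applicant": "A. Example", "ssn": "123-45-6789", "bank_account": "000123456789", "credit_score": 712},
]


def demo():
    """Tokenize the sample applications and check what a copy of the store
    would reveal on its own. Returns (vault, stored_records, leaked_values)."""
    vault = TokenVault()
    store = [tokenize_record(vault, app, SENSITIVE_FIELDS) for app in APPLICATIONS]
    pii = {app[f] for app in APPLICATIONS for f in SENSITIVE_FIELDS if app[f]}
    return vault, store, leaked_values(store, pii)


if __name__ == "__main__":
    vault, store, leaked = demo()
    for rec in store:
        print(rec)
    print("sensitive values recoverable from the store alone:", leaked or "none")
```

Running the script prints the tokenized records and reports that none of the constructed SSNs or account numbers can be recovered from the store by itself; detokenizing requires the vault, which is why the vault must be kept on separate infrastructure with its own access controls and audit logging rather than beside the data it protects.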

… And Silver Linings

If we can learn anything from the Capital One breach, it’s that the power of preparedness is not to be underestimated. Keeping your data safe and your business compliant should always be a priority, and BAI Security can help with advanced techniques and solutions influenced by real-world experience.

We provide the following key services as part of our IT Security Assessment:

  • Vulnerability and Penetration Testing
  • Extensive Firewall Evaluation
  • Social Engineering Evaluation
  • Antivirus Best Practices Evaluation
  • Network Security Best Practices Evaluation
  • Remote Location (Branch) Evaluation
  • Remote Access Evaluation
  • Telco-Testing/War-Dialing Evaluation
  • Wireless Security Evaluation

Contact us today to keep your business safe, secure, and ready for anything.