Announced by Capital One Financial Corporation themselves on the 19 July 2019, it was determined that unauthorized access by an external person “obtained certain types of personal information”. Due to a cloud misconfiguration a hacker was able to access Social Security numbers, bank account numbers. This was all due to an employee’s “misconfigured web application firewall.” But sadly, Amazon is taking a massive reputational hit due to the media spreading news of an AWS (Amazon Web Services) breach, when in fact it is actually a Capital One misconfiguration.
Breaches can not only cause financial damage for organisations, but there is also the unaccounted for reputational damage, not to mention the immediate effect on your company’s stock prices. A data breach or leak will taint your company’s image and seriously hinder your future customers interest in your products and solutions. Lastly after big breaches there are many court cases and lots of resources lost trying to extinguish the fires, when those resources could be put towards preventing the problem.
This is where we need to understand the nature of attacks because ‘Understanding the threats can help you manage risk effectively’. According to Verizon’s report, the DBIR (Data Breach Investigations Report) of 2019, 72% of attacks are caused by external attacks. This means that a shocking 28% of attacks are caused from internal actors! By now we should know how the majority of outside attacks take place: social engineering, phishing, and denial of service attacks (DOS). The most common internal causes are either ‘privileged misuse’ or ‘miscellaneous errors’. Privileged misuse means unapproved or malicious intent for personal gain and misc errors are simply not setting things up properly and then they get breached. In the case of Capital One the FBI seems convinced that it was malicious due to a hacker boasting of her accomplishments via twitter.
Ways to avoid a data breach (rather than deal with the consequences), as suggested by PaymentsJournal’s Article
- Phishing prevention: Frequent staff training to prevent employees being giving out valuable info, being able to detect scams
- 2FA: Two factor authentication on customer-facing applications and any cloud-based emails
- Monitor system access: Detect privilege misuse, log everything and make it clear to employees that everything is logged.
- Malware monitoring and protection: Monitor systems for suspicious behaviors that indicate botnet or DoS (denial of service) attacks
- Protect: Lastly, even if you think your data is safe because it is internal facing ENCRYPT it, it must be your duty to protect.This article has information gathered from Jason Corcoran‘s article on threatpost found here. This article also has information gathered from Scott Eason‘s article on PaymentsJournal which can be found here.