Cybersecurity experts weigh in on Capital One breach

This week’s news of the breach at Capital One Financial Corp. rocked the world and has cybersecurity experts buzzing to analyze what went wrong and advise others how to prevent similar issues at their own organizations.

Private information given to Capital One through credit applications was exposed in a hack that the authorities believe was perpetrated by Paige Thompson, a suspect who was quickly apprehended once Capital One reported the breach to the FBI. Roughly 100 million Americans and 6 million Canadians were impacted.

The exposed information included data like names, addresses and even, in some cases, social security numbers and social insurance numbers.

In its statement, Capital One described the security gap that led to the breach as a “configuration vulnerability”. The charge sheet suggests the alleged hacker used a “firewall misconfiguration” to access the data held by an unnamed cloud computing company. The email sent to Capital One by a white hat hacker refers to an S3, which would suggest this was on Amazon AWS.

Investigations into the breach have been started by the Canadian Centre for Cyber Security in collaboration with the RCMP, as well as by the Office of the Privacy Commissioner of Canada (OPC).

Anyone who thinks they may have been affected by the breach is being urged to call the respective hotline to report this.

There’s been no shortage of advice and analysis from cybersecurity experts from across the industry, and many of them reached out to us this week:

Jeff Wilbur, director of the Online Trust Alliance Initiative, The Internet Society

“The Capital One incident is the latest in a string of high-profile, high-impact data breaches.
The hacker in this case unlawfully gained access to users’ information that was largely unencrypted by exploiting a misconfigured web application firewall – something that could have been prevented. Year after year our analysis shows that more than 90 per cent of data breaches are preventable – in 2018 it was 95 per cent. This is a grave reminder that companies holding personal and sensitive data need to be extra vigilant. The responsibility for good data stewardship lies with everyone in an organization, not just the C-suite or IT security team. Use strong passwords and multi-factor authentication, keep software updated, be careful with email, encrypt/hash and back up your data where ransomware can’t get to it – these basics would prevent a significant percentage of not just breaches, but all cyber incidents.”

Tom Kellermann, chief cybersecurity officer, Carbon Black, Inc.

“This breach highlights a few important realities for cybersecurity in 2019. First, perimeter-based security measures will not prevent 100 per cent of attacks, 100 per cent of the time. Without visibility into what’s occurring on an enterprise, a business may be completely blind to attacks like this, especially when you consider that Paige Thompson once worked at Amazon as an engineer for the same server business that supported Capital One. Modern threats can come from all domains, including former employees, partners or contractors. A business needs to consider all the potential risks and work to gain visibility across the business into where potential weaknesses exist. Second, it’s absolutely imperative for businesses to be securing their cloud infrastructures and the critical data they hold. Capital One is one of the most ‘cloud-forward’ financial companies in the world; they should be partnering with solution providers who are intimately aware of how to keep the cloud secure.
What should not be lost in this is that Capital One is one of the globe’s most recognizable and ubiquitous financial brands that houses critical financial and personal information. As Carbon Black’s research has found, financial institutions are increasingly being targeted by advanced attacks that leverage “island hopping,” lateral movement, counter incident response and fileless attacks. The modern bank heist is now in cyberspace. Capital One customers who are concerned about this breach should keep a close eye on their statements and report any suspicious activity immediately. Customers should also consider signing up for security alerts from Capital One and be extra vigilant over the coming months for possible phishing emails.”

Justin Fier, director for cyber intelligence and analysis, Darktrace

“In this instance, we’re seeing the vulnerabilities of the cloud converge with the constant risks of insider threat, only in this case, it was a secondary insider as the threat came from a provider. What will this do to the B2B market if we can’t trust the employees and procedures done by our partners? When you trust your data on someone else’s servers you inherently trust the people that company has hired as if you hired them yourself. We sign contracts for cloud and SaaS without batting an eye because of all the money we will save. But do we ever ask about the data center administrators walking through the rows of computers hosting our data? We inherently trust them. Why? While this attack will undoubtedly have serious ramifications for Capital One and the millions of individuals affected, this may also have impacts on the usage of cloud computing by banks and the financial services industry. Cloud is not going anywhere and this event, in particular, is not going to make everyone dust off our NAS boxes and come back to on-prem, but I think this will wake companies up to evaluating the risks associated with cloud computing.
Although the perpetrator has already been caught, that doesn’t mean that the impacts of this data breach have been prevented. Looking at the timeline of when she had access, this information is likely already on the DarkWeb. In the new digital era, data is currency, and when it falls into the wrong hands it can spread like wildfire throughout the criminal community.”

Stuart Reed, vice-president, Nominet UK

“With 100 million individuals in the U.S. and 6 million in Canada affected by the Capital One security breach, it is significant to financial institutions around the world. Although the amount of information that Capital One has released on the security incident is clear and transparent, it demonstrates the extent of data at risk. Digital transformation and a continual stream of new technologies coming into business infrastructures means that security teams need to be extra vigilant in ensuring systems – both legacy and new – can integrate seamlessly without opening up vulnerabilities. When a hacker has gained a foothold on the network, as in this instance, data theft through a variety of methods can be exploited. Having systems in place on the network to identify anomalous behavior at an early stage can mean the impact of an attack is reduced.”

Ilia Kolochenko, founder and chief executive officer, ImmuniWeb

“This is just one more colorful, albeit lamentable, example that web applications are the Achilles’ Heel of the modern financial industry. Reportedly, the intrusion had happened in March but was noticed only upon notification in late July. Given Capital One’s [comparatively] immense capacity to invest into cybersecurity and the allegedly trivial nature of the vulnerability, such a protracted detection timeline is incomprehensibly huge. Legal ramifications of the breach may be both exorbitant and protracted, including regulatory fines and penalties, individual and class action lawsuits by the victims.
Talking about the alleged suspect, one should remember about the presumption of innocence. The person in question could have been tricked to access or download the data without any intent to sell it or use with malice, serving as a smoke-screen to mislead law enforcement agencies. Until all the circumstances of the incident become crystal-clear, it would be premature to blame anyone. Victims should now carefully monitor their credit scores and be extremely cautious about any abnormal activities with their accounts. If the data was stolen and sold, we may expect a wave of sophisticated spear-phishing.”

Leigh-Anne Galloway, cybersecurity resilience lead, Positive Technologies

“More than anything, this attack demonstrates how much damage a single hacker can do given the opportunity. Through a cloud configuration error, highly sensitive information of more than 100 million people was exposed. Cloud storage is an increasingly attractive option for large corporations because it is cheaper than on premise, but attacks like this show that organizations aren’t adopting security with the same vigor – and they should, otherwise the financial cost of penalties and lawsuits will vastly outweigh any IT savings. Capital One acted quickly and the FBI successfully caught the culprit, but the outcome of this incident could have been dire if even a fraction of that data was exploited. In this case, the hacker was caught so quickly because of her bravado on public chats, which meant she left multiple traces on the internet. It shows that operations security (OPSEC) is still an important tool for companies to mitigate damage after data is leaked, as is the use of digital forensics to trace hackers. While it looks like all the appropriate measures have been taken to mitigate the risk of fraud, Capital One customers should continue to be extremely vigilant.
Keep an eye on your bank accounts and any other connected accounts such as email addresses and immediately flag any suspicious activity to authorities or Capital One. Even if all the data leaked has been secured and accounted for, opportunistic hackers will still try to make the most of this opportunity through techniques like phishing attacks posing as Capital One or authorities. Act with extreme caution and treat any incoming communication with suspicion. If in doubt, go directly to the Capital One website and use contact information there to ensure you are speaking to who you think you are.”

Tom DeSot, executive vice-president and chief information officer, Digital Defense, Inc.

“The circumstances around the Capital One breach highlight the need for increased scrutiny of hosted security applications. As enterprises and networks become more distributed and network resources – including security applications – are allocated to the cloud, the security applications themselves, whether commercially available or custom designed, must be regularly tested and monitored to ensure they are secure and free of misconfigurations that could be leveraged for exploit.”

Columbus Crew outguns Chicago Fire to win first match since March

Columbus Crew midfielder Ethan Finlay dribbles past Chicago Fire goalie Sean Johnson during a game against the Fire May 24 at Crew Stadium in Columbus. The Crew won, 2-0.
Credit: Courtesy of Crew Communications / Kirby Hines

The Columbus Crew are back in the win column for the first time in almost two months after a 2-0 home triumph against the Chicago Fire Saturday.

Midfielder Ethan Finlay and forward Jairo Arrieta scored first-half goals for the Crew (4-4-4), each converting assists from forward Federico Higuain to top the Fire (2-3-6).

In a postgame press conference, Crew coach Gregg Berhalter praised his club’s effort to get its first win since a 94th-minute Justin Meram goal lifted Columbus to three points at the Seattle Sounders March 29.

“I think we’ve been frustrated that we’ve been playing well and not getting the results,” Berhalter said. “So from that standpoint, we’re happy. I think it was a good effort, obviously missing some guys (to FIFA World Cup roster call-ups), and the guys who filled in did a great job.”

Columbus defender Eric Gehrig anchored the backline by consistently positioning himself at the right moment throughout the game to contest Fire possessions and clear balls.

Gehrig showed poise in his first appearance this year, filling the vacancy created by Giancarlo Gonzalez’s stint with the Costa Rican national team.

“I felt like (Gehrig) had a fantastic game. We knew that there was a lot of players on this team that could play, and Eric obviously stepped up tonight,” Crew goalkeeper Steve Clark said of his fellow defender after the game.

The Crew defense was able to repel Chicago’s attack duo of Juan Luis Anangono and Quincy Amarikwa repeatedly, and while the Fire attempted 15 total shots on goal, Clark only needed four saves to achieve his second clean sheet of 2014.

It was the first shutout loss of the year for Chicago.

“Chicago hasn’t been shut out yet this season, so I think that speaks for itself.
And the guys did it with determination,” Berhalter said. “Guys like Eric Gehrig, Tyson (Wahl), you know, Hector (Jimenez) when he was in there. I mean Chad Barson I thought was excellent as well … Steve Clark also, very secure on crosses, didn’t give up any rebounds.”

Finlay provided the offensive spark with his 10th minute tally – his first-ever goal at Crew Stadium. It was his second goal of the season, and second in as many games after scoring as a substitute against the Portland Timbers May 17.

The midfielder was voted Man of the Match by Crew fans.

“This game isn’t something that comes out of the blue. If we look at what he’s been doing over these last couple weeks, it’s been leading towards a performance like this,” Berhalter said, describing Finlay’s journey of trying to just make the 18-man roster at first to now being a starter. “He was player of the game, for me. He was excellent.”

“I kind of fought my way up the depth chart,” Finlay said. “It’s been great. You know, a lot of these guys who were playing in front of me were always pushing me, (and) I was pushing them. And it’s definitely a very good feeling to get a good victory tonight.”

A notable omission from the Crew’s starting 11 was defender Michael Parkhurst, who was cut from the U.S. national team Friday as the 23-man World Cup roster was finalized.

Parkhurst, who is the club’s captain, was substituted in for Chad Barson in the 87th minute to a standing ovation and chanting of his name.

Berhalter said he denied Parkhurst’s request to start, based on his evaluation of what had been a grueling week that included “tough” practices with the national team in Stanford, Calif., and a red-eye flight back home to Columbus on Friday after he was cut.

“He wanted to play, but I didn’t think it was worth the risk because of potential injury after all that travel and training,” Berhalter said.
“It was good to get him on the field … He’s been through a lot in these last couple days and it’s nice for him to feel that everyone supports him.”

Parkhurst – in his first year with the Crew – said it is a tough time for him, but added he was glad to return home to Columbus.

“We didn’t know that the cuts were coming that day,” Parkhurst said of being denied the chance to play in Brazil. “It’s nice to be back home … It’s difficult, of course. You know, that was the ultimate dream. But you have to bounce back and be professional and now my sole focus is the Crew.”

Columbus is slated to travel to Toronto to take on their Trillium Cup rivals Saturday, where they will have to play without Higuain because of his one-game suspension due to accumulated yellow cards.