Capital One Breach Conviction Exposes Scale of Cloud Access Rights Risk

The recent conviction of a Seattle technician accused of carrying out a cyber attack on Capital One is not the end of the story. The trial showed how someone could perpetrate a massive data breach by exploiting misconfigurations and excessive privileges common in many cloud environments.

As a result of the attack — and the resulting data breach — Capital One was fined $80 million by the federal government and settled customer lawsuits for $190 million. This should encourage organizations to put measures in place to avoid the same mistakes.

The attacker, who was an Amazon Web Services employee, built a tool that allowed her to scan the AWS platform for misconfigured accounts. She used anonymization services such as the Tor network and IPredator VPN to hide her IP address.

The attacker carried out a server-side request forgery (SSRF) attack, exploiting a misconfigured web application firewall (WAF) to trick a server into making requests she had crafted. This allowed the Capital One attacker to easily extract and exploit credentials from the machine and gain access to sensitive customer data such as names, addresses and Social Security numbers.

Lateral Movement and Least Privilege

This case illustrates how vulnerable cloud systems are to excessive access rights and misconfigurations. The attacker was able not only to exploit a misconfiguration in the WAF to gain access to the system, but also to obtain privileged credentials, move around to discover data buckets, and exfiltrate that data.

An MIT Sloan case study of the breach concluded that “it is highly likely that Capital One had insufficient identity and access management (IAM) controls for the environment that was breached.” The study also noted that the incident could have been avoided by periodic reviews of user configurations to ensure that access controls were properly applying the principle of least privilege.

Least privilege, as the name suggests, dictates that users and service identities can access only the resources and applications they need to do their job and no more. This allows organizations to operate with agility while limiting risk to the business and its customers. In Capital One’s case, the compromised WAF machine’s IAM role had access privileges beyond what was necessary for its functions.

This case is a good example of how easy it is to find vulnerabilities and exploit them to open a backdoor into a company, even one that seems well protected. Workloads can be compromised in so many ways that it is impossible to protect them from hacking. Even the best efforts to patch and update software, secure network access, and implement other security best practices can leave gaps that a hacker can exploit.

Once inside, an attacker’s ability to move laterally, undetected, defines the “blast radius” or extent of damage. The best way to mitigate lateral attacks is to control access by right-sizing the permissions granted to human and machine (service) accounts. In the Capital One case, the hacker was able to use an identity with permissions to access sensitive user records that the role clearly did not need.

The complexity of cloud environments makes it difficult to enforce the policy of least privilege. Native tools do not provide the visibility into permissions required for proactive risk mitigation. Additionally, the much-talked-about lack of cybersecurity talent means that most organizations are understaffed and lack cloud expertise.

As a result, permissions management doesn’t get the attention it deserves. In fact, nearly 60% of CISOs and other security decision makers say that lack of visibility, along with inadequate identity and access management, are major threats to their cloud infrastructure. In a recent IDC survey, respondents cited access risk and infrastructure security among their top cloud security priorities for the next 18 months.

Right-sizing permissions is possible if an organization’s security and development teams can identify excessive permissions and know how to create a least-privilege policy that will allow workloads to operate effectively. This can be accomplished using the right mix of technology, processes and procedures. Consider the following best practices for mastering cloud entitlements and configurations:

  • People:
    Make someone in the organization responsible for implementing a least-privilege architecture.
  • Process:
    Establish a regular cadence for reviewing and remediating access rights risks in your organization, including access reviews for human users and remediation of unused privileges for services.
  • Technology:
    Deploy technology that can continuously monitor access rights risks, automatically troubleshoot issues, and identify anomalies at cloud scale.
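
To make the right-sizing step concrete, the following added example (not from the original article or from any vendor tool) compares an IAM-style policy with the calls a role was actually observed making, flags grants that are unused or broader than needed, and emits a reduced policy. The policy, role, bucket name, account ID and usage records are constructed for illustration, and the matcher is a simplification that ignores Deny, NotAction and Condition.

```python
import fnmatch

# Constructed sample policy for a hypothetical WAF instance role.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:*:*:log-group:/waf/*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}

# Constructed sample of (action, resource) pairs the role was observed using.
USAGE = [("logs:PutLogEvents", "arn:aws:logs:us-east-1:111122223333:log-group:/waf/prod"),
         ("s3:GetObject", "arn:aws:s3:::example-waf-config/rules.json")]

def _list(value):
    return [value] if isinstance(value, str) else list(value)

def _match(pattern, value, fold=False):
    # IAM wildcards act like globs; action names are case-insensitive.
    f = str.lower if fold else str
    return fnmatch.fnmatchcase(f(value), f(pattern))

def allowed(stmt, action, resource):
    # Simplified evaluation: ignores Deny, NotAction and Condition.
    return (stmt.get("Effect") == "Allow"
            and any(_match(a, action, True) for a in _list(stmt.get("Action", [])))
            and any(_match(r, resource) for r in _list(stmt.get("Resource", []))))

def find_excess(policy, usage):
    """Return (statement index, action pattern, reason) for each risky grant."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for pat in _list(stmt.get("Action", [])):
            used = any(allowed({**stmt, "Action": pat}, a, r) for a, r in usage)
            if not used:
                findings.append((i, pat, "unused"))
            elif "*" in pat or "*" in _list(stmt.get("Resource", [])):
                findings.append((i, pat, "broader than observed use"))
    return findings

def right_size(policy, usage):
    """Build a policy granting only observed calls the original policy allowed."""
    by_resource = {}
    for action, res in usage:
        if any(allowed(s, action, res) for s in policy["Statement"]):
            by_resource.setdefault(res, set()).add(action)
    return {"Version": policy["Version"], "Statement": [
        {"Effect": "Allow", "Action": sorted(acts), "Resource": res}
        for res, acts in sorted(by_resource.items())]}
```

The observation window decides the quality of the result: a call the workload makes only rarely must be present in the usage data, or the reduced policy will break it.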

Organizations can learn valuable lessons from this case and the financial consequences of not caring about their cloud Ps&Cs, namely permissions and configurations.
