alphaspirit - Fotolia

This article is part of our Conference Coverage: A complete guide to AWS re:Invent 2019

What AWS users can learn from the Capital One breach

Don't want to be on the nightly news? Protect sensitive data with cloud security best practices gleaned from what Capital One did wrong -- and what it got right -- during the breach.

The potential for security breaches is an unfortunate reality for cloud-hosted workloads. But despite the frequency of cloud security incidents, the Capital One hack sparked widespread concern in the IT industry.

In July 2019, Capital One reported that a hacker acquired the personal information of more than 106 million of its customers and credit card applicants. The exposed information included social security numbers, credit scores, payment histories and more.

AWS is tied to the Capital One incident for two reasons. First, Capital One is a major AWS customer. Second, the alleged hacker, Paige Thompson, worked at AWS as a systems engineer from 2015 to 2016. Despite these connections, AWS has maintained that it is not to blame for the breach.

"AWS was not compromised in any way and functioned as designed. The perpetrator gained access through a misconfiguration of the web application, and not the underlying cloud-based infrastructure," AWS said in a statement following the breach.

The cloud provider's statement clarifying the relationship between Capital One and AWS is a reminder that AWS customers cannot rely solely on the vendor for protection; they need a strong set of cloud security measures of their own.

Take a closer look at how Capital One handled the breach to plan your own cloud security assessment. This analysis of the breach covers the missteps that led to security vulnerabilities and the actions the corporation has taken to recover. Industry analysts weigh in on what other organizations that run on AWS can learn from the incident.

What Capital One did right

Security breaches never cast a favorable light on organizations, especially when information is compromised at the scale of the Capital One hack. But the speed with which Capital One responded has earned the bank some praise.

"Mistakes will be made. It's about how quickly you can recover and respond," said Fernando Montenegro, an information security analyst at 451 Research.

Capital One's response was swift on a number of levels.

The organization initially discovered the breach via a tip sent to Capital One's vulnerability disclosure email inbox. Just 12 days after the email alert, the FBI arrested the alleged hacker. She was later formally charged with wire fraud, as well as computer fraud and abuse. The short timeline between the original report and the FBI arrest suggests that Capital One contacted law enforcement as soon as possible.

Similar to Capital One, organizations should have a breach escalation plan in place so that, in the event of a data leak, time is not wasted deciding the course of action. Set up a plan that details what steps to take and who to contact if a breach is discovered. Consider creating a vulnerability disclosure forum, like Capital One's email inbox, where individuals outside of your organization can report potential threats.

Capital One's team was also quick to determine the source of the hack. They discovered that unauthorized access was obtained through a misconfigured web-application firewall and immediately corrected the misconfiguration. Other organizations on AWS can monitor for misconfigurations within their environments with tools such as AWS Config, CloudTrail and CloudWatch.

In addition to rapid contact with law enforcement and fixing the configuration, Capital One disclosed the details of the incident promptly and thoroughly in a statement on the day of the arrest. The statement exposed the severity of the incident, but it also offered transparency, which could help the bank recover customer trust going forward.

What Capital One did wrong

There were issues within the organization that contributed to the breach. Cloud security experts highlighted two main organizational problems.

First, there was a misconfiguration of a software application that Capital One installed. AWS' shared responsibility model states that customers must secure anything they run in the cloud, which puts the onus of this misconfiguration on Capital One.

Second, Capital One's security team was not aware of unauthorized identities and credentials used to access the AWS Management Console. This lack of awareness allowed the hacker to enter the environment. Organizations that run on AWS should monitor and maintain access control with AWS Identity and Access Management roles and policies.

"You have to know who is accessing the console and what you have in the environment," said Andras Cser, a security analyst at Forrester Research.

Many organizations face issues similar to those of the Capital One and AWS incident because their teams oversee high numbers of workloads.

"People are just too busy and things fall through the cracks," Montenegro said.

Capital One and organizations that want to shore up their defenses against a similar attack need to reassess how security, development and operations teams work together to prioritize data protection.

"For an organization, it is understanding that security responsibility is something that belongs to everybody," Montenegro said. "If you are a cloud developer, security now is your responsibility as well ... the team that is responsible for writing an app is also responsible for running it and is also responsible for securing it."

Stop security shaming

In the aftermath of a breach, we should be mindful when placing blame on the organization or cloud provider, in this case Capital One and AWS, said Fernando Montenegro, security analyst at 451 Research.

Security breaches are a common obstacle of cloud adoption, so being overly critical of organizations that experience a breach is not productive. 

"A problem we have in the security industry is that we often victim shame. Let's be very careful about not doing that here," Montenegro said. "There are opportunities for Capital One to improve some of its security practices … but there was an attacker here and the attacker is to blame. Both teams, Capital One and AWS, are very good at what they do."

Cloud security takeaways from Capital One and AWS' ordeal

The Capital One breach is yet another cautionary tale about the need to bolster cloud security. And while it's impossible to entirely eliminate the chance of a breach, organizations can reduce their exposure with the right overarching practices.

Shift the focus of security from reactive to preventative, Cser said. While Capital One's reaction proves it is important to have a recovery plan in place when incidents occur, organizations should prioritize features and services that minimize the attack surface and decrease the likelihood of a breach. A preventive security approach involves encryption, routine vulnerability checks and uniform configurations deployed via a continuous pipeline and automation practices, Cser explained.

Cloud security also depends on the tools organizations choose. "The cloud makes things even less visible and much more concentrated. So you need to have tools that increase visibility and limit the access," Cser said.

A combination of native AWS and third-party tools is best, Cser advised. Pairing AWS security tools with outside options yields multi-layered security. Architectural choices can also boost security. Update your cloud AWS environment to incorporate newer, baked-in security elements to reduce your security team's workload, Montenegro said.

In addition, security teams can take on an advisory role in which they delegate some security practices to other teams, such as development and operations teams, Montenegro suggested. This collaboration creates a stronger security strategy across the organization.

"The role that security [teams] begins to play is much more an advisory, coaching role rather than an actual player in the field," Montenegro said.

Dig Deeper on AWS infrastructure