Vulnerabilities, Security Control, Security, Security Awareness
If an amateur hacker could bring down a Fortune 500 company, how can your company hope to avoid the same fate? Take heart - from what we know at this point, it seems that Capital One overlooked some very obvious safeguards and there are a number of lessons to be learned. In fact, almost every breach is like an airplane crash in that each is usually caused by a series of cascading issues, as opposed to one single mistake. Capital One had multiple opportunities to catch the very basic problem with its firewall configuration. Believe it or not, some simplesafeguards could have averted the entire hack. Here are some takeaways that we know from the Capital One breach. You’ll want to be sure you aren’t making any of the same mistakes:
1) Not being proactive - It’s important to point out that neither Capital One nor AWS discovered the very basic problem with the firewall. “Do - gooders” raised the alarm when they saw info on GitHub. These independent people are the ones that blew all the whistles so that this breach was discovered and before it got worse than it already is. This is yet another argument in support of using an external source (like a crowdsourced group or a company that specializes in finding bugs) to find potential weaknesses. For example, from what we’ve heard so far, Capital One’s firewall issue was very basic — far too basic to have escaped detection through any service.
2) Not doing (enough) due diligence - There’s nothing wrong with using a cloud - based service, for instance, Capital One used AWS. But you have to remember that you have less control than you do in - house. It’s often difficult for users of cloud - based services to delineate where your company’s responsibilities fall, as opposed to your vendor’s. An outside assessor who doesn’t work for either company can help find any “gaps.”
3) Not having a good crisis plan in place – We don’t know if Capital One ran through standard tabletop exercises, but we do know that they seemed very unprepared to react to this breach. Instead of addressing the situation head - on, they minimized the situation in a press release, so word spread and anger multiplied via social media. This situation is easily avoided if your company runs through some scenarios via tabletop exercises.
4) Misrepresenting the situation – Capital One released a statement saying that hacker was “very sophisticated.” In fact, she made some very amateur mistakes, so this statement throws Capital One's credibility into question. No sophisticated hacker would have posted their hacks on social media. Capital One also said “No social security numbers were compromised” but further down in the same released clarified that 140k were compromised. While it may be painful to admit mistakes, it actually makes your company seem more credible in the long run (and it’s a great opportunity to show how you’re rectifying the issues).
5) Not protecting their customers – Aside from the actual breach, Capital One’s customers are now vulnerable to con artists who will now try to prey on scared customers to give info via the web or phone in order to “remedy” the situation. Capital One also offered free credit monitoring when, in our opinion, that
gives a false sense of reassurance. If customers are further compromised, Capital One’s reputation will take an even greater hit.
If you have an account with Capital One and you think your data may have been breached, we recommend that you immediately freeze your credit for at least six months. Better yet, leave it frozen all the time except when you’re attempting to apply for a major loan.
If you have further questions, please contact us or call 888-TO-CADRE. We’re happy to discuss any concerns or issues with you.
