
WAF Is Good — But It’s Not Enough

Rob Cuddy · Published in AppScan · 3 min read · Aug 1, 2019

Another day, another breach. Just this past Monday, Capital One Financial Corporation announced a breach from an outside individual concerning the personal data of over 100 million people in the United States and another 6 million in Canada.

The good news is that Capital One was able to very quickly fix the configuration problem once it was discovered, and the FBI has made an arrest of the person they believe to be responsible.

The bad news is how the hack occurred. A Wired.com article states the hacker “… allegedly exploited a misconfigured firewall to access a Capital One cloud repository and exfiltrate data sometime in March.” The actual compromise occurred in March of 2019, and, according to the same article, Capital One started investigating the breach when an anonymous tip about possible data loss was sent to them on July 17. The breach was confirmed on July 19 and the FBI was contacted.

And the impact of all this? According to the same announcement, Capital One estimates it will cost them between $100 and $150 million in 2019 alone.

This incident got me thinking though about how much Capital One was really at risk, once someone was able to get past the firewall — and how this dilemma is also a reality for many other organizations. A lot of time, energy and effort is spent on building and maintaining a strong firewall — a perimeter if you will — but after that, how much time, energy and effort is available for securing what is inside it? Now don’t get me wrong, Web Application Firewalls, or WAFs, are a great tool, but they are really only as good as the policies that are configured for them. In cybersecurity today, you simply cannot rely on protecting the perimeter of an application and assume that everything inside the app is safe from attack. You must protect inside the perimeter too. For more about why this is so important check out this recent blog.

This latest incident, and others like it, underscore the need for a comprehensive application security program as part of your cybersecurity strategy, and why having one is so beneficial. What if the Capital One applications affected after the firewall was breached had been able to detect and deal with abnormal behavior like large data download attempts to external locations? Or what if those applications had been able to detect the firewall misconfiguration and alert administrators, or even better, reconfigure the firewall to a proper state?

The message is simple: if you are a developer of applications, take time to assess your current application security posture. Do you scan on a consistent basis? If yes, what kinds of scans are you doing? If no, then that would be a great starting point. What kinds of approaches are used to search for potential problems? How are issues resolved? Are production applications proactively scanned to ensure they are not exposed to newly disclosed vulnerabilities? Are you able to take advantage of cognitive capabilities, AI and machine learning practices to aid in remediation? Finally, can you quantify what your actual application risk score is?

The increase in application security you add today might be the robust protection that makes the difference tomorrow if/when your firewall is breached. For more information on getting started with application security, visit our site or feel free to comment below.

Rob Cuddy, Global Application Security Evangelist for AppScan, HCL Technologies

Photo shown with permission, courtesy Steven Depolo via Flickr, Creative Commons license — https://www.flickr.com/photos/stevendepolo/24718203241

Originally published at https://medium.com on August 1, 2019.
