A data breach involving AWS S3 buckets strikes again! This time, Capital One joins Facebook as another enterprise to expose the data of over 100 million users.
It would appear that Capital One had a misconfigured Web Application Firewall (WAF) that allowed access to one of their S3 buckets. If there were no systems between the WAF and the S3 bucket, that design flaw may be what exacerbated the misconfiguration.
Ray Watson, cybersecurity researcher, Masergy:
The attacker was a former employee of the web hosting company involved, which is what is often referred to as an insider threat. She allegedly used web application firewall credentials to obtain privilege escalation. Also, the use of Tor and an offshore VPN for obfuscation is commonly seen in similar data breaches.
The good news is that the breach did not compromise credit card numbers or log-in credentials, and, unlike most enterprises that have been in similar situations, Capital One’s incident response team moved rapidly once alerted to the possible breach.
How was the data stolen?
According to Bloomberg, Capital One Financial Corp. said the data was illegally accessed after prosecutors accused a Seattle woman identified by Amazon.com Inc. as one of its former cloud service employees of breaking into the bank’s server.
The charging papers filed by the prosecutors state that the stolen data came from an AWS S3 bucket. Along with the charging papers, the Seattle woman, using the nickname “Erratic”, took to Twitter, where she appeared to brag about finding loads of unsecured data on various Amazon instances:
Notable Recent AWS S3 Bucket Leaks:
- FedEx
- National Credit Federation
- Australian Broadcasting Corporation
- Dow Jones
How do organizations avoid S3 bucket leaks?
In Capital One’s case, a misconfigured firewall led to the exposure of an Amazon S3 bucket. Like S3 buckets, firewalls can only be accessed by users who have explicitly been granted access. S3 buckets, however, by default grant access only to the account owner and the resource creator, so someone has to deliberately misconfigure an S3 bucket to expose its data.
Bloomberg also reported that an AWS spokesman said the stolen data wasn’t accessed through a breach or vulnerability in AWS systems. Amazon has been actively working to help companies avoid breaches caused by misconfiguration. In November 2017, AWS added several new Amazon S3 features to augment data protection and simplify compliance. For example, they made it easier to ensure encryption of all new objects and to monitor and report on their encryption status. AWS also publishes guided approaches to this issue, such as using AWS Config to monitor for, and respond to, S3 buckets that allow public access.
As the most basic first step to avoiding S3 bucket leaks, take advantage of the native AWS capabilities. Always use S3 access policies purposefully to define who can access the objects stored within a bucket. Train your team never to open access to the public unless it is necessary, as doing so can expose PII and other sensitive data. And help prevent unauthorized access to your data by taking advantage of capabilities like AWS Config.
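The three settings those two paragraphs refer to (the bucket policy, the bucket ACL and the account-level Block Public Access switches) can be checked offline once the documents are pulled from AWS. The following audit is an added example, not code from the original post or from DivvyCloud; the bucket name, account ID, role name and sample documents are constructed, and in practice the inputs are what `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block` return.

```python
# Added example (not from the original post or DivvyCloud): offline checks for the three ways an
# S3 bucket becomes public. Inputs mirror get_bucket_policy / get_bucket_acl / get_public_access_block.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _is_public_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone on the internet."""
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def policy_public_statements(policy: dict) -> list:
    """Sids of Allow statements open to everyone and not narrowed by a Condition."""
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and not s.get("Condition")
            and _is_public_principal(s.get("Principal", {}))]

def acl_public_grants(acl: dict) -> list:
    """(group, permission) pairs granted to the AllUsers / AuthenticatedUsers groups."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in acl.get("Grants", []) if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]

def audit_bucket(name: str, policy: dict, acl: dict, pab: dict) -> list:
    """Findings for one bucket; an empty list means no public path was found."""
    findings = []
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append(f"{name}: Block Public Access settings off: {', '.join(missing)}")
    if not pab.get("RestrictPublicBuckets"):  # when on, a public policy is confined to the account
        findings += [f"{name}: policy statement {sid} allows Principal '*'"
                     for sid in policy_public_statements(policy)]
    if not pab.get("IgnorePublicAcls"):  # when on, S3 ignores public ACL grants
        findings += [f"{name}: ACL grants {perm} to {grp}" for grp, perm in acl_public_grants(acl)]
    return findings

# Constructed samples: a leaky bucket, then the same bucket after hardening.
LEAKY_POLICY = {"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"}]}
LEAKY_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
OPEN_PAB = dict.fromkeys(PAB_KEYS, False)
HARDENED_POLICY = {"Statement": [{"Sid": "ExportRoleRead", "Effect": "Allow", "Action": "s3:GetObject",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"}, "Resource": "arn:aws:s3:::customer-exports/*"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}
LOCKED_PAB = dict.fromkeys(PAB_KEYS, True)
```

Running `audit_bucket("customer-exports", LEAKY_POLICY, LEAKY_ACL, OPEN_PAB)` reports all three exposure paths, while the hardened inputs produce no findings; the same functions are what an AWS Config custom rule would evaluate on each configuration change.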
The challenge is that many organizations, especially those in the financial industry, struggle to adopt and enforce best practices consistently, and only 100% consistency can ensure protection against a breach. For financial service organizations to take full advantage of the opportunities public cloud offers, they must ensure that clear cloud governance standards are defined and that they can present evidence of compliance to assessors and auditors. You can read more here about how to ensure cloud security and compliance in the financial services industry, but this is why an investment in cloud operations is a vital additional step.
Invest in Cloud Operations:
Cloud operations, or CloudOps, is the combination of people, processes, and tools that allow organizations to manage and govern cloud services at scale consistently. Key to this is hiring and developing the right people, identifying processes that address the unique operational challenges of cloud services, and the automation of these processes with the right tools. One vital tool in your CloudOps toolkit should be software like DivvyCloud, that monitors and remediates cloud misconfigurations, allowing you to achieve continuous security and compliance at scale.
Watch DivvyCloud’s 60-second video to learn how we help customers like GE, 3M, Autodesk, Discovery, and Fannie Mae stay secure and compliant.
DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources, allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.