Securing the cloud: lessons to draw from major breaches
Sept. 18, 2023

Navigating the digital age brings unique opportunities and challenges for modern businesses. One key challenge lies in maintaining data security, especially as we witness an increasing migration of services to the cloud. While historical data breaches might seem to belong to the past, they still offer valuable lessons for the current cybersecurity landscape.

One significant data breach involved Capital One, a major bank in the United States. The data breach occurred in 2019 due to several cloud-related security misconfigurations, leading to unauthorized access to sensitive customer data. The breach was reported to have resulted in severe reputational damage and considerable financial losses exceeding $190 million.

How do cloud security flaws lead to data breaches?

Several security oversights can lead to a significant data breach, including misconfigured firewalls and a lack of adherence to the principle of least privilege. Recently, many adversaries have exploited application vulnerabilities such as server-side request forgery (“SSRF”) to gain unauthorized access and steal data from cloud environments. Such vulnerabilities can also exist in third-party applications such as on-premises proxy services and firewall appliances.

Furthermore, cloud security incidents are not limited to specific industries or large corporations; they pose potential risks for all businesses, thereby underscoring the importance of robust security measures. The aforementioned Capital One data breach resulted from several exploits chained in sequence by a perpetrator named Paige A. Thompson. The exploits that led to this specific breach involved:

  1. Server-Side Request Forgery: Thompson exploited a server-side request forgery (“SSRF”) vulnerability in a web application firewall used by Capital One. SSRF is a known attack vector in which an attacker tricks a vulnerable application into sending requests on their behalf to internal resources.
  2. API Key Theft: The exact method used to access the backups and other sensitive information was not publicly disclosed. However, it is speculated that Thompson could have tricked the firewall into sending requests to the Amazon Web Services (“AWS”) Elastic Compute Cloud (“EC2”) metadata service (“IMDSv1”). The EC2 metadata service allows applications running on an EC2 instance to retrieve information about the instance, including its security credentials, with a plain HTTP GET request and without needing to authenticate.
  3. Lack of Least Privilege: Capital One could have prevented the attacker from accessing sensitive data by limiting the permissions of applications and users to the level necessary for their role. In this case, the attacker could access the service storing the unencrypted backups because the credentials they had obtained belonged to an account with elevated privileges.
  4. Unencrypted Backups: Thompson used the access provided by the SSRF vulnerability to steal Capital One's unencrypted data backups. In general, companies take standard precautions to protect data in transit and monitor data actively used in databases. However, an easy blind spot is the routine backup of datasets. Backups are often stored in a common service, such as Amazon S3, to which applications have privileged access. If sensitive data is accessed without proper authorization, a data breach occurs, so it is essential to encrypt the backups as well to prevent this from happening.
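A defender-side check for the credential-theft step in that chain, added here as an example and not part of the original article: credentials issued by IMDS to an instance profile carry the instance ID as the role session name, so a CloudTrail record where such a session calls S3 from an IP that is not the instance itself is the trace this kind of theft leaves behind. The event records and the instance-to-IP map below are constructed; in a real deployment the map would come from `ec2.describe_instances()`.

```python
import re

# Constructed CloudTrail records (not real logs), reduced to the fields used here.
# For instance-profile credentials AWS sets the role session name to the instance
# ID, so the assumed-role ARN ends in ".../RoleName/i-...".
SAMPLE_EVENTS = [
    {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/WafRole/i-0abc0000000000001"}},
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/WafRole/i-0abc0000000000001"}},
    {"eventName": "GetObject", "sourceIPAddress": "s3.amazonaws.com",  # AWS service call
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/WafRole/i-0abc0000000000001"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]

# Assumption: instance ID -> the public IPs that instance is known to use, built
# from ec2.describe_instances() in a real deployment (values constructed here).
KNOWN_INSTANCE_IPS = {"i-0abc0000000000001": {"198.51.100.20"}}

INSTANCE_SESSION_RE = re.compile(r":assumed-role/([^/]+)/(i-[0-9a-f]+)$")


def flag_instance_credential_misuse(events, known_ips):
    """Return alerts for calls made with an instance role's credentials from an IP
    that is not the instance itself: the pattern left behind when credentials are
    read from IMDS via SSRF and replayed from somewhere else."""
    alerts = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        match = INSTANCE_SESSION_RE.search(ident.get("arn", ""))
        if not match:
            continue  # session name is not an instance ID: not instance-profile credentials
        role, instance_id = match.groups()
        src = ev.get("sourceIPAddress", "")
        if src.endswith(".amazonaws.com"):
            continue  # call issued by an AWS service on the instance's behalf
        if src not in known_ips.get(instance_id, set()):
            alerts.append({"instance": instance_id, "role": role,
                           "event": ev.get("eventName"), "source_ip": src})
    return alerts
```

Instances behind a NAT gateway share its public IP, so the map should list the NAT address rather than the instance's own; otherwise every legitimate call is flagged.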

These types of incidents can happen to any company, regardless of size or industry. Avoiding such breaches is the reason for defense in depth, including regular security audits, proper configuration of security systems, and effective incident response plans.

How could this data breach be prevented?

Encrypt backups: The breach could have been mitigated by encrypting the backups stored on S3, preventing the exposure of sensitive data. Using server-side encryption with customer-managed keys can prevent unauthorized access to sensitive data in backups.

Prevent privilege escalation: To prevent privilege escalation, implement measures such as role-based access control and multi-factor authentication (“MFA”) to prevent access to sensitive data within S3. Limiting access to sensitive systems and data makes it more difficult for attackers to gain access, even if they could exploit multiple vulnerabilities in one system.

Prevent SSRF in the WAF: To mitigate the risk of SSRF, implement measures such as validating user input by using an allowlist of specific endpoints and preventing access to the EC2 instance’s local host or metadata service. In addition, if the Web Application Firewall (“WAF”) is from a third-party provider, maintain the most up-to-date version of the service.
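One way to implement the allowlist check described above, added here as an example and not the article's or any vendor's code: outbound fetches are limited to an explicit hostname allowlist (the hosts below are hypothetical), literal IP addresses are refused outright, and the addresses the hostname resolves to are checked so that nothing in the loopback, link-local (where the EC2 metadata address 169.254.169.254 lives) or private ranges is ever contacted.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist: the only upstream hosts this application may fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def is_forbidden_ip(addr: str) -> bool:
    """True for addresses a server must never be coaxed into requesting: loopback,
    link-local (contains the EC2 metadata address 169.254.169.254), RFC 1918 and
    unique-local, multicast, reserved and unspecified."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def default_resolver(host: str) -> list[str]:
    """Resolve a hostname to its addresses (needs network; injectable for tests)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url: str, resolver=default_resolver) -> tuple[bool, str]:
    """Decide whether the server may fetch `url` on a user's behalf.

    Policy: https only, no embedded credentials, no literal IP addresses, the
    hostname must be on the allowlist, and every address it resolves to must be
    public.  The HTTP client must also disable redirects (or re-run this check on
    each hop), since an allowed host could redirect to the metadata service."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "only https is allowed"
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials (user@host trick)"
    try:
        ipaddress.ip_address(host)
        return False, "literal IP addresses are not allowed"
    except ValueError:
        pass  # not a literal IP: treat as a hostname
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} is not on the allowlist"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "DNS resolution failed"
    for addr in addrs:
        if is_forbidden_ip(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

To defeat DNS rebinding, the HTTP client should connect to the address this check validated rather than resolving the name a second time.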

Migrate to IMDSv2: To prevent exploitation of IMDSv1 using SSRF, disable IMDSv1 and migrate to IMDSv2, which offers additional security measures such as enhanced access control and metadata encryption.
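An audit that checks two of the recommendations above, encrypted backups and IMDSv2, against API output, added here as an example and not code from the article: an instance is flagged when its metadata options do not set `HttpTokens` to `required` (the setting that turns IMDSv1 off), and a bucket is flagged when its default encryption is missing, is SSE-S3 rather than SSE-KMS, or uses the AWS-managed key instead of a customer-managed one. The `describe_instances` and `get_bucket_encryption` responses below are constructed in the shape boto3 returns; the instance IDs and key ARN are placeholders.

```python
# Constructed sample of ec2.describe_instances()["Reservations"], trimmed to the
# fields the audit reads (instance IDs are made up).
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa0000000000001",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0bbb0000000000002",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0ccc0000000000003",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]}]

# Constructed sample of s3.get_bucket_encryption()["ServerSideEncryptionConfiguration"]
# per bucket; None models a bucket with no default encryption rule at all.
SAMPLE_BUCKET_ENCRYPTION = {
    "backups-prod": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}}]},
    "backups-legacy": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "exports-adhoc": None,
}


def audit_imds(reservations):
    """Flag instances whose metadata service still answers unauthenticated (IMDSv1) GETs."""
    findings = []
    for reservation in reservations:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no metadata endpoint at all: nothing for SSRF to reach
            if opts.get("HttpTokens") != "required":
                findings.append((inst["InstanceId"], "IMDSv1 enabled: HttpTokens is not 'required'"))
    return findings


def audit_backup_encryption(bucket_encryption):
    """Flag buckets not encrypted with SSE-KMS under a customer-managed key. SSE-S3
    is transparent to anyone who can read the object; SSE-KMS with a customer-managed
    key adds a kms:Decrypt check whose key policy can exclude a stolen instance role."""
    findings = []
    for name, cfg in bucket_encryption.items():
        if not cfg:
            findings.append((name, "no default encryption configured"))
            continue
        for rule in cfg.get("Rules", []):
            default = rule.get("ApplyServerSideEncryptionByDefault", {})
            if default.get("SSEAlgorithm") != "aws:kms":
                findings.append((name, f"default encryption is {default.get('SSEAlgorithm') or 'none'}, not SSE-KMS"))
            elif not default.get("KMSMasterKeyID"):
                findings.append((name, "SSE-KMS with the AWS-managed key, not a customer-managed key"))
    return findings
```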

Regularly review and update security controls: Regularly reviewing and updating current security controls ensures they are up-to-date and effective in preventing breaches. This process could include regular security assessments, penetration testing, and vulnerability scanning.

Implement a comprehensive incident response plan: A comprehensive incident response plan can help minimize the impact of a data breach by quickly identifying and containing the incident, notifying customers, and working with law enforcement. Regularly testing and updating the incident response plan will also ensure it responds effectively to a breach.

Conclusion

Past data breaches are potent reminders of the need for robust cybersecurity measures. Moreover, as more businesses transition to the cloud, understanding and implementing a shared-security model becomes more critical.

As a cybersecurity consulting company, we understand the importance of safeguarding your business and customers from potential data breaches. If your business seeks to strengthen its cybersecurity measures, don't hesitate to contact Certus Cybersecurity for a consultation.

About the Author

Kenneth Kasuba is a Senior Security Engineer with Certus Cybersecurity and an accomplished professional in testing web applications and APIs, auditing cloud environments such as GCP, Azure, and AWS, conducting in-depth code reviews in Python, JavaScript, PHP, Go, C/C++, Java, and C#, threat modeling, and Linux administration, with in-depth DevSecOps experience encompassing Docker and Kubernetes, Lambda, ECS, EKS, ECR, and more.
