With 100 million Capital One customers impacted, it is worth taking a closer look at the 2019 Capital One data breach and web application security. According to CNN, the breach was carried out by a former Amazon Web Services (AWS) employee who exploited a misconfigured web application firewall (WAF) to gain access to customer data.
Web Applications Firewalls
Web applications allow websites to function and add useful features. They are what allows you to log into your Capital One account online to view and manage your accounts, access your medical information on your health providers’ websites, or purchase movie tickets online. Our wired society is dependent upon them.
These web applications are software code running on servers, and that code can be exploited by hackers. As vulnerable code is identified, the software development and cybersecurity communities are notified through databases such as the one maintained by Mitre, which compiles and tracks these Common Vulnerabilities and Exploits (CVEs). Software patches may be developed, but the process is time-consuming and resource-intensive.
The first line of defense is the Web Application Firewall (WAF), which acts something like a traffic cop, monitoring and screening the traffic that visits a website. A well-configured, state-of-the-art WAF can protect a website from the majority, but not all, of known CVEs. However, as WAF security is tightened, some desirable traffic gets stopped as well, so those controls are often relaxed in favor of the ongoing conduct of business: we do not want to prevent patients from accessing their health information or scheduling appointments with their providers, and we do not want to lock customers out of their financial data or stop them from buying a movie ticket.
The Capital One Data Breach
Capital One was breached by a command that extracted files from a Capital One directory stored on AWS servers. This was possible because the WAF had been assigned permissions that allowed it to list the files Capital One kept on the AWS service. This type of attack is known as a “Server-Side Request Forgery” (SSRF). Evan Johnson has written a more detailed explanation of how such an attack works, along with his thoughts on how to protect against it.
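To make the SSRF point concrete from the defender's side, here is an added example (written for this article, not code from Capital One, AWS, Evan Johnson or Virtis) of the check a web application should run before it fetches a URL on a user's behalf. SSRF works because a server-side component is talked into making a request to an address it should never reach; the guard below resolves the target host and refuses anything that is not a public unicast address (loopback, private, link-local, multicast or reserved ranges are all rejected). The function names, the allowed-scheme set and the fake DNS answers are assumptions constructed for the example so it runs offline.

```python
"""Added example: an outbound URL guard against Server-Side Request Forgery.

Illustrative code written for this article; it is not Capital One's, AWS's,
or Virtis's code. It assumes a web application that fetches a user-supplied
URL server-side and shows the defensive check to run before that fetch.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: only plain web fetches are legitimate for this application.
ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def resolve_host(host: str, resolver=socket.getaddrinfo) -> list[str]:
    """Return every address the host resolves to.

    The resolver is injectable so the check can be exercised offline with
    constructed answers; in production the default (real DNS) is used.
    """
    try:
        # A literal IP (including a bare IPv6 from urlsplit) needs no DNS.
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    try:
        results = resolver(host, None)
    except socket.gaierror:
        return []
    return sorted({r[4][0] for r in results})


def check_outbound_url(url: str, resolver=socket.getaddrinfo) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL the server is asked to fetch.

    Every address the host resolves to must be public; a name that maps to
    even one internal address is rejected, which covers DNS answers that mix
    public and internal records.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    addrs = resolve_host(host, resolver)
    if not addrs:
        return False, f"host does not resolve: {host!r}"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


# Constructed DNS answers so the example runs without network access.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "169.254.1.1"],
}


def fake_resolver(host, port, *args, **kwargs):
    """Stand-in for socket.getaddrinfo that answers from FAKE_DNS."""
    if host not in FAKE_DNS:
        raise socket.gaierror(host)
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, 0))
            for a in FAKE_DNS[host]]


if __name__ == "__main__":
    samples = [
        "https://example.com/report",   # public host: allowed
        "http://internal.corp/admin",   # private range: rejected
        "http://169.254.1.1/",          # link-local literal: rejected
        "http://[::1]/",                # IPv6 loopback: rejected
        "file:///etc/passwd",           # non-web scheme: rejected
        "http://mixed.example/",        # one internal record: rejected
    ]
    for url in samples:
        print(url, "->", check_outbound_url(url, fake_resolver))
```

Two caveats a practitioner will want: the fetch that follows must connect to the address that was checked rather than resolving the name a second time, otherwise a DNS answer that changes between check and connect defeats the guard; and any HTTP redirect the fetch follows has to be passed back through `check_outbound_url` before it is followed. The address-range test complements a WAF rather than replacing it, since it sits inside the application where the WAF cannot see what the server is about to request.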
Shielding Vulnerable Web Applications
Vulnerable web applications, like the one that led to the Capital One data breach, can also be protected through the Virtis Vi shielding technology, a service we began offering our clients just this year. Websites are now under constant attack; hackers have access to the same information about CVEs that everyone else has, and it is frighteningly easy to scan websites for the presence of vulnerable code. Exploiting those vulnerabilities takes little time compared to the time and cost of re-coding the application.
The shielding technology does not “fix” these vulnerabilities, but it can protect against 100% of known CVEs, providing either the safety to re-write the code under the protection of a shield or a permanent “fix” if re-coding is not a viable option. Let us share more with you. You can Schedule a Demonstration Today.