capital one
Cybersecurity Editor's Choice Latest News

Capital One Hack – The Industry Reacts

Over 100 million people affected in Capital One’s breach, 147 million in Equifax – two of the biggest in an ever-growing line-up of attacks through web application firewalls that are used to protect consumer-facing apps. Here, Eyal Wachsman, CEO of Cymulate and Will LaSala of OneSpan share their insights…

Eyal Wachsman, CEO of Cymulate, believes the problem lies in the failure to make minor configuration improvements which leads to catastrophic consequences. For Equifax, that cost is now estimated at $1.4B;
“When not configured properly, attackers may be able to perform SQL injections, arbitrary command injections and other attacks such as xss. When successful, these attacks enable threat actors to bypass the WAF reaching the applications back-end server or dumping the database of the application. With Capital One, the misconfiguration enabled the attacker to use three commands to access, list and copy or sync the folders. If configured properly the WAF would have blocked these commands.”
“With Capital One, the misconfiguration enabled the attacker to use three commands to access, list and copy or sync the folders. If configured properly the WAF would have blocked these commands.” – Eyal Wachsman

Will LaSala, Director Security Solutions, Security Evangelist, OneSpan added;

“Systems and network engineers have access to all kinds of personal data in most systems, and it only takes one bad actor to shine light on a huge potential security hole. In most organisations, the people that develop and code the systems have access to underlying controls that can be modified to meet a malicious insider’s nefarious needs.

Having proper DevSecOps, processes and procedures in place will help organisations analyse what is happening and detect the necessary actions to stop bad actors in their tracks, before they can cause huge damage. But processes alone are sometimes not enough, and this is  where technologies that automatically harden backend and client side systems can help organisations face insider attacks head on.”

And in case anyone had forgotten, here’s what Capital One’s CEO, Richard D. Fairbank, had to say by way of contrition;

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened… I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right.”

To (liberally) paraphrase a line by poet John Clare;

“O words are poor receipts for what hackers hath stole away”

Please follow and like us:
error

Related posts

HR Calling: A Decentralised Professional Passport

thefintechtimes

The Financial Sector Must Embrace Transparency in Artificial Intelligence to Ensure Fairness

The Fintech Times

Why is Divido the Top-rated Point of Sale Retail Finance Company on Trustpilot?

thefintechtimes
error

Enjoy this blog? Please spread the word :)