July of 2019 must have been a stressful month for Capital One’s IT team. During that fateful month an employee of the respected bank uncovered the massive ongoing theft of customer data, and though the exploit was a simple fix, the damage to Capital One was already extensive. A misconfigured setting in its cloud was quietly exploited from 2005 to 2019 by one sneaky hacker, and the firm overnight found itself dealing with the leaked financial data of over 100 million American and Canadian customers, up for sale to dark web buyers.
From a security perspective, the Capital One breach is a telling example of the power that companies have over our data, and their responsibility to remain compliant. It’s also reminiscent of 2019, when cloud misconfiguration breaches rose by 80%. A single configuration mishap – most likely no more than an employee forgetting to toggle an option in their cloud app or tweak an easy-to-miss setting – compromised millions of people across the continent for well over a decade.
Another sobering aspect of Capital One’s breach is how relevant the tale still is for companies. In a press release about the incident, the bank shed light on how simple, common, and generally unremarkable attacks of this nature can be. Though this was likely meant to play down the idea that Capital One was unique in its weakness (and it isn’t), it also inadvertently sent up one of the first flares to an industry that is only now beginning to understand the devastation that cloud misconfiguration mistakes can cause.
Misconfiguration: When the Vulnerability is You
After a year rampant with enterprise data breaches due to unsecured clouds, the industry’s bellwether – the Cloud Security Alliance – finally named Misconfiguration and Inadequate Change Control as 2021’s most dangerous IT threat. Misconfiguration happens when resources and computing assets are set up incorrectly or not at all, which can create gaps where hackers get in and steal or inject data. In other words, the biggest authority on cloud security has just admitted that human error is our biggest enemy.
Errors in cloud resource management are quickly becoming a top priority for IT decision makers, with recent data showing that 62% of them see misconfiguration as their firm’s biggest compliance risk. This is hardly surprising, because many of these IT professionals likely don’t know whether their configurations are airtight. A parallel survey of the industry showed that a worrisome majority of enterprise IT managers are unable to tell whether misconfiguration or excessive access to cloud resources is occurring in their networks. This hits at the heart of the issue: the business world’s recent move to the cloud, and to remote work, has obstructed network visibility to the point of opacity.
The acceleration of remote work thanks to COVID-19 puts a strain on computing resources and networks worldwide, and IT teams are still trying to catch up. An overwhelmed IT department, concentrating on spinning up new resources, providing access to onboarded users, and orchestrating a stack of security tools has little time to spare for configuration. But they must, and thankfully, doing so is easier than it once was.
A Quick Win for Configuration
One of the most common misconfiguration mistakes is simply leaving a piece of unencrypted data exposed to the internet. A hacker will typically stumble across it and realize that somewhere, the person responsible forgot to set up the authentication or authorization required for access. From there, hackers often have surprising freedom to move laterally within the network, since other information is likely exposed in the same way.
Configuration mishaps occur on an app-by-app basis and are unique to the company trying to solve them, because no two companies have the same hardware, software, or business flows. In a typical environment, for example, a configuration audit may turn up:
- Network segments without dedicated access rules
- Access permissions without assigned IdP roles
- Misconfigured inbound and outbound security ports
- Multi-factor authentication not enabled for a sensitive asset
- SIEM encryption left disabled
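To make the audit findings above concrete, here is an added example (not code from the original article or from any vendor it describes) of a small configuration-audit checker. It runs over a constructed inventory of cloud resources, modelled as plain dictionaries rather than live cloud API calls, and flags each of the five finding types listed above plus the exposed unencrypted storage case from the previous paragraph. The inventory fields (`public`, `encrypted`, `access_rules`, `mfa`, `roles`, and so on) and the list of sensitive ports are assumptions chosen for the example.

```python
"""Toy configuration audit over a constructed cloud resource inventory."""
from dataclasses import dataclass

# Constructed sample inventory (assumed schema; not real infrastructure).
INVENTORY = {
    "storage": [
        {"name": "customer-exports", "public": True, "encrypted": False},
        {"name": "app-logs", "public": False, "encrypted": True},
    ],
    "segments": [
        {"name": "corp-lan", "access_rules": []},
        {"name": "dmz", "access_rules": ["allow-web-from-internet"]},
    ],
    "security_groups": [
        {"name": "db-sg", "rules": [
            {"direction": "inbound", "port": 5432, "cidr": "0.0.0.0/0"}]},
        {"name": "web-sg", "rules": [
            {"direction": "inbound", "port": 443, "cidr": "0.0.0.0/0"}]},
    ],
    "users": [
        {"name": "alice", "mfa": True, "roles": ["admin"]},
        {"name": "svc-backup", "mfa": False, "roles": []},
    ],
    "siem": {"encryption": False},
}

# Ports that should never be reachable from the whole internet (assumed list).
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432}
ANYWHERE = "0.0.0.0/0"


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    resource: str   # name of the offending resource
    issue: str      # short description for the dashboard


def audit(inventory):
    """Return a list of Finding objects for every misconfiguration detected."""
    findings = []

    # Exposed data: public access is bad, public and unencrypted is worse.
    for bucket in inventory.get("storage", []):
        if bucket["public"] and not bucket["encrypted"]:
            findings.append(Finding("high", bucket["name"],
                                    "publicly readable and unencrypted"))
        elif bucket["public"]:
            findings.append(Finding("high", bucket["name"], "publicly readable"))
        elif not bucket["encrypted"]:
            findings.append(Finding("medium", bucket["name"], "not encrypted at rest"))

    # Network segments without any dedicated access rule.
    for seg in inventory.get("segments", []):
        if not seg["access_rules"]:
            findings.append(Finding("medium", seg["name"], "no dedicated access rules"))

    # Security groups exposing sensitive ports to the whole internet.
    for sg in inventory.get("security_groups", []):
        for rule in sg["rules"]:
            if (rule["direction"] == "inbound" and rule["cidr"] == ANYWHERE
                    and rule["port"] in SENSITIVE_PORTS):
                findings.append(Finding("high", sg["name"],
                                        f"port {rule['port']} open to {ANYWHERE}"))

    # Identities: missing MFA, and permissions with no IdP role attached.
    for user in inventory.get("users", []):
        if not user["mfa"]:
            findings.append(Finding("medium", user["name"], "MFA not enabled"))
        if not user["roles"]:
            findings.append(Finding("medium", user["name"],
                                    "access without an assigned IdP role"))

    # Monitoring pipeline itself: SIEM encryption left disabled.
    siem = inventory.get("siem")
    if siem is not None and not siem.get("encryption", False):
        findings.append(Finding("medium", "siem", "encryption disabled"))

    # Highest severity first so the dashboard shows the worst items at the top.
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f.severity], f.resource))


def count_by_severity(findings):
    """Summarise findings as {severity: count} for a quick dashboard tile."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"[{f.severity.upper():6}] {f.resource}: {f.issue}")
    print(count_by_severity(audit(INVENTORY)))
```

The checks are deliberately simple boolean rules; the point is that each item on the audit list above maps to a mechanical test that can be rerun on every change, which is exactly what a central dashboard would do continuously. Note that `web-sg` exposing port 443 to the internet is not flagged, since a public web port is expected, while the same exposure of a database port is.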
Each of these has the potential to open a wide avenue into the network for hackers, and each varies by application. For any company, one way to stay on top of all these configurations is to intimately understand the stack, configure each product securely from within, and repeat this process for every user and resource – which is not practical. A better way is to layer a solution on top of your corporate resources in order to gain central visibility and control. If IT is given a single dashboard where they can manage access and traffic across resources, they will be equipped to react more quickly than Capital One did.
Because misconfigurations are the “silent killer” of the remote work era, it’s crucial to be on high alert for any sign of them. Common misconfiguration errors in cloud resources often expand and advance the attacker workflow in real time, so real-time threat monitoring is vital given the scale and breadth of cloud solutions. Equally important is the ability of a security product to integrate across on-prem and cloud environments, so that hybrid-cloud models can enjoy the same level of network visibility. With cloud-friendly network security, companies can easily filter out the noise, gain instant control, and respond rapidly when risks are detected.
Adoption of the cloud and reliance on applications rather than on-premises solutions is a healthy trend for companies, but too many of them neglect the Shared Responsibility Model for security when they make the move. Companies that want to take advantage of the cloud must do security due diligence on their end and take ownership of the responsibilities that only they can control: things like user access, encryption, monitoring, configuration, and education. If they can manage this, cloud migrations can be done confidently and with continuity in mind.