Capital One’s recent data breach is only the latest in the perennial series of high-profile data breaches that have occurred in the last few years. What do Equifax, Home Depot, Target, and others have in common? Great security programs with high-quality and competent people running them.
These companies experienced data breaches despite putting forth their best efforts and spending millions of dollars every year on information security. If they are still susceptible to breaches, what does that mean for the rest of us?
Fugue.co released a great blog post (here) about possible ways that the Capital One data breach occurred, and it highlights just how difficult it is to truly secure the modern enterprise. The longer a company is around, the more difficult it is to understand everything that needs to be protected and where vulnerabilities exist.
This is due to a lack of maintenance on legacy systems, system upgrades, unpatched vulnerabilities, turnover in personnel, not to mention lost tribal knowledge, a lack of discipline, speed-to-market concerns prioritized over security investment, budgetary constraints – the list goes on.
As an aside, to highlight the point that compliance does not ensure security, neither a SOC 2 report, ISO 27001 certification, nor most other compliance frameworks would have addressed the root causes for what brought about Capital One’s data breach – I’m personally sure Capital One is compliant with everything, but a breach still occurred.
So how can we prevent data breaches?
The short answer is that we cannot prevent all data breaches from occurring – there are real adversaries out in the world, and we cannot always account for the ingenious ways they find to discover and exploit vulnerabilities in systems.
However, in helping companies build and maintain quality security programs, we do recommend some basic house-keeping actions that ALL companies should be taking and that can drastically reduce the risk of a data breach occurring.
One of these items that all companies should be doing on a recurring basis is penetration testing. While penetration testing done at Capital One did not prevent their data breach, in many cases, penetration testing is the element of a comprehensive security program that COULD identify the issues that may have led to this particular breach.
For more information on penetration testing, red teaming, and other types of offensive and preventative security engagements, download my colleague Ryan Basden’s white paper here.
As Fugue.co points out, the likely vulnerability that was exploited at Capital One was a misconfiguration in their Amazon Web Services (AWS) environment. How many companies are on AWS today? AWS and other cloud providers are the modern IT infrastructure on which high-growth technology companies are built. How many AWS environments out there are misconfigured? Probably more than we think.
While penetration testing (and vulnerability scanning as an element of that) will definitely not solve all your problems, it is a key component of a robust and ongoing security program and has the potential to identify misconfigurations in your cloud environment.
Are all Penetration Tests Created Equal?
That sub-header is a leading question, and the answer is a definite, ‘No!’ There is much confusion in the penetration test market as to what is considered a penetration test vs. a vulnerability scan and what the threshold and attributes are for each. I will defer to Ryan’s white paper on the nuances, but it suffices to say that any penetration test of a cloud environment should also consider the risk of misconfigurations in the cloud environment.
While vulnerability scanning as an element of a penetration testing engagement may identify some of these misconfigurations, it is absolutely not a substitute for an experienced penetration tester who can actually check for common misconfigurations in the cloud environment and validate that the windows are closed, the doors are locked, and the right people have the appropriate access to the house.
It is definitely worth understanding what you are getting as part of a penetration test engagement to ensure you are not being sold a vulnerability scan (highly automated) marketed as a penetration test – ensure that your penetration test includes manual testing for common misconfigurations!
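The "windows closed, doors locked, right people with the right access" checks above map onto three concrete questions for an AWS environment: is any storage bucket readable by anyone, are management ports open to the whole internet, and does any policy grant every action on every resource? The script below is an added illustration, not code from this post or from Fugue.co, of the kind of manual-review logic a tester applies; it runs over a constructed, simplified configuration export (placeholder bucket, security group and policy names, and a document layout that is assumed rather than taken from any AWS API) and returns the misconfigurations it finds.

```python
import json

# Constructed sample configuration (not real data). The layout is an assumed
# simplification: bucket policies, security-group ingress rules and IAM policies
# keyed by placeholder names, each in the usual JSON policy/rule shape.
SAMPLE_CONFIG = {
    "s3_bucket_policies": {
        "example-public-assets": {
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-public-assets/*"}
            ],
        },
        "example-internal-data": {
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
                 "Action": ["s3:GetObject", "s3:PutObject"],
                 "Resource": "arn:aws:s3:::example-internal-data/*"}
            ],
        },
    },
    "security_groups": {
        "sg-example-web": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        ],
        "sg-example-db": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "CidrIp": "10.0.0.0/8"},
        ],
    },
    "iam_policies": {
        "ExampleAdminEverywhere": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
        },
        "ExampleReadOneBucket": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::example-internal-data/*"}],
        },
    },
}

MANAGEMENT_PORTS = {22, 3389}          # SSH and RDP: never world-reachable
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    """True when the statement applies to anyone ('*' or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def check_bucket_policies(policies):
    """Doors locked: flag Allow statements open to any principal, unconditionally."""
    findings = []
    for name, policy in policies.items():
        for st in policy.get("Statement", []):
            if st.get("Effect") != "Allow":
                continue
            if _is_public_principal(st.get("Principal")) and "Condition" not in st:
                findings.append({"kind": "s3", "name": name,
                                 "issue": "bucket policy allows any principal without conditions"})
    return findings


def check_security_groups(groups):
    """Windows closed: flag internet-wide ingress on all ports or management ports."""
    findings = []
    for name, rules in groups.items():
        for rule in rules:
            if rule.get("CidrIp") != ANY_IPV4 and rule.get("CidrIpv6") != ANY_IPV6:
                continue                      # not exposed to the whole internet
            if rule.get("IpProtocol") == "-1":
                findings.append({"kind": "security_group", "name": name,
                                 "issue": "all protocols and ports open to the internet"})
                continue
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            if lo is None or hi is None:
                continue
            exposed = sorted(p for p in MANAGEMENT_PORTS if lo <= p <= hi)
            if exposed:
                findings.append({"kind": "security_group", "name": name,
                                 "issue": f"management port(s) {exposed} open to the internet"})
    return findings


def check_iam_policies(policies):
    """Right people, right access: flag Allow on every action over every resource."""
    findings = []
    for name, policy in policies.items():
        for st in policy.get("Statement", []):
            if st.get("Effect") != "Allow":
                continue
            if "*" in _as_list(st.get("Action", [])) and "*" in _as_list(st.get("Resource", [])):
                findings.append({"kind": "iam", "name": name,
                                 "issue": "wildcard action on wildcard resource"})
    return findings


def audit(config):
    """Run all three checks over one configuration export and return the findings."""
    return (check_bucket_policies(config.get("s3_bucket_policies", {}))
            + check_security_groups(config.get("security_groups", {}))
            + check_iam_policies(config.get("iam_policies", {})))


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CONFIG), indent=2))
```

Each rule is deliberately narrow: a public bucket policy with a Condition block, or a security-group rule scoped to an internal range, is not flagged, which is why a tester reads the findings alongside the configuration rather than treating the script's output as the report.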
Even after doing everything right, your environment may still be exposed in a way that is unforeseen and unanticipated. A data breach not only results in bad PR, but also shakes the trust and confidence of clients, partners, and consumers. Everyone wants someone to blame, other than the bad guy, and often it is the well-meaning and dedicated members of the affected company that take the brunt of the backlash.
Security is, and will continue to be, the great challenge of the modern business climate, and effective security requires constant vigilance and a combination of helpful tools and automation, security training, and preventative maintenance, such as penetration testing, carried out by trained security professionals.
As you guys mentioned in the post, there is no one thing you can do to prevent a security breach (including penetration testing). Instead, good security takes a holistic strategy.
One thing you didn’t mention related to: “Why Get a Penetration Test” is as a tool to drive organizational change.
Sometimes a highly targeted, well written penetration test can help provide the visibility and “fuel” to get executives to conceptualize the importance of security. Penetration tests can turn security from a “what if” to a “this could actually happen”!