Capitol One Data Breach

Data Breach

The latest Data Breach is here

Yep, Another Capitol One bites the dust in the most recent of the financial Data Breach. This one is massive. It is estimated that over 100 million Americans and six million Canadian individuals are affected. These data breaches seem to be getting more and more common.

The FBI

has apparently charged a woman with computer fraud and abuse. She is a former employee of AWS. Her resume’ states she was a systems engineer at a cloud computing company. Amazon spokesperson did not reply to a request for comment. It is reported that a misconfigured #Cloud firewall is the attack vector. Sounds kind of fishy to me.

The bulk of the exposed data involves information including addresses, dates of birth and self-reported income. Wall Street Journal

Other information compromised in data breach

The data breach is believed to include credit scores, payment histories and credit limits. Those affected are said to be individuals and businesses that applied for Capitol One credit cards between 2005 and 2019.

Capitol One

Chairman and chief executive, Richard D. Fairbank, expressed his “deep sorrow” for the data breach incident and his commitment to making it right. While this sounds good I am highly skeptical about his concern. I doubt it is more than lip service to quell the ire of those affected and the general public. Sounds like the typical ‘çover your ass’ strategy to me.

The reason I say this is because only 38% of C-suite members said they would work with the security team to solve a security issue. from my article on July 2 2019. You may also want to read Top 5 Excuses For Not Having a Cyber Security Program article I wrote on May 17, 2019. While the article focuses on companies with a smaller budget I wonder how many of the excuses will come into play here.

I understand that one of the CEO’s main responsibility is to ensure profitability of the company. Does that mean protecting the PII of customers from a data breach is secondary at best? I am only speculating here but something just isn’t sitting well with me. If we really dig into the underlying causes of these breaches what will we find? Will we discover security costs were minimized to allow for increased profit margins?

Will Fairbank actually take responsibility? I highly doubt it. I figure he will be allowed to retire with a healthy ‘Golden Parachute’ plan and fade into obscurity. While he may not be directly responsible, it happened on his watch.

What about the safeguards to prevent  a data breach

Safeguards we are taught about in every Cyber Security class or course are taught for a reason. A misconfiguration in a firewall should never get through the cracks, especially for Payment Card providers. I mean aren’t they the ones who publish and enforce the PCI-DSS? A firewall is a first line of defense and should never be a single point of failure. I bet they will try to push some of the blame on Amazon because it was their cloud service where the data was stored.

I realize that cloud solutions are more cost effective and address an availability issue. There is also an inherent risk that the storage hardware is not really under your control. You may be at the mercy of who actually owns it. Even though the servers may be ultimately under AWS control, the decision to rely on AWS cloud was made by Capitol One. I personally don’t see the need to store 14 years of data in an apparently publicly accessible place. Read requirement 3 of PCI-DSS on page 14 in the quick reference guide linked to below.

Data Security

There are safeguards that were not adhered to if it is a firewall misconfiguration that led to the data breach and I will address that in a moment. First though, realize there are 3 states of data. Data at rest, data in motion, and data in use. There are ways to protect the data in all three stages.

What about encryption

This scenario seems to have affected Data at Rest. I only say this because records from 2005 were in the mix and it was being stored. Encryption is supposed to protect data from unauthorized access and use. Hopefully the encryption used was strong and the keys were not compromised.

PCI-SSC Payment Card Industry Security Standards Council

They are the ones who write PCI-DSS(Payment Card Industry – Data Security Standards). PCI-DSS state some pretty stringent rules that must be complied with. The first rule for compliance states that you must Build and Maintain a Secure Network. The first requirement is having firewalls in place and testing whenever changes are made to configurations. Just a bit further along, requirement 3 states that you must PROHIBIT direct public access between the internet and ANY system component in the cardholder data environment.

Well so far we have identified 2 of the first three subsections have been violated. We could even say 3 strikes but they may have complied with the testing when changing firewalls or configurations although it doesn’t look that way.

You can take a look at the PCI-DSS Quick Reference Guide  by clicking on the link or visiting https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf
Right on the cover page it makes the following  clear statement
For merchants and entities that store, process or transmit cardholder data

  1. I apologize for the rant but I am getting tired of finding out about these huge data breaches.  In fact I just completed the enrollment for the Equifax settlement credit monitoring service two days ago.

The Human Factor

If you haven’t noticed a large part of cybersecurity is based on the Human Factor. It is by far the weakest link in the chain of securing your IT environment.  If you choose to ignore this fact and neglect to implement a Cyber Security Awareness Plan then you are risking more than you can imagine. But if you decide that a Cyber Security Awareness Plan is the smart choice and the right thing to do you will not only help keep your Business IT secure but your most valuable asset – your employees – will benefit as well.

Educate your employees to be cyber savvy at work and they will enjoy the benefits at home as well. There are a few ways to get started with your Cyber Security Awareness plan.  I feel the most important first step is to let them know why you are doing it and how they will benefit. This way you are being up front with them that Cyber Security is paramount to the operation of business. You are also showing them their personal and family security is important to you. But it will be hollow succor unless you follow through.

When you implement your Cyber Security Awareness training program make sure you:

    • Explain how they can use your tips and techniques at home to keep their loved ones secure online.
    • Share your experiences and encourage them to participate with ideas.
    • Let them know if they make a mistake the best thing they can to is to report it immediately – don’t try to hide or ignore it.
    • Have them vote for a Cyber Security Awareness Champion. (or you can appoint one)
    • Have a plan to ensure your program will be an ongoing part of your company’s culture.

This is not a definitive list of what you will need to do but it is a good starting point.

If you would like some help teaching your employees to avoid phishing and other scams. This not only helps protect your company but your employee and their family as well from possible scams that can lead to Identity Theft or serious security breaches. Contact us HERE

Password Security

We have all heard password security says we should change our passwords regularly. We also should not ‘reuse’ passwords on different sites. This is sound advice but how many people really follow it. The numbers are shocking. Surveys taken consistently show that over 90% of people know they should not reuse passwords between sites but up to 83% still do.

A survey by Cyclonis confirms these numbers stating “an astounding 83.15% of respondents said they use the same password for multiple sites. …a small but shocking amount of users, 2.20%, said they use the same password for every single website.” You can read the full article at Cyclonis. They also have a nifty tool you can use to see how well you may or may not be doing regarding your password strength and reuse habits.

Businesses need to pay special attention to their password policies. According to an article on Security Boulevard almost 50% of people say there is no difference between the passwords they use at home and those they use at work.

Following a few simple rules can keep your personal information secure.

    • Longer passwords are better. Make sure they are over 8 characters minimum
    • Use Numbers, Special characters and Upper and lower case letters.
    • Replace letters with numbers or special characters. i.e. 3 for E, 5 for S, ! for i
    • Change your passwords regularly.

If you need a bit more encouragement think about it this way. First, if you reuse passwords or even just add a letter or number at the end it does not take any time to crack those passwords. You have to remember time is on the bad guys side. They can just sit back and let their computer do the work, even if it takes their password cracker days to crack.

If they get your email password they have access to all of your emails that have not been deleted. So that probably includes links to your bank, school, work, your kids school and other activities as well as possible purchases you have made.

Once they have the right information you are owned! The majority of people discover identity theft within 3 months but up to 15% of people don’t find out for more than 3 years. The cost to fix everything is tremendous. Not only financial burdens that can escalate to the millions and bankruptcy, there is also emotional stress. In addition you can count on missing days from work and possibly even lawsuits. Your credit will likely suffer as well and is something that you will be paying for for several years after you get everything straightened out.

Most of these problems can be solved or avoided by using a Security Awareness Program that includes a Password policy that can be easily implemented.

Safeguard your business with a Security Awareness Program that will help protect your business and show your employees how they can protect their families too. Contact us HERE

You have a payment in process…

Email Phishing Scams

Below is an email that is just phishy..
FYI As usual, I have disabled URL’s

subject: $41,361.35 sitting in our payment queue

Hey there,

You have a payment in process and will be credited to your account soon…

Amount: $15,102.80

VERIFY PAYMENT NOW <http://pt5.abellacarl.trade/btrevc>

If this email was sent to you by mistake, please ignore it.

Good luck,

Alfie Bentley
Snap Cash Support

This is among the type of spam/scam emails which may catch the unsuspecting person by surprise. Regardless of whether or not it brings a person to a site that downloads any malware, it certainly has the potential to get you put onto another mailing list that may not be so benign.

Among the ‘suspicious’ items in this email is that the unsubscribe link is very far down the page that is full of blank space. It also has a supposed “Report Abuse” link that has the same url as the unsubscribe link as shown below.

Unsubscribe
<http://www.lettermelater.com/unsubscribe.php?mid=1111111&email=********.***>  from this newsletter instantly.

Report Abuse
<http://www.lettermelater.com/unsubscribe.php?mid=1111111&email=********.***>

I suggest simply marking this email as junk/spam and if need be block the senders address.

 

Lock it up!

 

Cell Phone Security

Your cell phone is a very powerful device. It has the ability to take high resolution pictures, browse the internet, socialize on Facebook, give you turn by turn directions and even make video calls. You can message your friends and family, play games, read books and the list goes on. They are amazing little devices that we really need to secure better. they often store personal information and even payment and banking logins and passwords.

While you are probably more likely to lose your phone than have it getting hacked there are still simple precautions you should take.

First and foremost Lock the Screen. I know it is kind of inconvenient but it can really save you a lot of headaches and possible financial hardship if it is not locked and someone gets hold of your phone.

Only install apps from trusted sources. For android that would be Google Play, the Apple App Store for iPhones and Amazon App store for your Amazon Tablets. Get the picture? Of course you can also download apps from your cell carrier, they are also probably a safe bet.

Do the Updates. Yeah they are a bother but they really do help keep your phone more secure and running smoothly. As a matter of fact you should enable automatic updating. That way it will update when you are not using the device or you can set it for a specific time and you won’t have to worry if you are missing important patches.

Track It! Download and install an app that will allow you to track your device from a home computer over the internet. If your device is ever lost or stolen you will be able to locate the phone or if need be wipe its contents.

Application Privacy options. I recommend carefully reading the privacy statements when downloading any apps. If you are uncomfortable with the flashlight app having access to your contacts, photos and location search for one that will meet your needs without the access issues. Disable location for all apps and then go back and only allow location to be used for apps that absolutely need it., like Driving directions and phone locator.

TURN OFF LOCATION ACCESS to apps like facebook, twitter and other social media apps. If you are posting that you are on a cross country trip and a nefarious character sees it then you are basically letting them know you are out of town and your home is unattended.

Your mobile device is a very powerful part of your life. Make it as secure as possible and use it with care by following these few simple steps.

Phishing and Pharming

Two types of email scams out there to be watchful for are Phishing and Pharming.

You have likely heard of Phishing but what about Pharming? I will explain both to give you a clear picture of that both are and what you can do to keep from becoming a Pharmed Phish.

Lets start out with Phishing.

Generally a phishing email is designed to get the recipient to take an action. The email is crafted to scare or bait the recipient into clicking a link contained in the email. The link can lead you to a malicious website or even immediately begin downloading a malware package. The links are usually disguised or spoofed to make you think you will be heading to a familiar and safe website.

Pharming can be much the same.

Your email may have been scraped from a website of social media platform. The email is then sent out with the same intent of getting you to click a link or sometimes even opening the email can be enough. The link characteristics are much the same as in phishing – spoofed! The links can also have the same dangerous actions associated with them.

What can you do?

I suggest that you always have a preview pane to that the email does not actually open. This can protect you a little bit. Also set your email program to never automatically download pictures. You can set the trusted email senders individually to automatically show the images.

It is probably a good idea to initially view all emails as plain text and not as html. It is likely a safer way to get your emails and it will also speed up email retrieval.

As you probably got from the above you do not have to actually opt in  to get on someones email list. As is the case with most criminal activity, the phishers and pharmers and scammers do not care about the laws. Your email can be scraped and bought and sold without your consent or knowledge. Legitimate companies do follow the rules and laws and will not randomly scrape emails from the web and try to scam you.

If you receive unsolicited emails it is safer to just mark them as junk and block them than it is to attempt to unsubscribe.

Learn how you can teach your employees to avoid phishing and other scams. This not only helps protect your company but your employee and their family as well from possible scams that can lead to Identity Theft or serious security breaches. Contact us HERE