Comprehensive Software Reviews to make better IT decisions
Hacker Compromises Data of 106 Million Capital One Customers
Tech worker Paige A. Thompson has been charged with computer fraud for compromising the data of 106 million Capital One customers.
Thompson took advantage of a firewall misconfiguration to access data stored in a Capital One cloud server.
The cloud provider was confirmed as Amazon Web Services. Thompson was also revealed to be a former Amazon Web Services employee.
Source: SoftwareReviews Amazon Web Services Scorecard, accessed August 14, 2019
In their statement, Capital One said that “this type of vulnerability is not specific to the cloud.” What this means is that the data breach had nothing to do with security vulnerabilities of Amazon Web Services itself. The problem instead lay with a misconfigured firewall internal to Capital One.
Indeed, the relevant takeaway from this story is probably not to do with the security of Amazon Web Services. It is instead to do with why Capital One’s own Cloud Custodian – an open source governance, security, and compliance engine for cloud services – overlooked this firewall misconfiguration.
As always, clients should ensure that data stored anywhere (either in the cloud or otherwise) is protected by secure firewalls. Info-Tech’s security blueprints offer effective strategies to ensure clients can appropriately select and implement firewalls, alongside specific information on cloud security.
Source: Info-Tech Research Group Ensure Cloud Security in IaaS, PaaS, and SaaS Environments
Want to Know More?
Cisco is beginning to lose patience with its Zoom interoperability after another Zoom security risk: access for the Zoom Connector for Cisco hosted on zoom.us did not require authentication, allowing external users to join a Zoom meeting without password credentials.
On October 30, 2019, KnowBe4, a leader in the end-user security training space, was awarded Federal Risk and Authorization Management Program (FedRAMP) approval from the US federal government.
National Cyber Security Alliance Names Habitu8 As Their Official Security Awareness Video Training Partner
For 2019’s National Cybersecurity Awareness Month (NCSAM), the National Cyber Security Alliance (NCSA) has named the security awareness and training vendor Habitu8 its official partner.
Security awareness and training vendor KnowBe4 has added a machine learning module called PhishML to its existing SOAR platform, PhishER.
Trend Micro Partners With NINJIO, InfoSec, GoldPhish, and NextTech Security to Offer Free Training Content
Trend Micro has added training content to its free Phish Insight tool, originally a simple, cloud-based phishing platform. The new training content comes from partnerships with NINJIO, InfoSec, GoldPhish, and NextTech Security.
Prebuilt, Layered Campaign Kits Make Security Awareness and Training a Low-Effort, High-Value Initiative
Infosec now offers campaign kits through its Infosec IQ product: prebuilt campaigns consisting of layered training materials and implementation recommendations. While many vendors are willing to provide guidance on how you should build and deliver your campaign, these kits from Infosec Institute already have that guidance built in.
Avaya’s newly released firmware addresses a vulnerability that has survived for 10 years in VoIP phone models configured with H.323 signaling.
Apple has delivered a silent update to Macs, rectifying a security flaw in its Zoom web-conferencing service.
Cyberattacks are terrible and require the same dedication to overcome them as would any other disaster response effort. Just like natural disasters, cyberattacks cause millions of dollars in damage, disrupt infrastructure, and impede citizens from their daily lives.