The Lessons We Can Learn from the Capital One Hack

The Capital One data breach is the latest in a long line of hacks where millions of customer accounts were compromised due to loopholes in security. According to that same report, the hackers were able to gain access to Capital One’s systems due to a misconfigured web application firewall. Even though you may not be handling as much customer data as Capital One, it is a good idea to learn about some common ways firewalls are breached and how to secure your app, so nothing like this ever happens to you. 

What Does the Web Application Firewall Do?

The web application firewall (WAF) defends your web app by filtering and monitoring the HTTP traffic from both the web app itself and the internet as a whole. This is what keeps your app safe from threats like SQL injections, cross-site scripting, DDoS and many other attacks. While it is not possible to know exactly what went wrong with Capital One’s situation without investigating the incident itself, here are some of the common security issues:

Potential WAF Issues

First of all, we have to understand that WAFs are based on software, which may have issues of its own that can be abused by hackers. It is very common for WAFs not to open and close properly if the web app is experiencing an unusually heavy amount of traffic. If the WAF does not open, this means that it is reverting back to only monitoring, or perhaps even letting all of the traffic through. If it does not close, then the opposite situation occurs where it does not let any traffic through at all. This is usually done in the form of a DoS or DDoS attack, where the WAF is breached and it prevents access to the entire app. 

Another potential error is a 0-day exploit; this is usually an IT department’s worst nightmare. A 0-day exploit is a vulnerability inside the app itself, of which the application vendor has no idea about. Since such a vulnerability is known to the hacker, they can exploit it for all kinds of purposes, and the vendor will often be way too late with any kind of sufficient defense. If such a loophole in security exists, the WAF will not provide any protection whatsoever. 

The last potential WAF attack that we’ll look into is faking the location from which the request is coming from. This can be done by sending an X-Forwarded-For header. Even if you had a case sensitive validation rule in place, it is still possible to bypass such a rule by sending a custom request with a mixed case.

These are just some of the most common methods used by hackers to penetrate a web application’s firewall, and the list could go on and on. Now, let’s take a look at what you can do to defend yourself against such attacks. 

Conduct a Security Assessment 

The scope of an assessment is very important. You may have to balance your own internal requirements with those of your business partners, but it must be clear to everybody what you plan to test and how you will test them. One of the most common methods is penetration testing. However, it is important to mention that both manual and automated penetration testing will be required. The reason is that automated tools cannot detect every single flaw, therefore, a lot of skill and insight is responsible on behalf of the tester to notice complicated authorization issues and problems in the business logic. 

If you are using a third-party vendor for penetration testing, be sure to ask them about the scope of the test, as well as the methods they intend to use. They should be scanning the app with automated tools to ensure consistent results, followed by manual testing to uncover hidden issues that were not detected in the automated pass. The number of times the tests uncover open-source vulnerabilities that are included in the OWASP top ten can be quite surprising. Also, the testing company should provide you with detailed reports, including attack simulations describing exactly how hackers are likely to exploit a vulnerability. 

In addition to penetration testing, you should test your resistance to DDoS attacks. This is very important, as you need to be able to detect the warning signs of DDoS attacks and take defensive measures immediately. Either you or the testing company will simulate DDoS attacks in a controlled environment. These will include:

Volumetric DDoS attacks – This will be a multi-gigabit location from lots of geographic locations, all over the world. Such a test will determine how you perform against extreme, consistent throughput. 

Application DDoS attacks – This is where the tester will try to overwhelm the web server tier. 

Low resource attacks – Attacks can occur via DNS, SMTP, and NTP reflection attacks. This will determine how where you stand against low resource, unexpected vulnerabilities. 

Bug Bounty Program

Even if you’ve followed all security procedures and you’ve checked the code time and time again, occasionally you will let a bug slip by you. It happens to all of us. One interesting tactic a lot of companies are using is the implementation of bug bounty programs. Basically, this is a form of ethical hacking, aimed at uncovering vulnerabilities before cyber criminals find the loopholes. Furthermore, since new viruses, malware, ransomware, and other malicious software appear daily, you alone may not be up to speed on all of the latest threats. 

Large companies such as Facebook, Mozilla, Google, and Samsung have the resources to manage their own bug bounty programs, which include settling bounties and analyzing the bugs that were uncovered. For small and medium-sized businesses, it would be a good idea to use a bug bounty service provider to manage such programs, as they usually have the resources ready in a turn-key fashion, without needing to do much in the way of setup. 

Don’t Kick the Can Down the Road

It is easy to postpone the security measures mentioned above, but there is no reason to leave yourself vulnerable to cybersecurity risks. While implementing new security procedures and protocols will require a financial investment, it could pay off for you in the end by avoiding losses, fines and damages to your brand. Huge, established companies such as Capital One and Equifax will be able to recover, as they have the resources to do so. More often than not, small and medium-sized brands do not have such a luxury. Secure your business today for a more prosperous tomorrow.