Capital One has been fined $80 Million due to a large data breach that exposed personal information of over 100 million credit card users and applicants. A press release from the Office of the Comptroller of the Currency (OCC) stated that the action was “based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment.” The OCC also cited failure of the bank to establish appropriate design and implementation of network security and data loss prevention controls.
1. Next Generation Firewalls
The attack did not originate with a Russian or Chinese cyber security super agency with sophisticated technology. The hacker was a 33-year-old ex-Amazon Web Services employee who took advantage of a misconfigured firewall.
There will always be instances of human error in network deployment. Setting up proper next-gen firewall protection can entail individually configuring firewall rules, application control, TLS inspection, sandboxing, web filtering, antivirus and IPS. Certain firewalls are easier to configure than others. Firewalls with elegant GUIs can help mitigate deployment errors.
According to the OCC, sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers. The bank was found to be lax in implementing these best practices.
Implementing Next Generation Firewalls is a critical step in protecting networks and servers. However, continuous monitoring of traffic is important to establish what normal traffic looks like and to identify anomalies that may alert network managers to malicious traffic. While NGFW is an important first step, it is not the only tool networks have to fight attacks.
2. Data Loss Protection
Lack of Data Loss Protection (DLP) was also noted in the complaint against Capital One. In addition to firewalls that are designed to keep malicious traffic out of servers, Data Loss Protection is another level of protection designed to keep confidential information from being downloaded from a server.
Data Loss Prevention tools protect proprietary information from being accessed remotely and ensure compliance with governmental data guidelines such as GDPR, HIPAA and PCI DSS. These tools can enforce access rights for removable devices such as USB drives and establish policies for users to access and download certain data.
Utilizing both NGFW and DLP creates a fortress within a prison. A fortress is designed to keep the enemy out. A prison is designed to keep inmates in. Deploying both NGFW and DLP on a network provides protection from malicious outside traffic as well as blocking and controlling confidential information from being downloaded to unauthorized devices.
3. Visibility Architecture
In addition to NGFW and DLP, there are hundreds of other specialized tools to monitor and protect networks and information. Some of these tools include antivirus scanners, content filtering devices, encryption/decryption tools, proxy servers and spam filters. Of course it is impossible to deploy all these tools on every link. However, it is possible to simply and safely connect and manage these tools using network TAPs and Packet Brokers. These devices provide ports to connect security and monitoring tools to network links. They also provide deployment and management features such as link aggregation, regeneration, load balancing, filtering and port mapping for maximum flexibility and economic utilization of tools.
The average network may use as many as seven or more tools per link for fully compliant and safe network security. Without a Packet Broker such as the SmartNA PortPlus from Network Critical, deployment and management of tools would be prohibitively expensive and error prone. Packet Brokers provide maximum efficiency of network tools by providing only the information that is needed when it is needed. They also provide CAPEX economy by allowing certain tools to manage and protect multiple links.
Of course, there is some CAPEX cost to deploying multiple monitoring and security tools on every link. There is also some OPEX cost to configuring, maintaining and monitoring these tools. Packet Brokers can minimize the costs and maximize the protection.
For Capital One, the cost of a robust security and monitoring architecture pales in comparison to the $80 Million lost due to lax network security management. Don’t be Capital One. Network Critical experts are available to help design a monitoring and security profile that will help your company be safe, secure and compliant. Go to www.networkcritical.com/support for more information.