Responding to the Capital One security breach?

According to KrebsOnSecurity.com (8/2/2019 blog post), the massive Capital One security breach started with a misconfigured WAF site running ModSecurity, which was running on Amazon Web Services. My summary of his report:

  • An AWS employee exploited the WAF misconfiguration to get application-identity credentials assigned to the WAF site or its server.
  • The application-identity credentials were used to query the Amazon metadata information.
  • The application-identity account was overconfigured, so it gave her keys to the kingdom instead of limiting her to the data the application needs to reference.
  • She took full advantage of the keys.

Since our WAF log files make it painfully obvious that UTM uses ModSecurity under the covers, I have been hoping someone (Sophos) could provide some information to assure us that a similar compromise is not feasible in the appliance environment, as well as guidance to ensure that it is not accidentally possible in the cloud environment. Maybe it's too soon to tell, since details are hard to obtain in a situation like this, but I can hope.

(For AWS users, the KrebsOnSecurity article refers to some Amazon utilities that can help check for configuration best practices.)
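The chain summarised in the post has two links that can be checked mechanically: a proxy or WAF that relays requests to whatever host the client names (which is how a request reaches the instance metadata service at 169.254.169.254), and a role policy that grants far more than the application needs. The following is an added example, not code from the post, from Sophos UTM or from Amazon. The backend allowlist, the sample policy and the decimal and hex spellings of the metadata address are constructed for illustration, and `forward_allowed_naive` is a caricature of the misconfiguration, not the actual rule involved in the incident, which the post does not reproduce.

```python
"""Two checks against the chain described in the post:
  1. a deny-by-default forwarding decision for a reverse proxy / WAF that
     must never relay a request to the instance metadata service;
  2. a scan of an IAM policy document for wildcard Allow grants.

Added example; the allowlist, sample policy and IP spellings are constructed.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# AWS instance metadata endpoints: IPv4 link-local and the IPv6 form.
IMDS_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}

# Constructed allowlist: the only backends this proxy is meant to reach.
ALLOWED_BACKENDS = {"app.internal.example", "api.internal.example"}


def _parse_ip(host):
    """Return an ip_address if `host` is an IP literal, else None.
    int(host, 0) also catches decimal (2852039166) and hex (0xa9fea9fe)
    spellings of 169.254.169.254 that a plain string comparison misses."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))
    except (ValueError, TypeError):
        return None


def forward_allowed_naive(url):
    """The misconfiguration in miniature (constructed): relay to any host."""
    return bool(urlsplit(url).hostname)


def forward_allowed(url, allowlist=ALLOWED_BACKENDS):
    """Return (allowed, reason). Only allowlisted hostnames are forwarded;
    IP literals are never forwarded, and anything pointing at the metadata
    service, a link-local, loopback or unspecified address is named in
    the reason so the refusal is easy to find in the proxy log."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not permitted" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    ip = _parse_ip(host)
    if ip is not None:
        if ip in IMDS_ADDRESSES:
            return False, "instance metadata service"
        if ip.is_link_local or ip.is_loopback or ip.is_unspecified:
            return False, "%s is not a routable backend" % ip
        return False, "IP literals are not forwarded; use an allowlisted name"
    if host not in allowlist:
        return False, "%r is not an allowlisted backend" % host
    return True, "ok"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_grants(policy_json):
    """Return (statement index, description) for every Allow statement whose
    Action ends in '*' and whose Resource is '*', or that grants by
    exclusion (NotAction/NotResource). This is the 'keys to the kingdom'
    shape: a role for one application should name its buckets."""
    policy = json.loads(policy_json)
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append((idx, "grants by exclusion (NotAction/NotResource)"))
            continue
        broad_actions = [a for a in _as_list(st.get("Action", [])) if a.endswith("*")]
        broad_resources = [r for r in _as_list(st.get("Resource", [])) if r == "*"]
        if broad_actions and broad_resources:
            findings.append((idx, "%s on any resource" % ", ".join(broad_actions)))
    return findings


# Constructed sample: one scoped statement and one over-broad statement.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::waf-config-example/*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
})


if __name__ == "__main__":
    for url in ("http://169.254.169.254/latest/meta-data/iam/security-credentials/",
                "http://2852039166/latest/meta-data/",
                "http://[fd00:ec2::254]/latest/meta-data/",
                "http://app.internal.example/health"):
        print(url, forward_allowed_naive(url), forward_allowed(url))
    print(wildcard_grants(SAMPLE_POLICY))
```

The forwarding check is deliberately deny-by-default rather than a blocklist of the metadata address: a blocklist has to anticipate every spelling of the address, while an allowlist of backend names only has to be right about the handful of hosts the proxy exists to serve. The policy scan is the complement on the credential side: even if a request does reach the metadata service, a role that can only read its own configuration bucket yields a much smaller prize than one holding `s3:*` on `*`.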
