TechEcho
Capital One Cyber Staff Raised Concerns Before Hack

141 points, by valiant-comma, almost 6 years ago

12 comments

dangero, almost 6 years ago

Not discounting this story, but I'd like to point out that raising concerns is a personal protective strategy for any cyber staff. If you constantly raise concerns that you know cannot or will not be resolved, you have created a paper-trail scapegoat for when something goes wrong. The more ambiguous the better: firewall settings not monitored enough, too much turnover so something will fall through the cracks, etc.

Protecting a large enterprise from cyber attacks is basically impossible, so coping with that stress and protecting your career by looking for other things to blame makes sense to me.
relaunched, almost 6 years ago

This article is devoid of any meaningful analysis and perspective.

> The cybersecurity unit—responsible for ensuring Capital One's firewalls were properly configured and scanning the internet for evidence of a data breach—has cycled through senior leaders and staffers in recent years, according to the people.

Firewall team combined with threat-intel? I'm not sure what that has to do with the breach, or preventing it.

> Sometimes the broader tech-centric culture of the firm could complicate security, the people said. Technology employees had at times been given free rein to write in many coding languages—so many that it made it harder for the cybersecurity unit to spot problems, according to people familiar with the matter.

Super common, but coding languages aren't generally acknowledged as responsible for the hack. If there was a code-level vulnerability that most likely would have been caught by static analysis, but wasn't because their scanning tools didn't support a language, this comment would make more sense.

> the alleged hacker found that a computer managing communications between the company's cloud and the public internet was misconfigured—effectively it had weak security settings, the Journal previously reported.

Server Side Request Forgery, coupled with overpermissioning, could be explained this way: misconfigured WAF. A poor description of what we think may be the actual exploit.

It goes on and on.
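The comment above names the exploit class it thinks the article is describing badly: a public-facing request forwarder that can be pointed at internal addresses (SSRF), chained with an over-permissioned cloud role. The example below was written for this page by the editor; it is not code from the thread, from Capital One or from AWS, and it does not reproduce any specific exploit step. It shows the weak form (trust whatever URL the client sent) beside a guard that resolves the target and refuses link-local, loopback, private and IPv4-mapped addresses before the proxy connects. The hostnames, IP addresses and the DNS table are constructed; the 169.254.169.254 metadata address and the blocked ranges are standard.

```python
"""SSRF guard for a URL-forwarding component (example code for this page).

Weak form: forward the URL as supplied. Hardened form: parse it, resolve the
host, and reject any destination in a blocked range, including the cloud
instance-metadata address 169.254.169.254 and IPv4-mapped IPv6 spellings of it.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Destinations a request forwarder must never reach on a client's behalf.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),  # link-local, incl. 169.254.169.254 metadata
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918
    ipaddress.ip_network("0.0.0.0/8"),       # "this" network
    ipaddress.ip_network("::1/128"),         # IPv6 loopback
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
    ipaddress.ip_network("fd00::/8"),        # IPv6 unique-local
    ipaddress.ip_network("::ffff:0:0/96"),   # IPv4-mapped, e.g. ::ffff:169.254.169.254
]

# Constructed DNS table standing in for real resolution in the demo.
SAMPLE_DNS = {
    "example.com": ["203.0.113.10"],            # TEST-NET-3, documentation range
    "metadata.internal": ["169.254.169.254"],   # hypothetical alias of the metadata service
    "localhost": ["127.0.0.1", "::1"],
}


def sample_resolver(host):
    """Resolver used by the demo: look the host up in the constructed table."""
    if host not in SAMPLE_DNS:
        raise ValueError(f"unresolvable host: {host}")
    return SAMPLE_DNS[host]


def system_resolver(host):
    """Real resolver for production use: every address the OS returns."""
    addrs = {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}
    return sorted(addrs)


def weak_target(url):
    """The weak version: trusts whatever host the client supplied."""
    return urlparse(url).hostname


def safe_target(url, resolver=sample_resolver):
    """Return the resolved addresses the proxy may connect to, or raise ValueError.

    Every candidate address is checked; a host that resolves to even one blocked
    address is refused. A literal IP in the URL is checked without resolution.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")  # blocks http://a.com@169.254.169.254/
    host = parts.hostname
    if not host:
        raise ValueError("no host in URL")
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        candidates = [ipaddress.ip_address(a) for a in resolver(host)]
    if not candidates:
        raise ValueError(f"{host} did not resolve")
    for ip in candidates:
        # Unwrap ::ffff:a.b.c.d so the IPv4 ranges above apply to it as well.
        checked = ip.ipv4_mapped if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped else ip
        if any(checked in net for net in BLOCKED_NETWORKS):
            raise ValueError(f"{host} resolves to blocked address {ip}")
    return [str(ip) for ip in candidates]


def is_safe(url, resolver=sample_resolver):
    """Boolean wrapper around safe_target for callers that only need a verdict."""
    try:
        safe_target(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for u in ("https://example.com/report",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/",
              "http://metadata.internal/",
              "file:///etc/passwd"):
        print(f"{u:45s} weak={weak_target(u)!s:28s} safe={is_safe(u)}")
```

Two caveats a practitioner should add. First, the check resolves the name once and the HTTP client resolves it again when it connects, so a DNS answer that changes between the two calls (rebinding) bypasses the guard; connect to the address returned by `safe_target` and send the original hostname in the Host header, or resolve inside the client. Second, this closes only the SSRF half of the chain the comment describes; the over-permissioned role that makes a reachable metadata endpoint valuable is an IAM problem and has to be fixed there.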
kerng, almost 6 years ago

Management just does basic risk assessment: paying a few million here or there for a fine doesn't really impact business continuity, so security is not important at all. That's the reality.

For-profit companies are often quite unethical. Laws that put executives in jail if they do not perform basic due diligence might help, e.g. proof that a security program is established and executed on, to ensure their own defined standards and policies are met. There are quite a few CSOs/CISOs from breached companies who should not be allowed to continue performing their profession.

Startups often fall perfectly into this bucket, unfortunately. As soon as one has more than a certain number of customers, the stakes should become extremely high.
Communitivity, almost 6 years ago

Hiring great people and getting out of their way is only one of three table legs. The other two are listening when they advise you, and empowering them to effect change.
peterwwillis, almost 6 years ago

Even if you *know* that your company is doing nothing to find exposed secrets on the web, can a single engineer just tell their manager, "Hey, you know what? I'm not going to work on this work you assigned me, I'm going to work on this other thing which might be beneficial down the road."

Somebody has to groom the "concern" into a story that can be worked on, then assign it to someone. But often this kind of work will get passed over by a manager or team that would rather work on something else, or doesn't see it as important. If you have high turnover, that makes addressing "concerns" all the more difficult, as people aren't around long enough to coordinate working on them.

So just "raising concerns" is not going to change anything; somebody at the top has to be listening for them, and somebody in the middle needs to be tracking getting them resolved.
danielecook, almost 6 years ago

To this day I still receive emails for another person with my name through Cap One 360. Some were regarding overdue bills, and with others some personal information was given. I called repeatedly... and nothing was ever done about it. I think they poorly merged account data at one point; perhaps it's a broader reflection of their IT work.
arethuza, almost 6 years ago

"9 people 6 months to do"

That sounds to me like they had decided that they, for whatever reason, didn't want to do the work.
TheLuddite, almost 6 years ago

How about introducing the following law: if an employee is aware of a breach in their company's systems and they use the said breach to enrich themselves, they are protected by law against all prosecution related to the said malicious action.
gyanchawdhary, almost 6 years ago

We made an interactive demo to show how the hacker exploited the vulnerability: https://application.security
encoderer, almost 6 years ago

Well, looks like they caught him. /s

What a one-sided hit piece.
ummonk, almost 6 years ago

https://www.linkedin.com/in/michael-johnson-098437117/

They hired a bureaucrat, not an engineer, to be their CISO.
aluminussoma, almost 6 years ago

I think someone is trying to cover their ass. Think about how this story could have been written: the WSJ reaches out to current and former employees and writes what they say. Those cyber security employees are already feeling the heat and want to preserve their reputation, so they throw someone else under the bus.

This was an inside hack by a former AWS employee. It was difficult to protect against. I can't fault Capital One here as much as I can fault AWS.

There will always be tension between the Security team and the rest of the company.