
A Case Study of The Capital One Data Breach

Capital One had established a governance model but it lacked the limitations of the NIST cybersecurity framework. This allowed the attack to go undetected in its early stages. The company's incident response plan was immature, as shown by miscommunication between teams during the breach, which delayed detection. There were also issues with overuse of administrative privileges and a lack of focus on least privilege access management controls, which likely contributed to the breach.

Uploaded by

Villa Cerna

A Case Study of the Capital One Data Breach

Other Possible Remediation Approaches


This case shows that the mere presence of compliance controls at a company, such as
the subject company, and the existence of cybersecurity legislation in a country are
not sufficient to prevent security breach incidents.

Governance Model Without Alignment To A Standard Cybersecurity Framework

Foremost, Capital One had established a governance model, but that model lacks
the limitations set out in the NIST CSF, as discussed in the case. The company's
IT security team deliberately failed to detect the attack in its infant stage, even
though on its face the company seems to have gathered the technological advancements
needed to secure its network systems, such as cloud technology, talented engineers,
and AWS-supported tools and environment. Governance models designed around a
company's own interpretation of its digital architecture may be in place, but if they
are not further developed to fit a more tested cybersecurity framework adopted by most
of the industry, they prove fragile against cyber-attacks.

Incident Response Plan Did Not Promote Company’s Cybersecurity Culture

It is clear that the company had already instituted its Incident Response Plan before
the incident in 2019. However, the actions of its employees during the cyber attack
imply that the plan was immature in practice. There was obvious miscoordination
between the operations team (the first line of defense) and the technical audit team,
which contributed to the delay in detecting the problem. Because the operations team
was prone to use technical coding jargon, it appears that there was no clear
communication to address vulnerabilities in the system, if there were any back then.
The CISO failed to address this issue. That failure escalated into a toxic culture in
the workplace and exacerbated problems of employee retention.

Use of Administrative Privileges Such as Identity and Access Management Controls

While administrative privileges were implemented to prevent unauthorized access to
Capital One infrastructure, there seems to have been less emphasis on the principle
of least privilege in its identity and access management controls. In simple terms,
employees should be given only the minimum access or permissions needed to do their
respective jobs in the workplace.
