Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Google Privacy IT

Another Breach: What Capital One Could Have Learned From Google's 'BeyondCorp' (vortex.com) 119

"Firewalls can be notoriously and fiendishly difficult to configure correctly, and often present a target-rich environment for successful attacks," writes long-time Slashdot reader Lauren Weinstein.

"The thing is, firewall vulnerabilities are not headline news -- they're an old story, and better solutions to providing network security already exist." In particular, Google's "BeyondCorp" approach is something that every enterprise involved in computing should make itself familiar with. Right now! BeyondCorp techniques are how Google protects its own internal networks and systems from attack, with enormous success.

In a nutshell, BeyondCorp is a set of practices that effectively puts "zero trust" in the networks themselves, moving access control and other authentication elements to individual devices and users. This eliminates traditional firewalls (and in nearly all instances, VPNs) because there is no longer any need for such devices or systems that, once breached, give an attacker access to internal goodies.

If Capital One had been following BeyondCorp principles, there'd likely be 100+ million fewer potentially panicky people today.

This discussion has been archived. No new comments can be posted.

Another Breach: What Capital One Could Have Learned From Google's 'BeyondCorp'

Comments Filter:
  • by rsilvergun ( 571051 ) on Saturday August 03, 2019 @02:37PM (#59035114)
    Equifax. There's no penalty for lax security but there is a cost for good security.
    • by Anonymous Coward

      They learned everything they needed from Equifax

      From a repercussions standpoint, sure.

      But from a technical standpoint they are two very different things.
      With Equifax the initial entry point was gained due to an exploit in the software, where Capital One was due to user error and a misconfiguration.

      I hate to point at Google's success at security and say this isn't a cure-all, but the problem with local access controls and such is that you need to trust the software actually works as intended, and an exploit is the software not doing exactly that.

      This appr

    • by gweihir ( 88907 )

      Indeed. Unless and until CEOs personally bleed when they have screwed up this badly nothing is going to change. Yes, securing the IT is ultimately the CEOs job, and nobody else's.

  • Interesting (Score:5, Interesting)

    by 93 Escort Wagon ( 326346 ) on Saturday August 03, 2019 @02:47PM (#59035154)

    There seems to be a fair bit of positive-spin Google stuff on Slashdot lately. Is it just coincidence (since they are obviously a huge ad/tech company with their fingers in a lot of pies), or is Google working on sprucing up its image?

    • They are sprucing up their imagine to counter their already abysmal reputation which was only made worse by their executives talking about fixing the next election.

      Still, on a technical level, their security solution is pretty interesting.

      • Re: (Score:3, Informative)

        which was only made worse by their executives talking about fixing the next election.

        Cool spin, but that's not what they were saying.

        If you read what they actually said instead of what Brietbart and Fox News claims they said, they were discussing ways to counter the overwhelming number of bots (and their dumbfuck human counterparts) spreading fake news and disinformation, which was a major factor in Trump getting elected.

        That, combined with tampering with voter records and other forms of voter suppression paved the way for the election to be thrown.

        Go ahead, mod me down, it won't change the

        • ) spreading fake news and disinformation, which was a major factor in Trump getting elected.

          Was it? As far as I can tell, the single most important thing was when Hillary called a bunch of people "Deplorables" and they and their neighbors took it personally. The northeast seemed to swing towards Trump primarily based on that.

          • Re:Interesting (Score:4, Insightful)

            by kqs ( 1038910 ) on Saturday August 03, 2019 @08:18PM (#59036330)

            Was it? As far as I can tell, the single most important thing was when Hillary called a bunch of people "Deplorables" and they and their neighbors took it personally. The northeast seemed to swing towards Trump primarily based on that.

            So, if I understand: Hillary insulted people once. And people were so horrified by this that they instead voted for the guy who insults people every day on twitter and in speeches.

            Not sure what word I'd use to describe that state of mind. "Moronic", or "hypocritical", or maybe "deplorable"?

            • You need to learn the difference between "insulted people" and "insulted me." If I call you a moron, you won't appreciate it, whereas if I call Trump a moron, you'll agree with me.
              • by kqs ( 1038910 )

                I understand the difference between "insulting me" (awful, untrue, discrimination) and "insulting people not like me" (fine, truthful, scientific). That is a staple of conservative thinking, and is generally known as "hypocritical". I learned it when I was a toddler, though I grew out of it a few years later.

                2000 years ago, a wise man said "If anyone slaps you on the right cheek, turn to them and shoot them many times because you feel threatened".

                • That is a staple of conservative thinking, and is generally known as "hypocritical".

                  ROTFL. You might as well say that conservatives are of the devil and the root of all evil. If you can't think of anything good to say about conservatives, the problem is you.

                  If you can't find anything bad to say about liberals, the problem is you.

                  • by kqs ( 1038910 )

                    Your comment was:

                    Was it? As far as I can tell, the single most important thing was when Hillary called a bunch of people "Deplorables" and they and their neighbors took it personally. The northeast seemed to swing towards Trump primarily based on that.

                    So thus we are talking about conservatives, and how they are fine when Trump insults others and simultaneously micro-aggressed when Hillary said that bigots are deplorable (not all conservatives, just the bigoted ones). She said that once, compared to Trump's constant stream of insults.

                    I have many bad things to say about liberals and good things to say about conservatives, but none that have been apropos to this discussion.

                    And I notice that you switched to ad hominem arguments; out of logi

            • by AmiMoJo ( 196126 )

              Another one just murdered 20 people in Texas, cited Trump in his manifesto. At this point I don't think words like "hypocritical" really apply, it's a whole different level of rhetorical doublethink.

              • Another one just murdered 20 people in Texas, cited Trump in his manifesto. At this point I don't think words like "hypocritical" really apply, it's a whole different level of rhetorical doublethink.

                Yep, another Trumptard goes off the rails and murders a bunch of people. This morning, another one shot and killed 9 people in Dayton. And yet no one seems willing to state the obvious: they're all white, male Trump supporters, born and bred in the US.

                • by AmiMoJo ( 196126 )

                  The doublethink is incredible. To protect Americans from criminal immigrants, he decided to become a mass murdering criminal by killing Americans.

                  • by kqs ( 1038910 )

                    To protect white real Americans from criminal immigrants, he decided to become a hero by killing evil dark-skinned criminals.

                    Fixed that for you.

        • Re:Interesting (Score:4, Informative)

          by DCFusor ( 1763438 ) on Saturday August 03, 2019 @05:20PM (#59035836) Homepage
          Project Veritas. That IS what they're saying. They don't shadow ban bots. https://www.youtube.com/watch?... [youtube.com] There are quite a few other examples of them (for example Jen Gennai) saying "we'll prevent any such situation as Trump in the future. And she mentions people, not bots.
          Bots are a problem, yes. But far from the only one...Speaking of spin.
          • by AmiMoJo ( 196126 )

            Project Veritas has lied so often as so consistently in the past, we absolutely need independent proof now. We can't take their word for it.

            Is there any independent verification of any of this?

            Has Project Veritas made any effort to back up their claims, e.g. by releasing the full and unedited raw video footage?

        • "to counter ... dumbfuck human counterparts spreading fake news"

          There is a well known term for that: silencing political dissent.

          • "to counter ... dumbfuck human counterparts spreading fake news"

            There is a well known term for that: silencing political dissent.

            If you think those two things are the same (or even comparable) you're probably in your mom's basement wearing a MAGA hat and fondling your new gun right now.

    • Watch this [youtube.com] and/or this [youtube.com].

      The media is fed stories by mega corps who are happy to run with them because it's free content. There's a bit of conspiracy going on (the real kind, as in two or more people working together to do bad things) too.
  • by Zero__Kelvin ( 151819 ) on Saturday August 03, 2019 @03:27PM (#59035334) Homepage
    The idea of having a firewall on each computer and none between the LAN and the DMZ isn't just stupid, it would be pure incompetence. The point is that you shouldn't have *just* the one, or *just* the other. It is called defense in depth. You need both and a whole lot more and I highly doubt google misunderstands this in the same way as our resident incompetent blogger Weinstein does.
    • Their point (I don't know about the article) is that you should have services that are only accessible inside of the firewall. Instead, each service is accessible with the correct token from anywhere. Then it is up to the owners of the service who to give access to (or something like that. I only have so much time to devote to reading Google security docs today, sorry).

      This of course sounds like an HTTPS access scheme, and originally they did try to force everything into HTTP, but they quickly realized t
    • by gweihir ( 88907 )

      The other thing is that this is hard to get right. If you do not even manage to get the perimeter firewall right, how on earth are you supposed to get this more complex thing right?

  • When you own the world's most popular search engine[1] you can just hide any news of breaches of your network.

    1. According to their own press.

  • by gweihir ( 88907 ) on Sunday August 04, 2019 @12:00AM (#59036816)

    First, getting firewall configuration right is not actually that hard. A company that does not get there already has low competence in the IT security area. Second, getting BeyondCorp right is actually hard and requires a dedicated highly competent team that adjust and monitors all the time. If you cannot even get firewalls right, you have a snowball's chance in hell of getting BeyondCorp right.

    The problem is that far too many companies are either trying to do IT security on the cheap and/or do not even understand how to do it. Here is a hint: Policies do not make you more secure, but they can make you less secure. Actual security is a technological thing, not a legal one. If you have legal experts flood your companies with policies, you have already lost this fight. What you need to have instead is some actual technology experts in the security field and then you need to do what they tell you to do. And that will mean everything gets more expensive. No more ElCheapo shoddy coding, no more unreviewed software deployed, actual after-deployment and after patching hands-on security evaluations of systems and software, etc. Yes, in addition to being expensive, this requires cultural changes. But nothing less will give you a good level of security.

    • "No more ElCheapo shoddy coding, no more unreviewed software deployed, actual after-deployment and after patching hands-on security evaluations of systems and software, etc."

      That doesn't sound very Agile(tm)...

      • by gweihir ( 88907 )

        Well, I think it can work with Agile. The hardest thing is probably to get hardcore security experts that can code, understand crypto, understand software architecture, etc. and are then part of the ongoing efforts. These person can review code shortly after it is written, can take part in architecture and design, and doing an exposure test and reviews of the planned deployment does not need to delay that deployment much.

        That said, there are not many security experts that can code. Most can not. Even worse,

    • Most companies have separation of responsibilities across different teams, especially when critical things like firewall are concerned.

      This causes two problems:the person configuring the firewall does not really understand or care about what the servers are doing, and it causes signinificant overhead for server owners to perform changes.
      This inevitably leads to laxer configuration than required or incorrect configuration on general.

Children begin by loving their parents. After a time they judge them. Rarely, if ever, do they forgive them. - Oscar Wilde

Working...