Another Breach: What Capital One Could Have Learned From Google's 'BeyondCorp'

"Firewalls can be notoriously and fiendishly difficult to configure correctly, and often present a target-rich environment for successful attacks," writes long-time Slashdot reader Lauren Weinstein.

"The thing is, firewall vulnerabilities are not headline news -- they're an old story, and better solutions to providing network security already exist." In particular, Google's "BeyondCorp" approach is something that every enterprise involved in computing should make itself familiar with. Right now! BeyondCorp techniques are how Google protects its own internal networks and systems from attack, with enormous success.

In a nutshell, BeyondCorp is a set of practices that effectively puts "zero trust" in the networks themselves, moving access control and other authentication elements to individual devices and users. This eliminates traditional firewalls (and in nearly all instances, VPNs) because there is no longer any need for such devices or systems that, once breached, give an attacker access to internal goodies.

If Capital One had been following BeyondCorp principles, there'd likely be 100+ million fewer potentially panicky people today.

They learned everything they needed from

[rsilvergun]

Equifax. There's no penalty for lax security but there is a cost for good security.

Re:

[Anonymous Coward]

They learned everything they needed from Equifax

From a repercussions standpoint, sure.

But from a technical standpoint they are two very different things.
With Equifax the initial entry point was gained due to an exploit in the software, where Capital One was due to user error and a misconfiguration.

I hate to point at Google's success at security and say this isn't a cure-all, but the problem with local access controls and such is that you need to trust the software actually works as intended, and an exploit is the software not doing exactly that.

This appr

Re:

[gweihir]

Indeed. Unless and until CEOs personally bleed when they have screwed up this badly nothing is going to change. Yes, securing the IT is ultimately the CEOs job, and nobody else's.

Re:

[iserlohn]

Beyond corp is more or less a 2-factor reverse-proxy SSL VPN configured based on the zero trust network model. It's nothing special at all. You could have the same functionality with a Pulse or Citrix Netscaler box.

Interesting

[93 Escort Wagon]

There seems to be a fair bit of positive-spin Google stuff on Slashdot lately. Is it just coincidence (since they are obviously a huge ad/tech company with their fingers in a lot of pies), or is Google working on sprucing up its image?

Re:

[JackieBrown]

They are sprucing up their imagine to counter their already abysmal reputation which was only made worse by their executives talking about fixing the next election.

Still, on a technical level, their security solution is pretty interesting.

Re:

[JustAnotherOldGuy]

which was only made worse by their executives talking about fixing the next election.

Cool spin, but that's not what they were saying.

If you read what they actually said instead of what Brietbart and Fox News claims they said, they were discussing ways to counter the overwhelming number of bots (and their dumbfuck human counterparts) spreading fake news and disinformation, which was a major factor in Trump getting elected.

That, combined with tampering with voter records and other forms of voter suppression paved the way for the election to be thrown.

Go ahead, mod me down, it won't change the

Re:

[omnichad]

The one with the penchant for straw?

Re:

[phantomfive]

) spreading fake news and disinformation, which was a major factor in Trump getting elected.

Was it? As far as I can tell, the single most important thing was when Hillary called a bunch of people "Deplorables" and they and their neighbors took it personally. The northeast seemed to swing towards Trump primarily based on that.

Re:Interesting

[kqs]

Was it? As far as I can tell, the single most important thing was when Hillary called a bunch of people "Deplorables" and they and their neighbors took it personally. The northeast seemed to swing towards Trump primarily based on that.

So, if I understand: Hillary insulted people once. And people were so horrified by this that they instead voted for the guy who insults people every day on twitter and in speeches.

Not sure what word I'd use to describe that state of mind. "Moronic", or "hypocritical", or maybe "deplorable"?

Re: Interesting

[phantomfive]

You need to learn the difference between "insulted people" and "insulted me." If I call you a moron, you won't appreciate it, whereas if I call Trump a moron, you'll agree with me.

Re:

[kqs]

I understand the difference between "insulting me" (awful, untrue, discrimination) and "insulting people not like me" (fine, truthful, scientific). That is a staple of conservative thinking, and is generally known as "hypocritical". I learned it when I was a toddler, though I grew out of it a few years later.

2000 years ago, a wise man said "If anyone slaps you on the right cheek, turn to them and shoot them many times because you feel threatened".

Re:

[phantomfive]

That is a staple of conservative thinking, and is generally known as "hypocritical".

ROTFL. You might as well say that conservatives are of the devil and the root of all evil. If you can't think of anything good to say about conservatives, the problem is you.

If you can't find anything bad to say about liberals, the problem is you.

Re:

[kqs]

Your comment was:

Was it? As far as I can tell, the single most important thing was when Hillary called a bunch of people "Deplorables" and they and their neighbors took it personally. The northeast seemed to swing towards Trump primarily based on that.

So thus we are talking about conservatives, and how they are fine when Trump insults others and simultaneously micro-aggressed when Hillary said that bigots are deplorable (not all conservatives, just the bigoted ones). She said that once, compared to Trump's constant stream of insults.

I have many bad things to say about liberals and good things to say about conservatives, but none that have been apropos to this discussion.

And I notice that you switched to ad hominem arguments; out of logi

Re: Interesting

[phantomfive]

You claimed that it was a trait of conservatives, where it is not. That is on you.

Re:

[AmiMoJo]

Another one just murdered 20 people in Texas, cited Trump in his manifesto. At this point I don't think words like "hypocritical" really apply, it's a whole different level of rhetorical doublethink.

Re:

[JustAnotherOldGuy]

Another one just murdered 20 people in Texas, cited Trump in his manifesto. At this point I don't think words like "hypocritical" really apply, it's a whole different level of rhetorical doublethink.

Yep, another Trumptard goes off the rails and murders a bunch of people. This morning, another one shot and killed 9 people in Dayton. And yet no one seems willing to state the obvious: they're all white, male Trump supporters, born and bred in the US.

Re:

[AmiMoJo]

The doublethink is incredible. To protect Americans from criminal immigrants, he decided to become a mass murdering criminal by killing Americans.

Re:

[kqs]

To protect white real Americans from criminal immigrants, he decided to become a hero by killing evil dark-skinned criminals.

Fixed that for you.

Re:

[JustAnotherOldGuy]

Did you even read it? The "citation" he made was that Trump had nothing to do with his beliefs.

Riiiight. I notice he didn't say not to blame Mickey Mouse or Gandhi or Justin Bieber....only not to blame Trump.

Why mention him at all if there's no connection?

Re:

[fluffernutter]

The dystopian part is that such measures are now required in order to elect someone honest, not the fact that those measures are being introduced.

Re:

[kqs]

You're right. Government transparency is a hallmark of dystopian systems, as is accountability of government officials.

You probably shouldn't use words if you don't know what they mean...

Re: Interesting

[astrofurter]

Whooooosh!

Re:Interesting

[DCFusor]

Project Veritas. That IS what they're saying. They don't shadow ban bots. https://www.youtube.com/watch?... [youtube.com] There are quite a few other examples of them (for example Jen Gennai) saying "we'll prevent any such situation as Trump in the future. And she mentions people, not bots.
Bots are a problem, yes. But far from the only one...Speaking of spin.

Re:

[AmiMoJo]

Project Veritas has lied so often as so consistently in the past, we absolutely need independent proof now. We can't take their word for it.

Is there any independent verification of any of this?

Has Project Veritas made any effort to back up their claims, e.g. by releasing the full and unedited raw video footage?

Re:

[CaptainDork]

And they should respect an admitted pussy-grabber?
Should Melainia Tramp divorce her husband?

Re: Interesting

[astrofurter]

Most people do not mind at all that President Trump is openly straight. He never was "politically correct", so there is no hypocrisy in not holding himself to politically correct standards of speech and behavior.

"Trump: Yeah, that's her. With the gold. I better use some Tic Tacs just in case I start kissing her. You know, I'm automatically attracted to beautiful -- I just start kissing them. It's like a magnet. Just kiss. I don't even wait. And when you're a star, they let you do it. You can do anything.

Bush: Whatever you want.

Trump: Grab 'em by the pussy. You can do anything."

Full transcript: https://www.nytimes.com/2016/1... [nytimes.com]

Re:

[CaptainDork]

Even better: The full tape.

Full tape with lewd Donald Trump remarks (Access Hollywood) [youtube.com]

Re: Interesting

[astrofurter]

"to counter ... dumbfuck human counterparts spreading fake news"

There is a well known term for that: silencing political dissent.

Re:

[JustAnotherOldGuy]

"to counter ... dumbfuck human counterparts spreading fake news"

There is a well known term for that: silencing political dissent.

If you think those two things are the same (or even comparable) you're probably in your mom's basement wearing a MAGA hat and fondling your new gun right now.

Re: Interesting

[astrofurter]

Is that the best you've got, Nazi? Real Americans believe in freedom of speech for everyone. Even when they disagree with what's being said.

It's just press releases

[rsilvergun]

Watch this [youtube.com] and/or this [youtube.com].

The media is fed stories by mega corps who are happy to run with them because it's free content. There's a bit of conspiracy going on (the real kind, as in two or more people working together to do bad things) too.

Re:Ridiculous.

[vux984]

My read on this is actually the opposite; they aren't getting rid of firewalls, they are adding a lot more of them, and they are simply putting them directly in front of the server instead of at the network perimeter.

So instead of authenticating to the intranet, and then from there accessing server / service X & Y & Z. Now, to connect to X, Y, or Z you have to get through the firewall in front of each on of them.

They've changed the terms a bit, and they are using the firewalls a particular way, but its basically just that.

The "advantage" is that there is no 'internal lan' that once you've breached can access everything, and in theory you can put X, Y, Z on the internet directly,... and get rid of the LAN... because you have a firewall directly in front of each of them anyway. so being on the LAN is not 'special'.

Although I have to ask why NOT layer things anyway? Defense in depth is always better.

Re:

[Antique Geekmeister]

> Whether you call them "firewalls" or something else is minutae to me

Whether they are firewalls, VPN's, or managed proxies makes a big difference in the tools used and in debugging issues. Firewalls are very helpful for blocking denial-of-service attacks. VPNs are helpful at protecting intermediate traffic from man-in-the-middle content monitoring. Managed proxies are often very useful for man-in-middle attacks, but also useful for providing user based access control.

The BeyondCorp whitepaper at https:/ [googleapis.com]

Re:

[Antique Geekmeister]

It's not a general VPN. It's only supporting very specific protocols, to very specific endpoints, based on the client's designated access rights. That's quite unusual for VPN software.

Re:

[Anonymous Coward]

Actually, NordVPN does that even in the 2$ a year client. No doubt you could get a better package for more $ but the point is it's not unusual. It's unusual for a company to do everything in-house.

But that's not why Google's security is better than a misconfigured AWS firewall, lol.

Read the Krebs take :

According to a source with direct knowledge of the breach investigation, the problem stemmed in part from a misconfigured open-source Web Application Firewall (WAF) that Capital One was using as part of its

Re:

[Antique Geekmeister]

Excuse me, but I didn't say a word about the specifics of the Capital One attack. I commented only on the nature of what Google is using, nor did I say _anything_ about port knocking, nor did I say anything about port knocking being the only solution to _any_ problem. You seem to be responding to some message other than what I wrote.

Re:

[gweihir]

Indeed. But getting these per-machine firewalls right is harder than getting a perimeter right. If you cannot even make the perimeter work, how are you supposed to get this right?

Re:

[vux984]

"But 'firewall', to me at least, implies a bunch of rules with port numbers and so on."

If you the VPN server as part of the firewall infrastructure then it makes more sense. This isn't unreasonble as its built into or runs on pretty much anything with firewall services from SonicWall to Fortigate to Meraki/Cisco to Netgate (pfsense)...

And that gets you into certificates and credentials territory.

Someone needs a security 101 course

[Zero__Kelvin]

The idea of having a firewall on each computer and none between the LAN and the DMZ isn't just stupid, it would be pure incompetence. The point is that you shouldn't have *just* the one, or *just* the other. It is called defense in depth. You need both and a whole lot more and I highly doubt google misunderstands this in the same way as our resident incompetent blogger Weinstein does.

Re:

[phantomfive]

Their point (I don't know about the article) is that you should have services that are only accessible inside of the firewall. Instead, each service is accessible with the correct token from anywhere. Then it is up to the owners of the service who to give access to (or something like that. I only have so much time to devote to reading Google security docs today, sorry).

This of course sounds like an HTTPS access scheme, and originally they did try to force everything into HTTP, but they quickly realized t

Re:

[gweihir]

The other thing is that this is hard to get right. If you do not even manage to get the perimeter firewall right, how on earth are you supposed to get this more complex thing right?

BeyondCorp isn't Google's answer

[scdeimos]

When you own the world's most popular search engine[1] you can just hide any news of breaches of your network.

1. According to their own press.

No chance

[gweihir]

First, getting firewall configuration right is not actually that hard. A company that does not get there already has low competence in the IT security area. Second, getting BeyondCorp right is actually hard and requires a dedicated highly competent team that adjust and monitors all the time. If you cannot even get firewalls right, you have a snowball's chance in hell of getting BeyondCorp right.

The problem is that far too many companies are either trying to do IT security on the cheap and/or do not even understand how to do it. Here is a hint: Policies do not make you more secure, but they can make you less secure. Actual security is a technological thing, not a legal one. If you have legal experts flood your companies with policies, you have already lost this fight. What you need to have instead is some actual technology experts in the security field and then you need to do what they tell you to do. And that will mean everything gets more expensive. No more ElCheapo shoddy coding, no more unreviewed software deployed, actual after-deployment and after patching hands-on security evaluations of systems and software, etc. Yes, in addition to being expensive, this requires cultural changes. But nothing less will give you a good level of security.

Re: No chance

[astrofurter]

"No more ElCheapo shoddy coding, no more unreviewed software deployed, actual after-deployment and after patching hands-on security evaluations of systems and software, etc."

That doesn't sound very Agile(tm)...

Re:

[gweihir]

Well, I think it can work with Agile. The hardest thing is probably to get hardcore security experts that can code, understand crypto, understand software architecture, etc. and are then part of the ongoing efforts. These person can review code shortly after it is written, can take part in architecture and design, and doing an exposure test and reviews of the planned deployment does not need to delay that deployment much.

That said, there are not many security experts that can code. Most can not. Even worse,

Re:

[loufoque]

Most companies have separation of responsibilities across different teams, especially when critical things like firewall are concerned.

This causes two problems:the person configuring the firewall does not really understand or care about what the servers are doing, and it causes signinificant overhead for server owners to perform changes.
This inevitably leads to laxer configuration than required or incorrect configuration on general.