Answered step by step
Verified Expert Solution
Link Copied!

Question

1 Approved Answer

The Payment Card Industry Data Security Standard ( PCI DSS ) requires that a penetration test be performed at least annually or after any changes

The Payment Card Industry Data Security Standard (PCI DSS) requires that a penetration test be performed at least annually or after any changes are made to segmentation controls. The required scope for these tests includes the entire cardholder data environment (CDE) perimeter, both external and internal, as well as any critical systems that may impact the security of the CDE.
Despite this and many other PCI-DSS requirements with which credit card-processing organizations must comply, Capital One fell victim to a cyber attack in 2019. You have already made the connection between the Capital One attack and cloud security. In this assignment, you will examine the attack from a pen testing lense. By exploiting a misconfiguration in Capital One's AWS Web Application Firewall (WAF), Paige Thompson allegedly stole personal information belonging to more than 100 million current and potential Capital One customers in the US, in addition to personally identifiable information (PII) belonging to more than six million Canadian customers. Thompson used her own program to scan AWS customer environments to specifically pinpoint the WAF misconfiguration and exploit it to steal privileged account credentials. In addition to stealing customer PII, Thompson used the compromised computer servers at Capital One and various other victim organizations for cryptocurrency mining. Based on the findings of its investigation, the Office of the Comptroller of the Currency (OCC) found Capital One negligent, citing the organization's failure to establish effective risk assessment processes, and subsequently fined Capital One $80 million (Pygas,2020). For this assignment, devise a plan for an external white box pen test. Ensure that your pen test objectives include an assessment of AWS cloud services and configurations, specifically testing for the same misconfiguration that led to the critical breach suffered by Capital One. Detail unique considerations that must be taken into account when pen testing in AWS. Use the AWS Customer Support Policy on Penetration Testing to ensure your plan is in compliance with the specifications.
Resources
Everything We Know about the Capital One Hacking Cases So Far B, by Lily Hay Newman
AWS Customer Support Policy for Penetration Testing E

Step by Step Solution

There are 3 Steps involved in it

Step: 1

blur-text-image

Get Instant Access to Expert-Tailored Solutions

See step-by-step solutions with expert insights and AI powered tools for academic success

Step: 2

blur-text-image_2

Step: 3

blur-text-image_3

Ace Your Homework with AI

Get the answers you need in no time with our AI-driven, step-by-step assistance

Get Started

Recommended Textbook for

Database Systems Design Implementation And Management

Authors: Carlos Coronel, Steven Morris

14th Edition

978-0357673034

More Books

Students also viewed these Databases questions

Question

9. Make sure goals are internalized and accepted by the athlete.

Answered: 1 week ago