Question
The Payment Card Industry Data Security Standard (PCI DSS) requires that a penetration test be performed at least annually or after any changes are made to segmentation controls. The required scope for these tests includes the entire cardholder data environment (CDE) perimeter, both external and internal, as well as any critical systems that may impact the security of the CDE.

Despite this and many other PCI DSS requirements with which credit card-processing organizations must comply, Capital One fell victim to a cyber attack in . You have already made the connection between the Capital One attack and cloud security. In this assignment, you will examine the attack from a pen testing lens.

By exploiting a misconfiguration in Capital One's AWS Web Application Firewall (WAF), Paige Thompson allegedly stole personal information belonging to more than million current and potential Capital One customers in the US, in addition to personally identifiable information (PII) belonging to more than six million Canadian customers. Thompson used her own program to scan AWS customer environments to specifically pinpoint the WAF misconfiguration and exploit it to steal privileged account credentials. In addition to stealing customer PII, Thompson used the compromised computer servers at Capital One and various other victim organizations for cryptocurrency mining. Based on the findings of its investigation, the Office of the Comptroller of the Currency (OCC) found Capital One negligent, citing the organization's failure to establish effective risk assessment processes, and subsequently fined Capital One $ million (Pygas).

For this assignment, devise a plan for an external white box pen test. Ensure that your pen test objectives include an assessment of AWS cloud services and configurations, specifically testing for the same misconfiguration that led to the critical breach suffered by Capital One. Detail unique considerations that must be taken into account when pen testing in AWS. Use the AWS Customer Support Policy on Penetration Testing to ensure your plan is in compliance with the specifications.
Resources
Everything We Know about the Capital One Hacking Cases So Far, by Lily Hay Newman
AWS Customer Support Policy for Penetration Testing
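The assignment asks the plan to test for "the same misconfiguration", which the question describes only as a WAF misconfiguration that yielded privileged credentials. In the public record of the case (the cited Wired article covers it), the WAF host was used as a server-side request forgery pivot to the EC2 instance metadata service at 169.254.169.254, which returns the temporary credentials of whatever IAM role is attached to the instance. The AWS-side condition that makes such an SSRF pay off is therefore: metadata endpoint enabled, IMDSv1 still answering plain GET requests (HttpTokens not "required"), and an instance profile attached. The script below is an added example written for this page, not code from the assignment, from any answer, or from AWS; it runs the audit as a pure function over the structure that boto3's `describe_instances()` returns, with a constructed sample so it executes offline, plus an `audit_live()` wrapper for a real account. Instance IDs, account number and profile names in the sample are made up. Because the live path only issues read-only `ec2:DescribeInstances` calls, it is a configuration review rather than simulated attack traffic; the SSRF probe itself against the WAF is the part of the plan that must be scoped under the AWS pen testing policy.

```python
"""Audit EC2 instances for the metadata-service exposure behind the Capital One breach.

IMDSv1 answers any GET to 169.254.169.254, so a GET-only SSRF through a proxy or WAF
host can read /latest/meta-data/iam/security-credentials/<role>.  IMDSv2 requires a
session token obtained with a PUT plus a custom header, which a plain GET-only SSRF
cannot obtain.  This flags instances that still allow IMDSv1 *and* carry an instance
profile, i.e. the combination that turns SSRF into credential theft.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    instance_id: str
    profile_arn: str
    http_tokens: str      # "optional" = IMDSv1 allowed, "required" = IMDSv2 only
    hop_limit: int        # >1 lets containers on the host reach IMDS as well


def audit_reservations(reservations: Iterable[dict]) -> list[Finding]:
    """Walk a describe_instances() 'Reservations' list and return risky instances.

    An instance is flagged when:
      * its metadata endpoint is enabled,
      * HttpTokens is not "required" (IMDSv1 still answers plain GETs), and
      * an IAM instance profile is attached (so there are credentials to steal).
    """
    findings = []
    for res in reservations:
        for inst in res.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") != "enabled":
                continue                       # IMDS off entirely: nothing to fetch
            tokens = opts.get("HttpTokens", "optional")   # AWS default is "optional"
            profile = inst.get("IamInstanceProfile", {}).get("Arn")
            if tokens != "required" and profile:
                findings.append(Finding(
                    instance_id=inst["InstanceId"],
                    profile_arn=profile,
                    http_tokens=tokens,
                    hop_limit=int(opts.get("HttpPutResponseHopLimit", 1)),
                ))
    return findings


def audit_live(region: str = "us-east-1") -> list[Finding]:
    """Same check against a real account (needs boto3 and read-only ec2:DescribeInstances)."""
    import boto3                               # imported lazily so offline runs need no SDK
    ec2 = boto3.client("ec2", region_name=region)
    reservations = []
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    return audit_reservations(reservations)


# Constructed sample in the shape boto3's describe_instances() returns (made-up IDs, not real data).
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {   # WAF / reverse-proxy host: IMDSv1 allowed + role attached -> flagged
            "InstanceId": "i-0aaa000000000001",
            "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/waf-role"},
            "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                "HttpPutResponseHopLimit": 2},
        },
        {   # Hardened: IMDSv2 only -> not flagged even though a role is attached
            "InstanceId": "i-0aaa000000000002",
            "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/app-role"},
            "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                "HttpPutResponseHopLimit": 1},
        },
        {   # IMDSv1 allowed but no role: SSRF yields no credentials -> not flagged
            "InstanceId": "i-0aaa000000000003",
            "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"},
        },
    ]},
]

if __name__ == "__main__":
    for f in audit_reservations(SAMPLE_RESERVATIONS):
        print(f"{f.instance_id}: IMDSv1 allowed ({f.http_tokens}), role {f.profile_arn}, "
              f"hop limit {f.hop_limit}")
```

Each finding is a concrete remediation item for the report: `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required` enforces IMDSv2 on the instance, and the role's policy should be reviewed for the broad S3 access that made the stolen credentials valuable. The hop limit is recorded because a value above 1 also exposes the endpoint to containers running on the host.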