
Question

The Payment Card Industry Data Security Standard (PCI DSS) requires that a penetration test be performed at least annually or after any changes are made to segmentation controls. The required scope for these tests includes the entire cardholder data environment (CDE) perimeter, both external and internal, as well as any critical systems that may impact the security of the CDE.
Despite this and many other PCI DSS requirements with which credit-card-processing organizations must comply, Capital One fell victim to a cyber attack in 2019. You have already made the connection between the Capital One attack and cloud security. In this assignment, you will examine the attack from a pen testing lens. By exploiting a misconfiguration in Capital One's AWS Web Application Firewall (WAF), Paige Thompson allegedly stole personal information belonging to more than 100 million current and potential Capital One customers in the US, in addition to personally identifiable information (PII) belonging to more than six million Canadian customers. Thompson used her own program to scan AWS customer environments to specifically pinpoint the WAF misconfiguration and exploit it to steal privileged account credentials. In addition to stealing customer PII, Thompson used the compromised computer servers at Capital One and various other victim organizations for cryptocurrency mining. Based on the findings of its investigation, the Office of the Comptroller of the Currency (OCC) found Capital One negligent, citing the organization's failure to establish effective risk assessment processes, and subsequently fined Capital One $80 million (Pygas, 2020).

For this assignment, devise a plan for an external white box pen test. Ensure that your pen test objectives include an assessment of AWS cloud services and configurations, specifically testing for the same misconfiguration that led to the critical breach suffered by Capital One. Detail unique considerations that must be taken into account when pen testing in AWS. Use the AWS Customer Support Policy on Penetration Testing to ensure your plan is in compliance with the specifications.
Resources
Everything We Know about the Capital One Hacking Cases So Far, by Lily Hay Newman
AWS Customer Support Policy for Penetration Testing
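The question says only that a WAF misconfiguration let the attacker "steal privileged account credentials" and asks for a plan that tests for the same misconfiguration. The example below is added here; it is not part of the assignment or of any Capital One or AWS material. It assumes the publicly reported attack chain, which the page itself does not spell out: a request forged through the WAF host reached the EC2 instance metadata service (IMDS), which under IMDSv1 returns the attached instance role's temporary credentials to any unauthenticated GET. The function audits the IMDSv2 controls AWS later introduced (`HttpTokens` set to `required`, and a PUT response hop limit of 1) over a constructed sample shaped like `ec2:DescribeInstances` output, and builds the AWS CLI remediation call; in a real white-box engagement the same function would be fed the output of boto3's `describe_instances()`.

```python
"""Offline audit for the EC2 metadata-service exposure behind the Capital One breach.

Assumption (not stated on the page): the attacker's forged request reached the
EC2 instance metadata service (169.254.169.254), which under IMDSv1 hands the
instance role's temporary credentials to any plain GET. IMDSv2 enforcement
(HttpTokens == "required") needs a session token obtained with a PUT, and a
HttpPutResponseHopLimit of 1 stops that token being relayed through a proxy
or container back to the attacker.

SAMPLE_DESCRIBE_INSTANCES is constructed test data that mirrors the shape of
ec2:DescribeInstances output; it does not come from any real account.
"""
from typing import Dict, List

SAMPLE_DESCRIBE_INSTANCES: Dict = {  # constructed sample data
    "Reservations": [
        {
            "Instances": [
                {   # role attached, IMDSv1 allowed, token may cross a proxy: the breach shape
                    "InstanceId": "i-0aaa111",
                    "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/waf-role"},
                    "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                        "HttpPutResponseHopLimit": 2},
                },
                {   # role attached but IMDSv2 enforced with hop limit 1: passes
                    "InstanceId": "i-0bbb222",
                    "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/app-role"},
                    "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                        "HttpPutResponseHopLimit": 1},
                },
                {   # no role: IMDSv1 discloses instance metadata but no credentials
                    "InstanceId": "i-0ccc333",
                    "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                        "HttpPutResponseHopLimit": 1},
                },
                {   # metadata endpoint disabled entirely: nothing reachable
                    "InstanceId": "i-0ddd444",
                    "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/batch-role"},
                    "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                        "HttpPutResponseHopLimit": 1},
                },
            ]
        }
    ]
}


def audit_imds(describe_output: Dict) -> List[Dict]:
    """Return one finding per instance whose metadata service could feed an SSRF."""
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS unreachable, no exposure
            has_role = "IamInstanceProfile" in inst
            v1_allowed = opts.get("HttpTokens") != "required"
            hop_limit = opts.get("HttpPutResponseHopLimit", 1)
            issues = []
            if v1_allowed:
                issues.append("IMDSv1 allowed: HttpTokens is not 'required'")
            if hop_limit > 1:
                issues.append(f"HttpPutResponseHopLimit={hop_limit}: IMDSv2 token can be "
                              "relayed through a proxy or container")
            if not issues:
                continue
            if v1_allowed and has_role:
                severity = "high"    # unauthenticated GET returns role credentials
            elif v1_allowed:
                severity = "medium"  # metadata disclosure only, no credentials today
            else:
                severity = "low"
            findings.append({"InstanceId": inst["InstanceId"], "severity": severity,
                             "has_role": has_role, "issues": issues})
    return findings


def remediation_command(instance_id: str) -> str:
    """AWS CLI call that enforces IMDSv2 and a hop limit of 1 on one instance."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            "--http-endpoint enabled --http-tokens required --http-put-response-hop-limit 1")


if __name__ == "__main__":
    for f in audit_imds(SAMPLE_DESCRIBE_INSTANCES):
        print(f"[{f['severity'].upper()}] {f['InstanceId']} role_attached={f['has_role']}")
        for issue in f["issues"]:
            print("   -", issue)
        print("   fix:", remediation_command(f["InstanceId"]))
```

Two planning notes follow from this. First, enforcing IMDSv2 only closes the credential theft step; the plan should also test the WAF host's instance role against least privilege (it should have no reason to list or read customer-data S3 buckets). Second, the AWS Customer Support Policy for Penetration Testing lets you test your own EC2 instances and several other services without prior approval, but it forbids DoS/DDoS simulation, DNS zone walking, and port, protocol or request flooding, so an SSRF probe against your own instances is in bounds while volumetric scanning of AWS infrastructure is not.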
