So here is what we know about financial services giant JPMorgan Chase being hacked. The facts are that we are very short on facts.
As of this writing, all we really know is that JPMorgan Chase has launched an investigation after its IT staff discovered malicious software in the bank’s network, a telltale sign of a cyber attack. The bank has not revealed the severity of the attack. However, stories in Bloomberg News and The New York Times said Russian hackers not only attacked JPMorgan Chase in August but possibly also hit four other U.S. banks in a string of coordinated attacks.
As a result, in a tersely worded statement, FBI spokesman Joshua Campbell said, "We are working with the United States Secret Service to determine the scope of recently reported cyber attacks against several American financial institutions."
As I have mentioned in previous cyber attack stories, when these things happen my inbox gets swamped with observations from experts in the security field. I have culled through the comments and feel that several of them are worth sharing, even at this early stage of finding out precisely what happened. Below are some of the ones that resonated. You will see they each make similar, but certainly not identical, observations.
Richard Blech, president of Secure Channels Inc. (www.securechannels.com):
“Banks are one of the most vulnerable and quite possibly the most sought-after targets for hackers worldwide. JP Morgan getting hacked is just another in the epidemic of security breaches that are occurring on an almost daily basis. Most risk analysts preach that securing the perimeter or endpoint is the most secure way to prevent breaches, but the hackers are winning handily against that lone barrier. Part of that reason is the fact that the most serious breaches come from within and not outside the perimeter. The reality is that there is almost no way to prevent the intrusion and to avoid your data getting stolen. The answer is to secure your data with the highest level of encryption possible and render said stolen data completely useless to the thief. With unhackable encryption wrapped around your data, the hacker is left with a bunch of useless bits and bytes.”
Scott Goldman, CEO of TextPower (www.textpower.com):
"Hackers, whether they're from Russia or Rochester, will always steal passwords. It's a fact of life that the companies that store them and the users who use them can no longer avoid. There's a simple, clear solution to this problem that will soon become the norm: don't use passwords. Other forms of authentication are available and should be employed by any company with data that's worth stealing -- and that's every company. Security strategies almost always ignore the obvious; there are perimeter protections, router protections, alerts, alarms and red lights everywhere but the simplest protection for users -- who are the lifeblood of these enterprises -- can be easily accomplished by using one of the new updated forms of authentication. Any company not upgrading their systems to these additional, secure authentication steps into the user login process is doing a disservice to their customers."
Philip Lieberman, President of Lieberman Software (www.liebsoft.com):
“The ability to overcome the typical financial defense-in-depth strategy outlined by JPMorgan points to capabilities that go beyond criminal activity and are in the realm of nation-state capabilities. JPMorgan and similar entities employ sufficient technology to protect themselves from criminals, but typically fail to invest enough in technology and process to shield themselves from a nation-state’s ability to access their systems at will. The lesson to be learned is that the financial services sector needs to up its cyber security game to move up from commercial security to military level security. Most banks are focused on obtaining passing grades from internal and government cyber security auditors, but fail to place enough emphasis on the real and constant threats from the outside.
“The takeaway message is that most of the financial services sector has little to no protection from nation-state attacks and is not willing to spend the money to protect themselves, nor do they have senior leadership capable of redesigning their organizations for secure operation against nation-states. The USA financial sector has much better security than other areas of the world by far, but without significant rethinking and redesign, it will struggle to survive against nation-states. The existing security standards and best practices are not designed to help companies defend themselves against nation-states. That is not to say that companies are not operating at a level capable of defending themselves against nation-states, only that the official best practices and standards provide little guidance or requirements that would lead to a company surviving an attack.”
Jonathan Sander, Strategy & Research Officer, STEALTHbits Technologies (www.stealthbits.com):
“It’s not so surprising that corporations that are financially larger than most states are targets of state-sponsored hacking. The question I ask is, how long before corporations are calling on government or military resources to help shield them from this sort of attack? I doubt the government or even the military could do more than these banks given how much the banks spend in time and effort on security. But either out of a genuine sense of entitlement to protection or an attempt to spread blame, I would think we’ll see corporations making calls for better protection. It could even augment the net neutrality debates – ‘shouldn’t there be specially protected resources on the net?’ becomes a question one could ask.”
Sharon Vardi, CMO, Securonix (www.securonix.com):
“At JPMorgan Chase it looks like the attackers took advantage of a vulnerability in one of the customer facing apps that the bank uses to provide service to its customers. This type of sophisticated attack would appear to the security team like valid transactions done by banking customers walking in the virtual front door of the bank to consume banking services. As has been true for most sophisticated attacks we have been seeing against American corporations lately, these attackers are very well funded and have the means to carry out their attacks mostly undetected until after the damage is done. The sophisticated attackers will make it past the firewall and into a company’s data, take on what would seem like a valid user identity and execute their attack posing as valid users. The big question is how do you detect them once they are in, having taken on a valid identity or multiple identities that they use to carry out the attacks before significant damage is done? The way to ensure that these types of attacks are foiled early on is to leverage behavioral profiling technology that knows what normal behavior is and looks for anomalies. For instance, if a banking customer normally performs a certain number of transactions per month and is suddenly performing multiple transactions in a single day then that should be flagged and investigated in real time to make sure that the account has not been hijacked or compromised.
The attackers have the advantage in that they get to choose who to attack, what resources to go after, how and when. Companies are using static defenses against these attacks and can’t predict where the next attack will come from and what the attackers will try to go after.”
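The per-customer baseline Vardi describes (a quiet account that normally sees a handful of transactions a month suddenly doing several in one day) can be sketched as a small detection routine. This is an added example written for this article, not code from Securonix or JPMorgan; the customer ids, dates and transaction counts are constructed, and the z-score threshold with an absolute floor is an assumed design choice:

```python
"""Per-customer transaction-velocity baseline with anomaly flagging."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

def build_history(start, days):
    """Constructed sample log of (day, customer_id) tuples, not real bank data.
    C1001 is a quiet retail account (3 transactions a month); C2002 is a
    busy account alternating 4 and 6 transactions a day."""
    log = []
    for i in range(days):
        day = start + timedelta(days=i)
        if i in (2, 14, 27):
            log.append((day, "C1001"))
        log.extend([(day, "C2002")] * (4 if i % 2 == 0 else 6))
    return log

def daily_counts(log):
    """Map customer -> {day: number of transactions on that day}."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, customer in log:
        counts[customer][day] += 1
    return counts

def baseline(day_counts, history_days):
    """Mean and std-dev of daily transaction count over the history window.
    Zero-transaction days are included so a quiet customer gets a low mean."""
    samples = [day_counts.get(d, 0) for d in history_days]
    return mean(samples), pstdev(samples)

def flag_anomalies(history, today_log, history_days, z=3.0, floor=3):
    """Return {customer: (today_count, threshold)} for accounts whose activity
    today exceeds max(floor, mean + z * stdev) of their own baseline. The floor
    keeps one or two transactions on a near-idle or brand-new account from
    alerting by themselves (a zero baseline would otherwise flag anything)."""
    hist = daily_counts(history)
    flagged = {}
    for customer, per_day in daily_counts(today_log).items():
        count = sum(per_day.values())
        mu, sigma = baseline(hist.get(customer, {}), history_days)
        threshold = max(floor, mu + z * sigma)
        if count > threshold:
            flagged[customer] = (count, threshold)
    return flagged

START = date(2014, 7, 1)
HISTORY_DAYS = [START + timedelta(days=i) for i in range(30)]
HISTORY = build_history(START, 30)
WATCH_DAY = date(2014, 8, 1)
# Constructed watch-day activity: six transactions on the quiet account,
# six on the busy one, and two on an account with no history at all.
TODAY = [(WATCH_DAY, "C1001")] * 6 + [(WATCH_DAY, "C2002")] * 6 + [(WATCH_DAY, "C3003")] * 2

if __name__ == "__main__":
    for cust, (n, thr) in flag_anomalies(HISTORY, TODAY, HISTORY_DAYS).items():
        print(f"{cust}: {n} transactions today, baseline threshold {thr:.1f}")
```

Only the quiet account is flagged: the busy account's six transactions sit inside its own baseline, and the account with no history stays under the floor, which is the point of profiling each identity against itself rather than against a global rule.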
Tsion Gonen, chief strategy officer, SafeNet (www.safenet-inc.com):
“The question to ask is how much of the data was encrypted given it was sensitive financial information. What we have seen again and again with these types of attacks against banks is that breach prevention and threat monitoring alone will not keep the cyber criminals out. Companies need to focus on a defense-in-depth strategy and securing the breach, and that means using data encryption as the last line of defense. That is the only way to make the data useless to hackers and cyber criminals.”
Philip Casesa, Director of IT/Service Operations at (ISC)2 (www.isc2.org):
"Corporations are quietly (or in some cases not so quietly) engaged in asymmetric warfare with nation-states. Prior to the NSA revelations, we were led to believe that it was all China, Russia, and Iran attacking the United States unprovoked. Since we now understand that isn't true, we come to the realization that cyber attacks are now a weapon for all or most governments, and wielded for political reasons to inflict damage on economies and intellectual property. Whether this particular attack on JP Morgan Chase is government sponsored or not, the reality is that businesses and citizens will ultimately pay the price of cyber war amongst feuding governments. This just adds to the threat landscape that organizations face with hacktivists, financially-motivated hackers, and now governments engaging in posturing, spying, or influence of economic events. Certainly in the short term, spiraling costs for security, forensic investigations, and incident response will continue to be a drag on the economy and long-term business sustainability. Nation-state cyber war, much like kinetic war, eventually hurts everyone. While the destruction cyber attacks leave isn't physical, that doesn't mean it isn't real."
I saved Casesa’s comments for last, mainly because the open question is whether the trail reveals this was the work of state-sponsored hackers from Russia. Indeed, many have cited them as the source of these attacks, both because Russian hackers have been among the most active and sophisticated for several years, and because of the pressure the international community has placed on Russia as a result of the ongoing crisis in Ukraine.
All of the experts I heard from emphasized that no system is fail-safe, even those of financial institutions, which for obvious reasons have arguably the most advanced security capabilities in the commercial world. Unfortunately, that is not a thought that provides peace of mind.
What will be interesting to the security community as the investigations move forward is who did this, how, and the extent of the damage done; just as important will be the lessons learned. This means looking at what defenses were in place, how long the intrusion took to discover, what remediation steps were taken, and what additional steps can or should be taken going forward. No defense may be perfect, but the fact that this has happened to a major financial institution or institutions is going to be a wake-up call that goes well beyond the sector and is likely to be a subject of policy-maker concern.
On the latter, if this does not get politicians and regulators to re-evaluate our total national cyber security posture which goes beyond protecting government resources and things like the national electric grid, it is hard to imagine what it will take.
Edited by Rory J. Thompson