The fact that there are daily, targeted cyber-attacks on financial institutions should come as no surprise, but the revelation that JPMorgan Chase (and at least four other unnamed banks) have had their walls breached by a group of Russian hackers points out the ongoing complexity—and some would say futility—in maintaining adequate multi-layered defenses as those attacks get smarter and better-funded.
The FBI is working with JPMC to uncover the extent of the damage, but the attacks are said to have been carried out by Eastern European criminals. Whether this was done for profit or for espionage purposes is not yet clear, though the FBI has called the skill associated with the attack “far beyond the capability of ordinary criminal hackers,” leading many to conclude that the action was state-sponsored.
The attack vector is muddy as well. Various sources have told media that it was either initiated by a zero-day exploit, or via the exploitation of an unsecured employee using a VPN to gain access to a secured network.
“There’s certainly a possibility this was all executed through spear-phishing campaigns for unpatched vulnerabilities that commonly impact the security of web browsers, office suites and other client-facing software,” Mark Stanislav, security evangelist at Duo Security, told Infosecurity. “While it seems hard to believe, large organizations can be breached through something as simple as a well-targeted e-mail to steal credentials or otherwise impact operational security.”
For the moment, though, the situation is long on optics and short on specifics.
In any event, the main point is that the banking giant did confirm that personal information has been compromised, and that despite its best efforts to thwart almost-daily attacks, the defenses simply didn’t hold.
The takeaway? Greg Kazmierczak, CTO at Wave Systems, summed it up: “There is no such thing as fool-proof security; especially when the attacker is well-funded, highly skilled and highly motivated.” In other words, without a significant change in strategy, ultimate resistance to high-level attacks is, well, futile.
JPMC CEO Jamie Dimon said in the firm's 2013 annual report that the bank will spend more than $250 million and devote about 1,000 people specifically to cybersecurity this year, including the building of three regional state-of-the-art cybersecurity operations centers. So, the company can’t be accused of not investing in consumer safety. But clearly, incidents are increasingly inevitable, as Dimon himself pointed out.
"We're making good progress on these and other efforts, but cyber-attacks are growing every day in strength and velocity across the globe," Dimon said in the report. "It is going to be a continual and likely never-ending battle to stay ahead of it — and, unfortunately, not every battle will be won. Rest assured that we will stay vigilant and do what we need to do to enhance our defenses and protect our company."
Eric Chiu, president and co-founder of HyTrust, said in an email that the ramifications of this are “scary.”
“The potential breach at JPMC is scary given that it is one of the largest banks with highest levels of security,” he explained. “Breaches are happening almost daily with recent headlines at Community Health, eBay, Target, Michael's Stores and many others. This highlights the fact that outside attackers are sophisticated and well-funded, and that every organization is a target for breach. It’s also a wake-up call that companies need to make security a priority in order to protect their most sensitive data. In addition, companies really need to think about an 'inside-out' model of security and assume the bad guys are already on the network.”
That’s a sentiment echoed by other security experts.
“This particular hack isn’t so much about banks not having the right security in place – JPMorgan has multiple layers of defense to counteract threats and constantly monitor fraud levels,” George Anderson, director of product marketing at internet security firm Webroot, explained in a note. “Instead, this highlights the speed, level of intelligence and the modern, more ‘hidden’ nature of cybercrime. Five years ago, these hackers would have wanted to go in with a bang. They would likely have hacked the system, stolen maximum data, damaged systems and so on. This was different – it was a quick strike designed to go as unnoticed as possible, which caught even major banks off-guard.”
So what’s to be done? A shift in strategy, for one, to an almost Cold War-esque cat-and-mouse vigilance.
“As attackers get ever more sophisticated, defenders need to ‘war-game’ continuously just to make sure their complex infrastructure hasn’t opened up a new hole,” said Mike Lloyd, CTO at RedSeal Networks. “The next stage in the arms race, for both attackers and defenders, is automation – not just searching for gaps, but figuring out the consequences of those gaps, in much the same way that generals study a battlefield before the battle starts.”
Profiling is another critical piece that has so far been missing from defensive measures, and doing it in real time requires an architectural shift, some say. “The only way we are really going to beat cybercrime is by understanding why hackers are targeting certain organizations, what their aim is and how they are getting in,” said Anderson. “It’s that kind of holistic view of cybercrime that’s needed, which is why cloud-based security is so vital. A cloud-based system which is constantly monitoring, analyzing and sharing information on cyber-attacks in real-time is a vital cog in the delivery of actionable information to improve any cyber-defense machine.”
In practice, profiling is fairly straightforward: it’s done by dynamically analyzing what normal behavior is and then looking for anomalies, Sharon Vardi, CMO at Securonix, told Infosecurity. “For instance, if a banking customer normally performs a certain number of transactions per month and is suddenly performing multiple transactions in a single day then that should be flagged and investigated in real-time to make sure that the account has not been hijacked or compromised,” she explained. “The attackers have the advantage in that they get to choose who to attack, what resources to go after, how and when. Companies are using static defenses against these attacks and can’t predict where the next attack will come from and what the attackers will try to go after.”
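The profiling rule Vardi describes, as an added illustration in Python (not code from the article or from Securonix): a per-account baseline of daily transaction counts is learned from a window of past days, and any later day whose count exceeds that baseline is flagged for investigation. The account names, dates and amounts below are constructed.

```python
"""Behavioral baseline and anomaly flagging for per-account transaction counts.

Constructed example: the baseline is the mean and standard deviation of an
account's daily transaction count over a window of past days (inactive days
count as zero); a later day is flagged when its count exceeds the baseline.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev


def daily_counts(transactions):
    """Group (account, date, amount) records into {account: {date: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for account, day, _amount in transactions:
        counts[account][day] += 1
    return counts


def build_baseline(per_day, window):
    """Mean and population stdev of one account's daily count over the window."""
    series = [per_day.get(day, 0) for day in window]
    return mean(series), pstdev(series)


def flag_anomalous_days(transactions, baseline_start, baseline_end, z=3.0, floor=3):
    """Return (account, date, count, threshold) for days after the baseline window
    whose count exceeds max(mean + z*stdev, floor). The floor keeps very quiet
    accounts (stdev near zero) from being flagged on a single extra transaction."""
    counts = daily_counts(transactions)
    window = [baseline_start + timedelta(days=i)
              for i in range((baseline_end - baseline_start).days + 1)]
    flagged = []
    for account, per_day in counts.items():
        mu, sigma = build_baseline(per_day, window)
        threshold = max(mu + z * sigma, floor)
        for day, count in sorted(per_day.items()):
            if day > baseline_end and count > threshold:
                flagged.append((account, day, count, round(threshold, 2)))
    return flagged


def constructed_log():
    """Constructed sample log (account, date, amount); not real bank data."""
    log = [("acct-1001", date(2014, 8, d), 40.0 + d) for d in (2, 6, 10, 15, 20, 25)]
    for d in range(1, 32):  # acct-2002: a steady two transactions every day
        log += [("acct-2002", date(2014, 8, d), 12.5), ("acct-2002", date(2014, 8, d), 8.0)]
    log += [("acct-1001", date(2014, 8, 30), 9.99 + i) for i in range(7)]  # sudden burst
    return log


def demo():
    """Baseline on Aug 1-28, score the remaining days; dates returned as ISO strings."""
    hits = flag_anomalous_days(constructed_log(), date(2014, 8, 1), date(2014, 8, 28))
    return [(acct, day.isoformat(), count, thr) for acct, day, count, thr in hits]
```

Only acct-1001's burst of seven transactions on 30 August is flagged; acct-2002's two-a-day pattern matches its own baseline and passes.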
But that’s the problem: most financial-sector cyber-investment is in static, and well-worn, well-understood defenses.
“The ability to overcome the typical financial defense-in-depth strategy outlined by JPMorgan points to capabilities that go beyond criminal activity and are in the realm of nation state capabilities,” said Philip Lieberman, president of Lieberman Software, in an email. “JPMorgan and similar entities employ sufficient technology to protect themselves from criminals, but typically fail to invest enough in technology and process to shield themselves from nation state’s ability to access their systems at will. The lesson to be learned is that the financial services sector needs to up its cyber security game to move up from commercial security to military level security. Most banks are focused on obtaining passing grades from internal and government cyber security auditors, but fail to place enough emphasis on the real and constant threats from the outside.”
As for the fallout from the breach, it remains to be seen how bad it will be. “The question to ask is how much of the data was encrypted given it was sensitive financial information,” said Tsion Gonen, chief strategy officer at SafeNet, in an email. “What we have seen again and again with these types of attacks against banks is that breach prevention and threat monitoring alone will not keep the cyber-criminals out. Companies need to focus on a defense-in-depth strategy and securing the breach, and that means using data encryption as the last line of defense. That is the only way to make the data useless to hackers and cybercriminals.”