Not just JP Morgan Chase but at least four other banks were recently struck by hackers in a series of well-planned, coordinated attacks, according to people briefed on the ongoing investigation. The hackers not only infiltrated the banks' networks but also siphoned off gigabytes of data, including savings and checking account information.
Normally, when we analyze any hack or attempted hack, the first question that comes to mind is: how was it carried out? However, many organizations are not forthcoming about the exact method by which their IT security was breached and how their costly security appliances were caught napping.
The same is true in this case: not much has been divulged. All we know is that, along with JP Morgan Chase, at least four other banks were breached. One bank being breached is understandable, but more than four? The count itself is enough to conclude that some other entity is involved, a common entity that has access to all these banks. In the past, too, we have seen third-party involvement lead to a downfall, and we are fairly sure that the scenario is not much different in this case.
Most big organizations may have the best security appliances and a team of security experts working for them. However, when it comes to extending that security cover to the entities to which they have outsourced many of their sensitive data-related tasks, there seems to be a gray area. It is this gray area that hackers have been attacking with a high success rate.
Is it a lack of finances or plain ignorance? To save a few million dollars and a few HR-related headaches, organizations prefer to outsource numerous tasks, and outsourcing is in reality a huge business. On the other hand, when we look at the cons, one data breach will wipe out the entire organization, or at the least wipe out the profits accrued through outsourcing.
There have been numerous instances in which the third party itself showed a lackadaisical attitude toward incorporating security, acting on security advisories, or following security norms.
Outsourcing provides great opportunities. However, all the parties concerned have to understand that security is only as strong as the weakest link.
Whenever a third party has been attacked, it has always been due to spear phishing, malware/Trojan or a web-based vulnerability. However, from the perspective of IDS/IPS, when we take a closer look at the method of attack, all of these forms of attack are supposed to trigger an alarm unless either these systems have been shut down or a zero-day has been used.
It is highly unlikely that a zero-day was used in this attack, for the simple reason that more than one bank was breached, and the possibility of all the banking networks having the same vulnerability is next to zero.
Secondly, a lot of questions arise when we realize that gigabytes of data were siphoned off. Present-day security alerting systems are advanced enough to detect anomalous bandwidth usage, and it is surprising that the attack was detected only after huge chunks of data had been transferred. A few questions that come to mind are:
1: Did the alerting systems issue an alert which was later on dismissed as a false positive?
2: Did the attackers stay well under the radar, which would again raise more questions about the timeline?
3: Did the hackers know about the internal security, so as to remain undetected for such a long period of time, which allowed them not only to transfer data but also to gain a foothold in the internal network?
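To make the second question concrete, the following added example (not part of the original article) shows how a transfer can stay under a per-hour bandwidth alert and still move gigabytes, and how a cumulative check over a longer window catches it. The flow records, addresses and thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict

# Assumed thresholds for illustration; tune against your own baseline.
BURST_LIMIT = 500_000_000          # bytes per host/destination pair per hour
CUMULATIVE_LIMIT = 2_000_000_000   # bytes per pair over the whole window
MIN_ACTIVE_HOURS = 24              # persistence needed to call it "low and slow"

def build_sample_flows():
    """Constructed records: (hour, internal host, external dest, bytes out)."""
    flows = []
    for hour in range(72):
        flows.append((hour, "10.0.0.5", "203.0.113.10", 40_000_000))  # steady 40 MB/h
        flows.append((hour, "10.0.0.7", "198.51.100.20", 2_000_000))  # ordinary traffic
    flows.append((30, "10.0.0.9", "192.0.2.44", 900_000_000))         # one loud burst
    return flows

def hourly_totals(flows):
    """Sum outbound bytes per (hour, host, destination)."""
    totals = defaultdict(int)
    for hour, host, dest, nbytes in flows:
        totals[(hour, host, dest)] += nbytes
    return totals

def burst_alerts(flows):
    """Pairs that exceed the per-hour limit in any single hour."""
    return sorted({(h, d) for (_, h, d), b in hourly_totals(flows).items()
                   if b > BURST_LIMIT})

def cumulative_alerts(flows):
    """Pairs whose total over the window is large and sustained across many hours."""
    volume, hours = defaultdict(int), defaultdict(set)
    for (hour, host, dest), b in hourly_totals(flows).items():
        volume[(host, dest)] += b
        hours[(host, dest)].add(hour)
    return sorted(p for p, total in volume.items()
                  if total > CUMULATIVE_LIMIT and len(hours[p]) >= MIN_ACTIVE_HOURS)

if __name__ == "__main__":
    sample = build_sample_flows()
    print("burst:", burst_alerts(sample))            # only the loud host
    print("cumulative:", cumulative_alerts(sample))  # only the slow, steady host
```

In the sample, the steady 40 MB/h host never trips the hourly limit but moves about 2.9 GB in three days, which only the cumulative check reports.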
It comes as a surprise that an organization like JP Morgan Chase, which in all probability has an annual cyber security budget worth millions of dollars, has been hit by a breach.
The common notion, as stated by Patricia Wexler, spokesperson of JP Morgan Chase, that “Companies of our size unfortunately experience cyber-attacks nearly every day” is quite true; however, security lies in knowing that even the smallest whimper must be given appropriate attention. Say, for example, we are working in a noisy environment. After a few minutes in that noise, we become immune to it. In this scenario the noise is the alerts: had the administrators become immune to the daily chatter of alerts from the constant attacks, or were they specifically chided by their peers to report only in case of an eventuality, as was the case with the boy who cried wolf?
Last but not least, a few months back, in December 2013, it was revealed that JP Morgan was hit by a data breach in which it warned almost half a million pre-paid cash card customers that their personal information may be at risk. Two incidents in the space of six months is a huge failure of the security mechanism.
We simply hope that JP Morgan Chase and the investigating agencies reveal exactly what happened and how it happened, as this is the only way toward implementing better security practices. Whether those practices are followed is a different question altogether.
- Inputs by Mr. Govind Rammurthy, MD & CEO, eScan