A mighty breach from a small chink at JP Morgan

The received wisdom in cybersecurity is to focus resources on protecting the most critical and mission essential systems. However, failure to protect low-sensitivity systems can have dire consequences as the financial giant, JP Morgan-Chase discovered in 2014. With a $250 million cybersecurity program, JP Morgan Chase offers online banking services employing modern cybersecurity best practices. With all those resources, why has this major financial institution become a leading cyber victim?

JPMorgan Chase learned that an organization is only as strong as its weakest link. The firm contracted an outside vendor to develop and deploy a website for the bank’s annual charity race. The race was open not only to bank employees but also to employees of other corporations. “Hackers found a vulnerability in the website and exploited it to enter critical Chase systems, affecting over 76 million households and 7 million businesses.”[1] From this foothold behind JP Morgan’s exterior defenses, the attackers monitored the JP Morgan network for additional weaknesses such as user credentials and certificates to exploit more lucrative targets. Despite strong boundary protection, look for adversaries lurking on the inside of your network.

The attacker’s reconnaissance revealed that access to one server had not yet been upgraded to two-factor authentication, a login safeguard similar to what the AO is implementing.[2] Unfortunately, “JPMorgan’s security team had apparently neglected to upgrade one of its network servers with the dual password scheme… That left the bank vulnerable to intrusion.” [3] The lesson here is that all the organization’s computers must be inventoried, patched, and protected promptly and uniformly.

Like the OPM breach[4], JP Morgan learned about this intrusion from a third party named Hold Security, who found evidence on a cybercriminal website. “The data … contained some of the combinations of passwords and email addresses used by race participants who had registered on the charity race website, an online platform for a series of annual charitable races that JPMorgan sponsors in major cities and that is run by an outside vendor.” [5] Luckily, JP Morgan paid attention to this information. In the future, perhaps they (or a security research firm under contract) will search the dark web for indicators of stolen data. They will improve how they protect sensitive data and credentials at rest and in transit.

“The criminal database also included the certificate for the website of the [charity race] site’s vendor …, indicating a serious breach that allowed hackers to pose as the race website operator and intercept traffic, such as race participants’ login credentials…”[6] The lesson here is that third party software needs to adhere to the same protections required of homegrown applications.

Many of these compromised credentials could be used to infiltrate other applications and servers on the JP Morgan network, as well as on the internet at large. Because people often reuse user names and passwords, their personal and financial data is also at risk on websites outside JP Morgan. Maintaining unique passwords can be made easier with password vaults. ITSO has published information to assist with selecting and using a password vault.[7]

The JP Morgan-Chase breach is one of a handful of significant data compromises. “The massive security breach compromised 76 million households and seven million small business accounts. As a result, the bank will no doubt spend millions of dollars over the next few months repairing the extensive damage and working to restore its reputation.” [8]

Does JP Morgan need to do more? Their answer is yes. “The bank spends $250 million annually in security defense. But after the attack, Jamie Dimon, JPMorgan’s chief executive, said he was considering doubling that amount — an indication of the increasing threat from the attacks.” [9] This will include assessing this experience and what they need to learn from it. For example:

· an organization is only as strong as its weakest link

· look for adversaries lurking on the inside of your network

· protect sensitive data and credentials at rest and in transit

· all the organization’s computers must be inventoried, patched, and protected promptly and uniformly

· pay attention to indicators and warnings from outside the organization

· third party software needs to adhere to the same protections required of homegrown applications

· use password vaults to prevent password duplication

More information about application security and secure software development best practices, along with training and other resources, is available at the Secure Software Connections Community hosted by ITSO Security Engineering.


[1] http://www.veracode.com/blog/2015/07/understand-how-secure-application-layer-can-prevent-disaster-look-no-further-2014s-high-sw

[2] Remote Access Authentication Upgrade at http://jnet.ao.dcn/information-technology/networks/raau

[3] http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/

[4] https://www.opm.gov/cybersecurity/cybersecurity-incidents/

[5] http://dealbook.nytimes.com/2014/10/31/discovery-of-jpmorgan-cyberattack-aided-by-company-that-runs-race-website-for-bank/?_r=0

[6] http://dealbook.nytimes.com/2014/10/31/discovery-of-jpmorgan-cyberattack-aided-by-company-that-runs-race-website-for-bank/?_r=0

[7] Password Vaults–Taking the Guesswork out of Passwords!

[8] http://www.wired.com/insights/2014/10/a-silver-lining-in-the-jp-morgan-breach-3/

[9] http://dealbook.nytimes.com/2014/10/31/discovery-of-jpmorgan-cyberattack-aided-by-company-that-runs-race-website-for-bank/?_r=0
