BreachExchange mailing list archives

JPMorgan Hacking Raises Alarm About Banks’ Cyber Defences


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 24 Nov 2014 18:54:52 -0700

http://businessweekme.com/Bloomberg/newsmid/190/newsid/286

Hackers are testing the financial system’s cyber defences, and they can
boast of some alarming success. Let’s start with what we know. JPMorgan
Chase & Co. says a breach of its computer systems exposed the personal
information of 76 million households and 7 million small businesses. The
intrusion lasted from June until sometime in August, so hackers had more
than a month to nose around.

They accessed names, addresses, phone numbers and e-mail addresses,
although the bank says there’s no evidence they compromised account
information, passwords or Social Security numbers.

And keep in mind: JPMorgan is a giant, profitable bank with a reputation as
one of the best companies in the world at cybersecurity.

Even more worrisome is what investigators don’t know — about the intrusion
at JPMorgan, the hackers who did it and the potential vulnerability of the
entire financial system. The bank has said little publicly about the breach
beyond its description of the customer information that was and was not
compromised and an assurance the company is cooperating with government
investigations.

US intelligence agencies, federal prosecutors and attorneys general from at
least two American states have all launched probes.

Computer hackers also targeted at least four other banks in a coordinated
attack on major financial institutions in August, according to a senior US
official who asked not to be identified because the investigation is
continuing. In May 2013, a gang of criminals stole $45 million in a matter
of hours by hacking their way into a database of prepaid debit cards and
then draining cash machines around the globe. The scheme started with
attacks on two GCC banks — RAK Bank in the UAE and Bank of Muscat in Oman.

Threats like these keep banking regulator Benjamin Lawsky, superintendent
of the New York Department of Financial Services, awake at night. “I worry
that we’re going to have some sort of major cyber event in the financial
system that’s going to cause us all to shudder,” he said in an interview at
the Bloomberg Markets Most Influential Summit on 22 September.

One thing we don’t know, according to James Lewis, a senior fellow at the
Centre for Strategic and International Studies in Washington, is how well
big banks’ cyber defences are working.

“Maybe JPMorgan had good defences that separated the high-value data from
the low-value data, so the hackers weren’t able to get to the high-value
data,” Lewis says. “That would be a success story.” Or maybe it was just
chance that the intruders didn’t manage to further exploit their access.
“We don’t know if we were good or if we were lucky,” he says.

James Angel, a professor at Georgetown University who specialises in
financial market structure, points out that banks’ computer networks are
“highly connected” to major stock exchanges, to credit card networks and to
other clearing institutions such as central banks. That means a breach in
one system might allow hackers to dig deeper into networks vital to the
financial system.

“What other weaknesses in bank cybersecurity are there that might allow
other hacks?” Angel asks. “There’s a natural scepticism that this is the
entire extent of the damage.”

Financial institutions are among the best at handling cybersecurity, says
Greg Bell, Americas services leader for information protection and
cybersecurity with KPMG, the tax, audit and advisory firm, in part because
they’re attacked so often. The stakes are high — a bank’s first duty, after
all, is keeping customer money safe. They spend more than most businesses
on protecting data and information. JPMorgan, even before the events of
this summer, had a cybersecurity budget of about a quarter billion dollars
annually — and it now plans to double its spending within five years.
JPMorgan Chase spends about $200 million each year to protect itself from
cyber attacks, chief executive officer Jamie Dimon wrote in an April 2013
letter to shareholders. “This number will grow dramatically over the next
three years,” Dimon said. “More than 600 employees across the firm are
dedicated to the task. And this number likely will grow as well.”

Still, financial companies are losing ground to the hackers, according to a
report by management-consulting firm Deloitte. In 2013, 88 percent of all
successful intrusions into the computer systems of financial companies were
accomplished in seconds, minutes or hours, not days, Deloitte found, while
79 percent of intrusions were discovered by the targeted firms only after
days, weeks or months. As in the JPMorgan episode, the attackers move fast
while the defenders are slow.

JPMorgan, in the bare description of what happened in its case, said no
unusual customer fraud related to the digital breach had been detected.
Although that might sound reassuring, it raises the more disturbing
question of what the hackers were up to. Was this just another incidence of
cyber crime or was it an example of the growing threat of cyber espionage
or terrorism?

JPMorgan has told consultants who are working with the bank that it saw
signs the Russian government may have had a hand in the attack, according
to three people familiar with the bank’s investigation.

Attacks by groups that have some kind of state support or direction have
been on the rise for the past three years, says KPMG’s Bell. Foreign powers
may be trying to show they can penetrate computer networks that are key to
the financial system and send a message that they could do more, he says.
In such cases, the intruders will leave just enough clues for investigators
to identify who’s doing it, Bell says. “It’s a threat, posturing,” he says,
“that I can get access to your critical infrastructure.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/