BreachExchange mailing list archives
JPMorgan Hacking Raises Alarm About Banks’ Cyber Defences
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 24 Nov 2014 18:54:52 -0700
http://businessweekme.com/Bloomberg/newsmid/190/newsid/286 Hackers are testing the financial system’s cyber defences, and they can boast of some alarming success. Let’s start with what we know. JPMorgan Chase & Co. says a breach of its computer systems exposed the personal information of 76 million households and 7 million small businesses. The intrusion lasted from June until sometime in August, so hackers had more than a month to nose around. They accessed names, addresses, phone numbers and e-mail addresses, although the bank says there’s no evidence they compromised account information, passwords or Social Security numbers. And keep in mind: JPMorgan is a giant, profitable bank with a reputation as one of the best companies in the world at cybersecurity. Even more worrisome is what investigators don’t know — about the intrusion at JPMorgan, the hackers who did it and the potential vulnerability of the entire financial system. The bank has said little publicly about the breach beyond its description of the customer information that was and was not compromised and an assurance the company is cooperating with government investigations. US intelligence agencies, federal prosecutors and attorneys general from at least two American states have all launched probes. Computer hackers also targeted at least four other banks in a coordinated attack on major financial institutions in August, according to a senior US official who asked not to be identified because the investigation is continuing. In May 2013, a gang of criminals stole $45 million in a matter of hours by hacking their way into a database of prepaid debit cards and then draining cash machines around the globe. The scheme started with attacks on two GCC banks — RAK Bank in the UAE and Bank of Muscat in Oman. Threats like these keep banking regulator Benjamin Lawsky, superintendent of the New York Department of Financial Services, awake at night. “I worry that we’re going to have some sort of major cyber event in the financial system that’s going to cause us all to shudder,” he said an interview at the Bloomberg Markets Most Influential Summit on 22 September. One thing we don’t know, according to James Lewis, a senior fellow at the Centre for Strategic and International Studies in Washington, is how well big banks’ cyber defences are working. “Maybe JPMorgan had good defences that separated the high-value data from the low-value data, so the hackers weren’t able to get to the high-value data,” Lewis says. “That would be a success story.” Or maybe it was just chance that the intruders didn’t manage to further exploit their access. “We don’t know if we were good or if we were lucky,” he says. James Angel, a professor at Georgetown University who specialises in financial market structure, points out that banks’ computer networks are “highly connected” to major stock exchanges, to credit card networks and to other clearing institutions such as central banks. That means a breach in one system might allow hackers to dig deeper into networks vital to the financial system. “What other weaknesses in bank cybersecurity are there that might allow other hacks?” Angel asks. “There’s a natural scepticism that this is the entire extent of the damage.” Financial institutions are among the best at handling cybersecurity, says Greg Bell, Americas services leader for information protection and cybersecurity with KPMG, the tax, audit and advisory firm, in part because they’re attacked so often. The stakes are high — a bank’s first duty, after all, is keeping customer money safe. They spend more than most businesses on protecting data and information. JPMorgan, even before the events of this summer, had a cybersecurity budget of about a quarter billion dollars annually — and it now plans to double its spending within five years. JPMorgan Chase spends about $200 million each year to protect itself from cyber attacks, chief executive officer Jamie Dimon wrote in a April 2013 letter to shareholders. “This number will grow dramatically over the next three years,” Dimon said. “More than 600 employees across the firm are dedicated to the task. And this number likely will grow as well.” Still, financial companies are losing ground to the hackers, according to a report by management-consulting firm Deloitte. In 2013, 88 percent of all successful intrusions into the computer systems of financial companies were accomplished in seconds, minutes or hours, not days, Deloitte found, while 79 percent of intrusions were discovered by the targeted firms only after days, weeks or months. As in the JPMorgan episode, the attackers move fast while the defenders are slow. JPMorgan, in the bare description of what happened in its case, said no unusual customer fraud related to the digital breach had been detected. Although that might sound reassuring, it raises the more disturbing question of what the hackers were up to. Was this just another incidence of cyber crime or was it an example of the growing threat of cyber espionage or terrorism? JPMorgan has told consultants who are working with the bank that it saw signs the Russian government may have had a hand in the attack, according to three people familiar with the bank’s investigation. Attacks by groups that have some kind of state support or direction have been on the rise for the past three years, says KPMG’s Bell. Foreign powers may be trying to show they can penetrate computer networks that are key to the financial system and send a message that they could do more, he says. In such cases, the intruders will leave just enough clues for investigators to identify who’s doing it, Bell says. “It’s a threat, posturing,” he says, “that I can get access to your critical infrastructure.”
_______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com Supporters: Risk Based Security (http://www.riskbasedsecurity.com/) YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!
Current thread:
- JPMorgan Hacking Raises Alarm About Banks’ Cyber Defences Audrey McNeil (Dec 02)