Case Summary
Minimizing Damage from J.P. Morgan's Data Breach
For a bank like JP Morgan, which spends $250 million annually on security, there is no acceptable excuse for being vulnerable to data breaches. The computer of one employee was infected with malware, resulting in information and credentials being stolen from it.
The threats involved in this case are of several levels. The hackers not only broke through several layers of security using malicious programs, but also obtained the highest level of administrative privileges, controlling 90 servers, by using multiple zero-day vulnerabilities. Furthermore, the data was stolen over an extended period of several months. Moreover, the overlooked server had failed to receive the two-factor authentication update, which would have rendered the stolen login credentials useless. Above all, the greatest threat was that the breach was not even discovered by JP Morgan itself. Because of the stolen data, JP Morgan faces the threat of future attacks based on the stolen lists of programs and applications. Furthermore, many staff in JP Morgan's security department are leaving for other banks, which makes it even more vulnerable.
The entry point of the malware into JP Morgan was an infected employee computer. The computer's credentials must have been compromised, possibly through clicking on a phishing mail or visiting a site hosting malware. The malware could have been stopped if HIPS had been deployed on the employee's computer. The human factor is the weakest part of any security system, as not all humans are security conscious. The lack of training of the JP Morgan employee, who presumably fell for a social engineering trick, is one of the many vulnerabilities. Furthermore, JP Morgan could have prevented the employee's system from becoming infected by using application whitelisting. The employee was also granted more access than was needed for his or her job. The hackers got into JP Morgan through the VPN, which was vulnerable to the setting up of a command-and-control outbound channel that would then bypass all defenses. JP Morgan's systems also failed to identify the server that had not received the two-factor authentication update, which could have been identified through regular vulnerability scans. Moreover, even with the mandatory NIDS deployment, the breach went unnoticed. The hackers also succeeded in deleting their log files; if JP Morgan had consolidated logs in a secure location, the hackers would not have been able to cover their tracks. Had a minimum baseline of logging been defined for the Windows servers, JP Morgan would have detected the breach earlier. It was also important for JP Morgan to disable all guest and anonymous account access, blocking simple loopholes.
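The point about consolidated logging above can be made concrete with detection logic run over a forwarded copy of Windows server events. This is an added example, not code from the SANS paper or from JP Morgan: the event records, host names and the 30-minute heartbeat baseline are constructed assumptions; the event IDs 1102 (Security audit log cleared) and 104 (System log cleared) are standard Windows identifiers.

```python
"""Detections over centrally forwarded Windows event logs (added example).

A copy of every event that leaves the host before an attacker can wipe it lets
a defender see two things a local-only log cannot: the log-clear event itself,
and a host that suddenly stops reporting. Sample records are constructed.
"""
from datetime import datetime, timedelta

# Constructed forwarded events: (timestamp, host, channel, event_id)
FORWARDED = [
    ("2014-06-01T08:00:00", "srv-01", "Security", 4624),
    ("2014-06-01T08:00:00", "srv-02", "Security", 4624),
    ("2014-06-01T08:05:00", "srv-01", "Security", 4672),
    ("2014-06-01T08:10:00", "srv-02", "Security", 1102),  # audit log cleared
    ("2014-06-01T08:15:00", "srv-01", "Security", 4624),
    ("2014-06-01T09:30:00", "srv-01", "Security", 4624),
]

# Windows event IDs that mean a log was cleared on the host.
LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}
# Assumed baseline: every server must forward at least one event per window.
HEARTBEAT = timedelta(minutes=30)


def parse(ts):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.fromisoformat(ts)


def log_clear_alerts(events):
    """Hosts whose forwarded copy contains a log-clear event."""
    return sorted({host for _, host, ch, eid in events
                   if (ch, eid) in LOG_CLEAR_EVENTS})


def silent_hosts(events, now, heartbeat=HEARTBEAT):
    """Hosts whose last forwarded event (at or before `now`) is older than the heartbeat."""
    last = {}
    for ts, host, _, _ in events:
        t = parse(ts)
        if t <= now:
            last[host] = max(last.get(host, t), t)
    return sorted(h for h, t in last.items() if now - t > heartbeat)


if __name__ == "__main__":
    now = parse("2014-06-01T09:30:00")
    print("log cleared on:", log_clear_alerts(FORWARDED))
    print("silent hosts:", silent_hosts(FORWARDED, now))
```

Both checks only work if the forwarding target is write-only for the servers being monitored; otherwise the attacker can clear the copy too.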
The case effectively shows how simple vulnerabilities were ignored at JP Morgan, causing such a huge loss. It also shows in detail how JP Morgan could have stopped this breach at various stages, and how effective vulnerability and penetration testing of the system could have covered the security loopholes. Several factors which contributed to such a long unnoticed breach of the JP Morgan system were explained in detail, along with possible countermeasures.
The breach was not discovered for months, and not by JP Morgan itself. The hackers had breached one of the charity websites, and Hold Security Inc, which discovered a billion stolen usernames and passwords, found that some belonged to JP Morgan as well. This led JP Morgan security to question its system and to discover the breach. The bank already spends $250 million on security, with 1,000 of its employees dedicated to this department. The organization was not only shocked but also concerned over the simplicity of the failure of its security.
Like any other organization, JP Morgan needs to identify its critical assets and protect them heavily with VLANs and NIDS. Perimeter defense should be assured by installing firewalls. Basic protection, employee training, HIPS, and application whitelisting would stop malware from entering the network or ensure its timely discovery. Using pre-connection VLANs and NAC for the infected system, and NIDS anomaly detection along with honeypots, can help reduce access to control servers and alert staff. Furthermore, implementing SELinux, RBAC, and AppArmor, and using a least-privilege access model, can also help JP Morgan against the hackers. Proper logging along with active monitoring, the use of crypto-free zones, and NIDS would have aided in strengthening the security. Pen testing and vulnerability scans would have helped in the early discovery of the hackers.
No entity is fully safe at all times; however, with these recommended solutions, JP Morgan can strengthen the security of its system. With effective security staff and well-aware employees with proper security education, such simple loopholes can be covered.
Reference
Jeng, A. (2015). Minimizing Damage from J.P. Morgan's Data Breach. SANS Institute.