Chase Breach: Lessons for Banks
Earlier Detection Might Have Prevented Compromise
If JPMorgan Chase, the nation's largest bank that was considered to be among the most secure organizations in the world, can be breached, then virtually all other banks are at risk. In fact, The New York Times, quoting unnamed U.S. officials, says cyber-attacks were launched against 10 U.S. financial services firms, including Chase, by a Russian-based group that is believed to have ties to the Russian government (see Beyond Chase: 9 More Banks Breached?).
Now, in the wake of these breaches, and Chase's revelation that personally identifiable customer data was compromised as part of a highly sophisticated attack waged against it in June, experts say banking institutions must take immediate steps to ensure they are prepared for inevitable attacks.
"It does indeed get attention when one of the largest banks in the world is breached," says Shirley Inscoe, an analyst at Aite Group. "This does start to raise the question of whether any company is truly secure in our country, and whether they can preclude hacking attacks by sources that may be sponsored and/or funded by other groups or governments."
The onus is on banks and credit unions to detect breaches sooner, through systems monitoring and penetration testing, as well as to enhance their efforts to deploy stronger authentication and education about social engineering schemes aimed at compromising accounts.
Banks also need to step up their information sharing efforts to help the industry defend against these emerging advanced persistent threats, just as they did during the days of the distributed-denial-of-service attacks that targeted leading U.S. banks from late 2012 through 2013.
The bad guys are always busy finding new ways to attack and penetrate networks, which means banks have to stay vigilant, says Bill Isaac, former chairman of the Federal Deposit Insurance Corp., one of the agencies that make up the Federal Financial Institutions Examination Council.
"I am not aware of any computer system anywhere - including in highly secret government agencies - that is totally secure and cannot be attacked," Isaac says. "Companies are spending enormous sums each year to raise their level of security. But the bad guys are relentless and will keep refining their methods for penetrating those systems."
That's why more investments in systems that monitor and spot anomalous activities as early as possible are needed, he adds.
"This allows the company to sound the alarms and shut down the activity very quickly, before it results in serious problems," Isaac says.
Early Detection Critical
Peter Gordon, a senior vice president at core banking services provider FIS, says Chase should have detected its June breach, which reportedly went undetected until late July, much sooner.
The attack on Chase illustrates a critical and systemic problem that plagues banks across the board, says Carl Herberger, vice president of security solutions at online security firm Radware.
"The lag time in discovering your network was breached as well as the depth of impact of an attack is a problem," he says. "More education is needed by way of a post-mortem analysis, and not just of breaches in the banking sector. ... The banking industry can strengthen as a whole by working with peers and dissecting how breaches occurred. It's time to shore up our defenses in this fight."
Not an Isolated Attack
Strikes against the financial services sector will keep coming, and will continue to go deeper and deeper into banks' networks and systems, says Avivah Litan, an analyst at the consultancy Gartner.
"They're not going to go after one bank," she says of cyber-attackers - a point also supported by the claims of other attacks reported by The New York Times. "This all has very grave economic consequences," especially if these attacks are being waged against the U.S. by a nation-state.
The Times report says U.S. officials suspect the attacks against Chase and other firms were launched by a Russian-based group that is believed to have ties to the Russian government.
"Personally, I think it's a nation-state trying to intimidate the United States, and in this case, it looks like there is a political motive," Litan says.
Julie Conroy, an analyst at the consultancy Aite Group, says Chase's breach is a watershed moment.
"It's safe to say that this attack has organized crime, and possibly nation-state, involvement," Conroy says. "It highlights the increasing sophistication of attacks, and the fact that no bank can ever consider itself to be truly impervious to attack."
And Al Pascual, director of fraud and security at Javelin Strategy and Research, says the theft of only PII, rather than account details used to forge future fraud, could be a red herring meant to cover up something far more serious.
"It reeks of a nation-state attack," he says. "You don't expend considerable resources to probe deeply into one of the most powerful and influential companies in the world just to steal some e-mail addresses."
Spear Phishing Concerns?
But Doug Johnson, senior vice president of risk management policy for the American Bankers Association, says banks shouldn't be too focused on who waged the attack against Chase.
Instead, they should be more concerned about the theft of personal information that could be used to perpetrate fraud through socially engineered schemes like phishing.
"It was marketing information that could be used for account takeover," he says. "This incident should be used by banking institutions as a way to refresh their customer education efforts and make customers aware of how this data could be used in the future."
But John Pescatore, director of research for the SANS Institute, says that until banks come up with better ways to authenticate users and employees, hackers' social engineering tactics will continue to be successful at breaching accounts and systems.
He notes that "the ability to make phishing e-mails targeted - and really hard for the normal user to tell from a legitimate e-mail" increases the threat. "Part of the reason it's so impossible to prevent these attacks from fooling people is this trend of everyone telling everyone about themselves on social networks and job sites," he adds.
If the industry and government would focus more attention on better ways to authenticate personal identities, a majority of account and network compromises could be eliminated, Pescatore says.
Banking regulators have been pushing for stronger authentication for years, but most banks and credit unions continue to authenticate users with usernames and relatively weak passwords - a practice security experts say must change.
In the meantime, information sharing is proving fruitful in helping institutions deflect emerging attacks.
"At this point, it seems financial institutions would be wise to begin - if they have not already - sharing information on security best practices and other issues related to security, similarly to how they collaborate against the 'bad guys' for fraud prevention," Inscoe says.
Associate Editor Jeffrey Roman and Managing Editor Mat Schwartz contributed to this story.