Why do major US corporations continue to put faith in technology when management is often the problem?
The intrusion — which began in June — not discovered until July
Okay, so we all make mistakes. But the personal details of 76 million well-heeled Americans leaking out of one of the world’s most trusted banking institutions does not inspire much confidence in the management process.
There was a time when US citizens could trust their business institutions with their secrets, but recent news casts significant doubt on governance.
We all know that cyber criminals are smart, but why did it take a wealthy banking giant, JPMorgan, a month to notice the sheer scale of this breach?
Unlike retailers, JPMorgan, as the largest bank in the nation, has financial information in its computer systems that goes beyond customers’ credit card details and potentially includes more sensitive data. [Source: JPMorgan Chase Hacking Affects 76 Million Households].
As the New York Times reported, “Until just a few weeks ago, executives at JPMorgan said they believed that only one million accounts were affected, according to several people with knowledge of the attacks.” The problem then seemed to be relatively contained — if you regard one million records compromised as manageable in terms of a data breach in the modern age. 76 million, of course, is one quarter of the population of the United States.
“Operating overseas, the hackers gained access to the names, addresses, phone numbers and emails of JPMorgan [Chase] account holders”. [ibid.]
Banks the size of JPMorgan do have strict rules about including account numbers and passwords in emails, but you can still learn a lot about their customers from what they write to their bank managers and vice versa.
Hackers don’t siphon off mega volumes of data using large pipes, though they may – and often do – use multiple sources of attack to achieve results. To transfer the amount of data involved here would take a great deal of time, relatively speaking. This incident did not happen like in the movies. The attackers were most likely working away without being detected, patiently gathering the information over a period of weeks, possibly months. I recently conducted an exclusive interview about the Operation Harkonnen hack in Germany, which allegedly lasted for over 12 years and targeted 300 institutions including banks – although disclosure rules are somewhat different in EU countries and so far no victims have been named.
American officials have told The New York Times that they have been working with JPMorgan since the intrusion was detected, chiefly through the Treasury, the Secret Service, and intelligence agencies, to find the source of the attacks. The hackers are thought to be operating from Russia. There is speculation that the sustained attack was “intended to send a message to Wall Street and the United States about the vulnerability of the digital network of one of the world’s most important banking institutions.”
In other words, this attack is symbolic. Not a large-scale fraud perpetrated by the criminal gangs behind the dumps shops that sell stolen card details – see my blog article: Home Depot: Has ‘carder culture’ beaten US Law?
This theory is supported by evidence emerging about the methods used in the attack. The JPMorgan hackers gained access to information about the names, addresses, phone numbers, and email addresses of account holders. They did not dig deep enough to get to the critical financial information and personal information on the bank’s systems. Given the organised nature of the hack, the sheer scale (76 million customer records), the breadth of the information retrieved, and the believed country of origin of the hackers, the intended purpose in this instance would appear to be political: a warning to the Administration and Wall Street that America is vulnerable.
But what could JPMorgan have done better to protect its systems?
Bloomberg, which first broke the news of the cyber attack on JPMorgan Chase in August, said on Friday October 3 that hackers “exploited an employee’s access to a development server as part of the attack on a JPMorgan Chase & Co. server that led to the theft of data on 76 million households and 7 million small businesses”. [Source: JPMorgan Password Leads Hackers to 76 Million Households.] The 76 million households affected compare with the US total of about 115 million as of 2012, meaning that the data theft extends to two thirds of all American homes.
JPMorgan Chief Operating Officer Matt Zames has urged employees to be vigilant. “Make sure you have fortified your own defenses,” he told them on 2 October in a memo obtained by Bloomberg News. “Log off your workstation when you leave your desk. Change your passwords often, choose passwords that are very hard for others to guess, and never, ever share passwords.”
Passwords and the management of passwords would appear to be at the heart of the security problem that has affected JPMorgan and its customers.
In ISO27001:2013, the control referenced in Annex A.9.4.3 (Password management system) states that “Password systems shall be interactive and shall ensure quality passwords”. Was this the case at JPMorgan Chase?
Requirement 8 of the PCI DSS version 3 sets out the Payment Card Industry Data Security Standard’s requirements for assigning a unique ID to each person with computer access. The testing procedures include:
- 8.5.9 Change user passwords at least every 90 days.
- 8.5.9.a For a sample of system components, obtain and inspect system configuration settings to verify that user password parameters are set to require users to change passwords at least every 90 days.
- 8.5.9.b For service providers only, review internal processes and customer/user documentation to verify that non-consumer user passwords are required to change periodically and that non-consumer users are given guidance as to when, and under what circumstances, passwords must change.
Were passwords at JPMorgan changed every 90 days, and was this policy enforced in line with Requirement 8 by management at all levels and grades?
Could a precaution as simple as the developer in question changing their access password within a 90-day period as required by the PCI DSS have prevented the hackers from accessing at least a proportion of the 76 million records that were stolen – assuming that the attack continued for months?
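Testing procedure 8.5.9.a asks the assessor to inspect system configuration and verify the 90-day maximum. The script below is an added example, not part of the original article or of PCI DSS: it runs the same check over constructed Linux `/etc/login.defs` and `/etc/shadow` content with a fixed “today”, flagging accounts whose maximum password age exceeds 90 days and accounts whose password has not actually been changed within 90 days (the account names and hashes are made up).

```python
"""Audit password aging against PCI DSS 8.5.9 (change at least every 90 days).
Added example, not from the article: it inspects constructed /etc/login.defs and
/etc/shadow content with a fixed 'today' so the result is deterministic."""
from datetime import date
from typing import List, Optional, Tuple

MAX_AGE_DAYS = 90  # PCI DSS 8.5.9 / testing procedure 8.5.9.a threshold

# Constructed /etc/login.defs excerpt: default aging applied to new accounts.
LOGIN_DEFS = """\
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""

# Constructed /etc/shadow lines: name:hash:lastchg:min:max:warn:inactive:expire:
# 'lastchg' is days since 1970-01-01, 'max' the per-account maximum age in days.
SHADOW = """\
root:$6$constructed1:16300:0:99999:7:::
devbuild:$6$constructed2:16100:0:99999:7:::
alice:$6$constructed3:16290:1:90:7:::
svc_deploy:$6$constructed4:16000:0::7:::
nologin:*:16300:0:99999:7:::
"""

def login_defs_compliant(login_defs: str) -> bool:
    """True only if PASS_MAX_DAYS is set and no greater than 90."""
    for line in login_defs.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "PASS_MAX_DAYS":
            return int(parts[1]) <= MAX_AGE_DAYS
    return False  # unset: new accounts get no password aging at all

def audit_shadow(shadow: str, today: date = date(2014, 10, 3)) -> List[Tuple[str, str, Optional[int]]]:
    """Flag accounts whose maximum age exceeds 90 days or whose password is older than 90 days.
    'today' defaults to a fixed date so the constructed sample gives reproducible results."""
    findings = []
    today_days = (today - date(1970, 1, 1)).days
    for line in shadow.splitlines():
        name, pwhash, lastchg, _min, maxd = line.split(":")[:5]
        if pwhash.startswith(("*", "!")):
            continue  # locked or password-less account: aging does not apply
        max_days = int(maxd) if maxd else None  # empty field = no maximum enforced
        if max_days is None or max_days > MAX_AGE_DAYS:
            findings.append((name, "max_age_over_90", max_days))
        age = today_days - int(lastchg)
        if age > MAX_AGE_DAYS:
            findings.append((name, "password_older_than_90d", age))
    return findings
```

Note that a compliant `PASS_MAX_DAYS` only affects accounts created afterwards; existing accounts keep whatever maximum is recorded in their own shadow entry, which is why both checks are needed.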
And why was so much data accessible using just one employee access right – if the alleged Russian hackers were able to login using just one identity?
As reported in SC Magazine on October 1, a study by Los Angeles-based Lieberman Software found that only 53 percent of organizations update their account service and process account passwords on a quarterly basis.
Quarterly password changes alone would most likely not have saved JPMorgan from the embarrassment of a very serious breach if the hackers had up to three months of unlimited access into the organization’s critical systems, but they might have helped to limit the damage inflicted by reportedly just one compromised password!
I predict that, in the weeks to come, password management will feature highly in the debriefing and in industry comment about the JPMorgan breach. Likewise, expect to see commentators delving into the subject of network segmentation: for example, what services were allowed between different network zones, and how sensitive was each zone? Was the vast mass of data stolen despite efforts to manage and control changes across the JPMorgan network while keeping their segmentation intact?

Hosts and subnets should be segmented into security zones. Were they? There should be traffic-flow restrictions between zones. Who monitored this? The level of sensitivity within each zone needed to be established and monitored, along with effective zone-to-zone policies. Who decided what the developer could access? In the case of JPMorgan, who had management control over these processes and how was a single developer’s login able to access so much?
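The zone-to-zone review described above can be made mechanical. The following is an added example, not part of the original article and not a description of JPMorgan’s network: it takes a constructed sensitivity ranking of zones, a constructed policy of which source zones each zone may accept traffic from, and a constructed list of deployed firewall rules, then reports rules that contradict the policy or allow “any” service into a more sensitive zone, and traces where a foothold in the development zone can reach.

```python
"""Zone-to-zone policy review for a segmented network.
Added example, not from the article. Zones, sensitivity levels, policy and rules
are constructed; a real review would load them from firewall or ACL exports."""
from collections import deque
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str]  # (source zone, destination zone, service)

# Constructed sensitivity ranking: higher means more sensitive data lives there.
ZONES: Dict[str, int] = {"internet": 0, "dev": 1, "corp": 2, "app": 3, "customer_data": 4}

# Constructed zone-to-zone policy: which source zones each zone may accept traffic from.
POLICY: Dict[str, Set[str]] = {"app": {"internet", "corp"}, "customer_data": {"app"}}

# Constructed firewall rules as actually deployed.
RULES: List[Rule] = [
    ("internet", "app", "tcp/443"),
    ("corp", "app", "any"),                 # broad convenience rule
    ("app", "customer_data", "tcp/1521"),
    ("dev", "app", "tcp/22"),               # developer access to production hosts
    ("dev", "customer_data", "any"),        # "temporary" test-data access
]

def violations(rules: List[Rule], policy, zones) -> List[Tuple[str, str, str, str]]:
    """Rules that contradict the zone policy, plus 'any' flows into a more sensitive zone."""
    out = []
    for src, dst, svc in rules:
        if dst in policy and src not in policy[dst]:
            out.append((src, dst, svc, "source not allowed by zone policy"))
        elif svc == "any" and zones[dst] > zones[src]:
            out.append((src, dst, svc, "unrestricted upward flow"))
    return out

def reachable_from(start: str, rules: List[Rule]) -> Dict[str, List[str]]:
    """Breadth-first search over allowed flows: each reachable zone with one path to it."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, _svc in rules:
            if src == cur and dst not in paths:
                paths[dst] = paths[cur] + [dst]
                queue.append(dst)
    return paths

if __name__ == "__main__":
    for v in violations(RULES, POLICY, ZONES):
        print("VIOLATION", *v)
    print("reachable from dev:", reachable_from("dev", RULES))
```

Removing the direct dev-to-customer_data rule is not enough on its own: the path dev → app → customer_data remains, which is the kind of indirect exposure a one-rule-at-a-time review misses.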
Could a management system approach to information security have helped to prevent this titanic breach, or at least improved the time to detection?
The ISO27001 information security standard is the most widely adopted in the world because it breaks down silos that are a barrier to security and quality. ISO27001 has a way of satisfying compliance requirements on all the various statutes and regulations that organisations in the U.S. need to comply with – e.g. Safe Harbor, PCI DSS, SOX, and GLBA. You build it once and comply many times, saving millions of dollars at the same time that you improve the security and control environment around your business. To do business fast you need security controls that let you know you are doing it safely and managing risk for the enterprise. The controls outlined in ISO27001 allow you to manage in a way that is streamlined and, yes, effective!
A final thought:
Have European Banks been attacked by state-sponsored hackers?
The attack on JPMorgan’s data assets is part of a larger criminal conspiracy to attack the FI sector: See Hackers’ Attack Cracked 10 Financial Firms in Major Assault [Source: The New York Times, October 3, 2014 9:39 pm].
On August 27, Bloomberg reported that “Authorities are investigating whether recent infiltrations of major European banks using a similar vulnerability are also linked to the attack.” At that point, investigators were considering the possibility that cyber criminals from Russia or Eastern Europe were responsible. As I reported in my blog (25 September 2014), the Operation Harkonnen gang, thought to be German, is believed to have accessed sensitive data from 300 European organisations, including banks in Germany, Austria, and Switzerland, over a 12 year period: Exclusive Interview : Operation Harkonnen Malware disguised as ‘harmless Adware’.
It may be a coincidence in relation to this story, but Baron Harkonnen, a fictional character and antagonist from the Dune universe created by Frank Herbert, has the first name ‘Vladimir’. According to sci-fi enthusiasts, his family name originated in Finland by some accounts, and in western Russia by others.
# # #
Could an ISO27001-compliant ISMS have saved US banking pride?
An ISO27001-compliant information security management system (ISMS) will confirm to both management and clients that your organization is proactively managing its security responsibilities. 22,293 certificates have already been awarded globally to an exclusive group of growing companies and early adopters, including leading US corporations and high-growth smaller enterprises in a variety of sectors. In fact, the number of ISO27001 certificates issued in the US jumped by 36% in 2013 compared to 2012.
These certified organizations are able to leverage their ISO27001 certification internationally as a market differentiator, satisfying the information security requirements of corporations and government, as well as providing assurance to the public. An ISO27001 certification is widely accepted globally as proof of a reliable, defensible, standards-based information security management posture.
ISO27001 certification is a dynamic process, requiring at least annual audits and periodic renewal of the certificate. To your clients and prospects, ISO27001 certification is independent proof of ISMS adequacy and the ongoing benefit of continuous process improvement. Your ISMS enables you to clearly see which security processes are working and which need improvement. You are in no doubt about where to invest time and money.
The risk-based decision-making inherent in an ISO27001 ISMS means the system shares a common basis with many of the new legal requirements in the US and around the globe. Changes to the ISMS can be made in an orderly, incremental fashion, resulting in substantial time and cost savings.
With ISO27001, the information security function becomes more integrated with the organization as a whole, so there is less chance of ignoring cybersecurity risks that could cost your enterprise its reputation for excellence.
We can help you to implement effective cybersecurity procedures and controls using ISO27001. Spend a minute on our ISO27001 solutions page: www.itgovernanceusa.com/iso27001-solutions.aspx
Put your detailed questions to our consultants and learn from the experts:
1-877-317-3454
* * * *
Remember: at the end of December 2013, at least 22,293 ISO/IEC 27001 certificates, a growth of 14 % (+2,673), had been issued in 105 countries.
If you’re going to quote PCI DSS, why not 8.3, which requires the use of two-factor authentication whenever remote access is allowed? That could have easily stopped any attacker armed with the credentials of a developer (which hasn’t been confirmed).