In July JPMorgan Chase discovered that 90 or so of its servers were breached by external hackers. As The New York Times reported[1], “By the time the bank’s security team discovered the breach in late July, hackers had already obtained the highest level of administrative privilege to dozens of the bank’s computer servers.” According to the article, it is still unclear how hackers managed to gain such deep access.
Every organization in the world with significant financial assets is under constant Web-based attack from bad guys. Over the past two years, there’s been an impressive (or terrifying, depending on your point of view) increase in both the success of these attacks and the size and scope of the organizations affected.
Virtually all of these hacks have one thing in common, however. They attack identity; specifically, they leverage vulnerabilities in software or business processes to subsequently elevate privilege until they reach the Holy Grail of identity on a critical server.
Featured Download: CISO Data Breach Guide
USA Today quoted an industry expert who interpreted this breach by saying that the hackers “had root” on the servers and they “could transfer funds, disclose information, close accounts, and basically do whatever they want to the data.” [2]
There are still far too many organizations using root accounts to manage their servers. It’s just asking for trouble. If root accounts are available to your employees for anything besides “break glass” in single-user, off-network recovery situations, then there’s a chance the bad guys will also find a way to use those accounts. Corporate boards need to get off the dime and fund their IT security departments with the tools to stop these attacks, including least-privilege identity solutions that eliminate the use of root accounts.
What else is interesting about this hack? The bad guys didn’t wire funds to numbered accounts in tropical locations. Apparently, they left all the money behind, taking no Social Security numbers and no passwords with them. But is that the end of the story?
Probably not. “Persistence like that, with no stolen money, is due to a future planned operation,” J.J. Thompson of Rook Security of Indianapolis told USA Today in the same article. “This could be to track down a person of interest by observing financial transaction locations, to plan future large scale disruption when they know their competitor plans to wire funds to close a deal, or any other odd scenario you could see on (the TV show) ‘Blacklist.’”
Who knows what the end result of this hack will be, but hopefully it further raises awareness of the problem of sharing the root account. Setting policies for IT to use personal named accounts and always log in using their own identity will help avoid these issues, and will lead to better accountability and traceability of actions. The more an IT organization can consolidate identities into an authoritative identity store, the better. Using a privileged identity management solution, IT can limit the number of users who have privileged access and will make it less likely that the attacker will discover a user with privileged access.
[1] New York Times, JPMorgan Chase Hacking Affects 76 Million Households, 10/2/2014
[2] USA Today, JPMorgan Reveals Data Breach Affected 76 Million Households, 10/3/2014
By Brad Zehring, Senior Product Manager, Centrify
About Centrify
Centrify provides unified identity management across data center, cloud and mobile environments that deliver a single sign-on (SSO) for users and a simplified identity infrastructure for IT. Centrify’s unified identity management software and cloud-based Identity-as-a-Service (IDaaS) solutions leverage an organization’s existing identity infrastructure to enable single sign-on, multi-factor authentication, privileged identity management, auditing for compliance and mobile device management. Centrify customers can typically reduce their total cost of identity management and compliance by more than 50 percent, while improving business agility and overall security. Centrify is used by more than 5,000 customers worldwide, including nearly half of the Fortune 50 and more than 60 Federal agencies.
For more information, please visit http://www.centrify.com/.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.