Last week, JPMorgan Chase revealed that a previously disclosed data breach affected a total of 76 million households and 7 million small businesses. Here to comment are a number of experts in the information security field. NTT Com Security, STEALTHbits Technologies, Rapid7, and others are represented.
Tod Beardsley, Engineering Manager, Rapid7:
“Unfortunately we may still see piggyback attacks where cybercriminals launch social engineering attacks to cash in on the customer anxiety that follows the news cycle surrounding reports of any big-name breach. The usual advice applies: If you get an e-mail or a call from a JP Morgan rep, feel free to thank them for contacting you and hang up. Customers should always initiate that contact by looking at their credit card statement for the contact number. You simply can’t trust that an incoming call or e-mail is legitimate and not a phishing attempt.”
Carmine Clementelli, Network Security Product Manager, PFU Systems, Fujitsu:
“JP Morgan’s major breach earlier this year was a targeted attack conducted for a long period of time that went undetected. This type of advanced attack is becoming very commonplace. Organizations of all sizes today need to be aware that APT (Advanced Persistent Threat) attacks might be around the corner and therefore need to invest in more robust security.
“JP Morgan apparently discovered the intrusion in mid-August and now believe the breach began as early as June. The intrusion was already on the bank’s servers at that time. How did that happen? More importantly moving forward, why did this happen? US organizations need more robust security and must embrace highly effective defense-in-depth strategies and deploy a multi-point defense. That means combining solutions that can detect attacks not only at the Internet edge but also inside the company’s network and on connected endpoints. And by the way, that includes those tablets and smart phones we all carry to work.
“Last week’s news underscores how important it is to monitor and analyze communication patterns to detect any anomalous behavior (especially communications with C&C Servers), and identify malicious device-to-device communications within the network. The fact is, we know how to do this, we know how to inspect traffic crossing the network for continuous security, without suffering performance penalties.”
Garry Sidaway, Global Director of Security Strategy, NTT Com Security:
“The good news on this story is the fact that the time it took to detect the breach was significantly shorter than average. But it does still indicate the huge challenges every business has against the increasingly complex threat landscape. My concern now is making sure that the lessons are learned and that information security and risk management are embedded into businesses to protect personal data. Also as we have seen through the Global Threat Intelligence report, how businesses manage intrusions is also critical.”
Ben Johnson, Chief Security Researcher, Bit9 + Carbon Black:
“The fact that enormous data breaches that compromise millions of individuals’ credit card and other personal information keep happening is not only astounding. It is absolutely unacceptable. Breaches are inevitable, but compromised data doesn’t have to be. There are next-generation security solutions available today that can lock down data and deliver continuous monitoring to instantly identify any sort of unauthorised activity from even the most determined and clever attackers. This breach highlights the common issue of blind spots on enterprise endpoints right across the organisation. Visibility is critical because you can’t stop advanced threats and targeted attacks if you can’t see what’s happening, and we know that this attack was underway for at least a month before it was discovered. Cyber resiliency is the new trend — making sure that you can take a punch and keep going, or in this case, just because unauthorised access is established to a few systems shouldn’t mean the intruders should be allowed to live in there for months while accessing massive amounts of sensitive information. Sadly, this won’t be the last massive breach. Until more companies harden their systems and strengthen their ability to more quickly detect, respond, and recover from compromises, we will see more of these types of events.”
Barry Scott, CTO, Centrify:
“It’s not always losing a username and password that’s directly the problem, although that is very serious. Loss of data such as names, e-mail addresses, home addresses and phone numbers are all part of the jigsaw that make up a person’s digital presence, an online identity that can form a good basis for further targeted attacks. How many people will be getting phishing phone calls as a result of their phone numbers being lost in this breach, with the caller using other information to try and prove that they are genuine?”
Pierluigi Stella, CTO, Network Box USA:
“Contact information for 76 million families and seven million businesses. Assume that includes people’s names, addresses, phone numbers. Should we assume an allocated 100 bytes each? That makes it 8.3 billion bytes or 66.4 Gigabytes. Hackers don’t use large pipes, though they may be using multiple sources of attack. To transfer that much data takes time – a lot of time.
“We keep talking about security. I cannot begin to imagine how much money Chase spends for cyber security every year. And yet, these hackers were able to transfer away from the bank 8.3 Gigabytes of data, yet no one noticed. It just simply baffles me; I have no other way to express this. Intrusion prevention, monitoring, intrusion detection, SIEMs and log management systems that should reveal anomalies and raise alerts – I know Chase has them all and more. None of these worked? How is that possible?
“We need to start wondering if all that we are doing for security isn’t completely wrong and hackers have found ways to circumvent all our defenses.
“When the Target bust happened in January, I was outraged by the prospect that the company didn’t have enough security and whatever they had was circumvented because of a third-party having too much access. But in the case of Chase, I am confident the bank had plenty of security beforehand. I am also sure they used every trick in the books to stay safe and that they take security very seriously. They are a financial institution, after all, the largest financial institution in the US, and they know they are a target. So, how did this happen?
“It would be really interesting if we could find out for sure what really happened so that we can all learn from this lesson.”
Kyle Kennedy, CTO, STEALTHbits Technologies:
“JP Morgan Chase reporting that 76 million accounts were compromised in a cyber-attack confirms the fact that no matter the industry – retail, restaurants, financial services, healthcare, manufacturing – if you are storing sensitive, high-value data, cybercriminals will attack your organization eventually.
“As a result of all these recent security breaches, millions of consumers have had their credit card details, financial information, and personal information stolen, which is directly fueling a thriving market of its own – commoditized personal identifiable information (C-PII). If cybercriminals understand the value of this C-PII market, when will companies like JP Morgan Chase, Home Depot, Target, Goodwill Industries, etc. collectively acknowledge it, too, and start advocating for cybersecurity reform?
“It appears to me that every electronic security measure can be breached, and it seems that every person’s information will eventually be compromised. This begs the question: Are organizations that store sensitive data looking at the C-PII market and applying the supply and demand principle? What value can there be in yet another black market based on people’s sensitive personal identifiable information emerging when there are only so many consumers?
“Do these organizations think that cyber-criminals will eventually give up and stop trying to acquire our sensitive information if the C-PII market is so watered down due to our information being readily available on the Internet that the value and demand drops – reducing the number of cyber-attacks by cyber-criminals? I certainly hope that isn’t the case.
“However, as a security executive, the best advice I could offer anyone is to actively monitor your statements always and to set up alerts for any charge greater than $0.00 for ALL financial accounts ensuring you see unauthorized activity when it happens. That way, you do not have to wait for a breach to be reported before you can take action.
“I am pretty sure news of other breaches is soon to come.”
John Gunn, Vice President Corporate Communications, VASCO Data Security:
“The nature of the attack and what wasn’t taken will provide evidence for the conspiracy theorists who speculate that this was a state-sponsored action by Russia, but the forensic evidence collected so far doesn’t support that. Clearly, it was driven by objectives outside the singular focus on profit that motivates the criminal hacking organizations capable of executing this type of attack.
“Criminal hacking organizations utilize incredibly sophisticated attack methods. Combine that with readily available resources such as Tor, which is a worldwide network of more than 5,000 relays that can be used to conceal a hacker’s true location, and you have absolutely no way to track the origin of the attack. With no criminal trail from stolen funds, identities, or login credentials, this is a mystery that will forever remain unsolved.”