December 24, 2015 by Sharon Weshler (c) Linkedin

In November 2015, five people were indicted in a New York federal court in what prosecutors called "the largest theft of customer data from a US financial institution in history". The case in question is the theft of personal records belonging to some 83 million JPMorgan customers.

Although we are well into the 21st century, this is one of the first cases in which a thorough investigation can be performed in public and used to derive recommendations for incident response methodologies. There have been comparable cases before, for example the RSA breach, the attacks on South Korean banks in 2013 and the infamous Sony leak of 2014, but those incidents were handled internally and some were kept from the public, so the information that was eventually released had been filtered or altered.

Strict legislation, in particular the Sarbanes-Oxley Act of 2002, requires every company traded on a US stock exchange to maintain controls against cyber attacks and to disclose material incidents when they occur. This requirement forced JPMorgan to announce in October 2014 that the private data of more than 76 million households and seven million small businesses had been compromised. Because the information is public, we can now reconstruct how the attack unfolded, and the most infuriating part is that it could easily have been prevented, even though JPMorgan had invested over 250 million dollars in security applications and components.

The attack began with a simple phishing campaign. The attackers sent e-mails to their targets, in this case JPMorgan employees, posing as the JPMorgan IT department and asking the recipients to enter their credentials on a bogus site. The result was a working set of credentials for one employee.

One of the security features JPMorgan employs is two-factor authentication: even with an employee's password, a second authentication factor such as a one-time password is required for each login. The feature had been rolled out to every JPMorgan server except one. The attackers used the stolen credentials against that server and gained access to JPMorgan's network, and from there the path to the data was short. A control deployed everywhere except one host protects nothing that host can reach, so the coverage of a rollout matters as much as the control itself.

At first, law enforcement believed that the attackers were based in Russia and that the attack was too sophisticated to be traced. After every server had been analyzed, however, the point of entry was found and fixed.

Several conclusions and recommendations for future incidents can be drawn from this attack:

  • Employee awareness: Most attacks succeed because employees are unaware of the consequences of their actions. Cyber security awareness training should be provided to all employees, with particular attention to suspicious e-mails and requests for credentials.
  • Constant scans: All servers and workstations should be continuously scanned to verify that every security update and every mandated control is in place. Whether the organization has one server or several thousand, each one must be inventoried, monitored and updated regularly; the JPMorgan breach came through the single server that the two-factor rollout missed.
  • Perform regular penetration testing: Penetration testing is currently the most effective method of discovering vulnerabilities in networks and systems. Even where it is not mandatory, perform it at least once a year and after every major change to the application or the network.
  • Logging and documenting: If a breach occurs despite all efforts, the organization must have a logging and documentation mechanism, such as a Security Information and Event Management (SIEM) system, that reports attempted breaches in real time and preserves evidence for law enforcement.
  • Effective security BI: An organization can spend many thousands of dollars on its defenses and still not buy the right ones. Effective business intelligence on the security portfolio should analyze which products are actually needed, so that the budget is spent where it reduces risk.
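As an added example that is not part of the original article, the following Python script shows the two checks the account above calls for: an inventory audit that lists the hosts where two-factor authentication is not enforced (the single overlooked server), and a SIEM-style detection run over authentication log lines that flags successful password-only logins and a credential tried against several hosts from one address. The inventory, hostnames, addresses and log line format are constructed for illustration; a real deployment would read them from the configuration management system and the log pipeline.

```python
"""Audit MFA coverage across a server inventory and flag password-only
logins on hosts that do not enforce a second factor.

Added example; the inventory, the log format and the hostnames below are
constructed for illustration and are not from the original article."""
import re

# Constructed inventory: host -> whether a second factor is enforced on login.
# A rollout that is "complete except one" looks exactly like this.
INVENTORY = {
    "vpn-gw-01": True,
    "vpn-gw-02": True,
    "bastion-01": True,
    "legacy-app-07": False,   # the host the rollout missed
}

# Constructed log lines in a simple syslog-like shape (not a real product format).
SAMPLE_LOGS = """\
2015-08-10T02:14:03Z vpn-gw-01 auth: user=jdoe method=password+otp result=success src=203.0.113.5
2015-08-10T02:15:41Z bastion-01 auth: user=jdoe method=password result=failure src=203.0.113.5
2015-08-10T02:16:09Z legacy-app-07 auth: user=jdoe method=password result=success src=203.0.113.5
2015-08-10T09:30:12Z vpn-gw-02 auth: user=asmith method=password+otp result=success src=198.51.100.7
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"method=(?P<method>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Parse log lines into dicts; lines that do not match the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def mfa_coverage_gaps(inventory):
    """Return the hosts where a second factor is not enforced (sorted)."""
    return sorted(host for host, enforced in inventory.items() if not enforced)


def single_factor_logins(events, inventory):
    """Return successful logins on hosts without enforced MFA, or logins that
    used only a password on a host that claims MFA (a bypass either way).
    A host missing from the inventory is treated as uncovered, not as safe."""
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        host_has_mfa = inventory.get(e["host"], False)
        if not host_has_mfa or "otp" not in e["method"]:
            findings.append({"host": e["host"], "user": e["user"],
                             "src": e["src"], "ts": e["ts"]})
    return findings


def credential_reuse_across_hosts(events):
    """Map each (user, source address) pair to the hosts it touched, keeping
    only pairs seen on more than one host: one credential probed against
    several servers from one address is the pattern described in the article."""
    seen = {}
    for e in events:
        seen.setdefault((e["user"], e["src"]), set()).add(e["host"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_LOGS)
    print("hosts without MFA:", mfa_coverage_gaps(INVENTORY))
    for f in single_factor_logins(events, INVENTORY):
        print("ALERT single-factor login:", f)
    print("credentials tried against several hosts:", credential_reuse_across_hosts(events))
```

Treating an unknown host as uncovered is deliberate: a server that is not in the inventory at all is the one most likely to have been skipped by a rollout, so it should raise an alert rather than be silently trusted.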

You can read the rest of the article at the above URL.

InCyber Comments

This article highlights the need for a Pro-Active System PAS to prevent Insider Threats. The InCyber PAS system was designed to eliminate this problem. Obviously the J P Morgan breach was an inside job. The InCyber PAS (Pro-Active System) could have prevented this breach. For additional details on the InCyber PAS Test Drive using your own data write .