As JPMorgan Chase issued an apology to customers and acknowledges that the data breach discovered this summer lasted much longer and affected more customers than previously believed, serious questions—that industry insiders say require immediate answers—are being posed about how the breach could have gone undetected for so long.
While the financial institution assured customers “there is no evidence” that account numbers, passwords, Social Security numbers, user IDs and other sensitive information was compromised, having 76 million household and seven million small business accounts affected, as the bank's filing with the SEC indicated, lands Chase among the unenviable ranks of companies that have hosted the largest breaches to date. Most troubling, though, is that at a vigilant firm could suffer a sustained event with such sweeping and broad implications.
“I am sure [Chase has] plenty of security; I am sure they used every trick in the books to stay safe; I am sure they take security very seriously because they are a financial institution, the largest financial institution in the US, and they know they are a target,” Pierluigi Stella, CTO, Network Box USA, said in an email statement sent to SCMagazine.com Friday. “So, how did this happen?”
After all, as Stella pointed out, slipping past security at a company like Chase takes some effort…and resources.
“Contact information for 76 million families and seven million businesses. Assume that is name, address, phone number; should we assume an allocated 100 bytes each? That makes it 8.3 billion bytes or 66.4 Giga Bytes,” he said. “Hackers don't use large pipes, though they may be using multiple sources of attack. To transfer that much data takes time – a lot of time.”
More troubling, the Chase breach reflects an ongoing issue in the way organizations typically detect, resolve and mitigate breaches, industry experts said.
Since “user identity [was] the main vehicle of attack” a la Target and Home Depot, Idan Tendler, CEO at Fortscale, told SCMagazine.com in Friday email correspondence that “once an attack bypasses the perimeter security, traditional or advanced, the hacker will make significant efforts to hijack legitimate, low level, user credentials.” From there, “it will be very difficult to identify this malicious yet stealthy behavior,” he said.
In an email correspondence with SCMagazine.com, Rajesh Goel, CTO at Brainlink International, Inc., laid partial blame on software and security vendors that he called “a HINDERANCE to security, not an asset.” Each vendor, he explained, “has their own quirks, their own log formats, their own training, and the defenders are drowning in point solutions.”
Goel also took the software industry to task for selling software with bugs. “The software industry does NOT have to comply with the same consumer protection laws as everyone else,” he said. “Software vendors however, keep shipping insecure, buggy hardware and software, with no real thought to security. Software should be held to the same standards as airplanes, cars, food and water. It IS that important to our well being and society.”
Security pros expect the breaches to keep coming until enterprises change the way they approach security.
“Talented adversaries are going to check their malware against anti-virus and other security products to make sure they are not going to trip alarms,” Jim Penrose, executive vice president for Cyber Intelligence with Darktrace, told SCMagazine.com in an email correspondence. “If you depend on a threat intelligence feed for the lead info to detect the malware, you are out of luck, because somebody else has to have found it to show up in that feed.”
If the malware is not discovered, the breach could lay undetected for months or years, Penrose explained. “If you are the company that sees it first, that's unfortunate for you, and that's how the ‘threat intelligence' makes it to the rest of the community,” he said.
And Carmine Clementelli, Network Security Product Manager, PFU Systems, Fujitsu, told SCMagazine.com in an email correspondence, that common security measures fall short because they “are more focused in detecting anomalous communications from the outside the network at the network perimeter” rather than also focusing on “communications patterns of latent malware active within a company's network.”
Penrose suggested that the industry must rethink its approach to cyber intelligence since best practices clearly aren't resulting in “indications and warnings of compromise before crisis occurs.” Instead, security pros must “put new technology into the security stack to detect threats earlier, and that technology has to be different, not dependent on historic information about prior malicious behavior.”
As long as banks and other enterprises use "'trusted endpoint' security models for laptops and mobile devices,” they will remain vulnerable to "malware Mondays," Nat Kausik, CEO, Bitglass, told SCMagazine.com in a Friday email correspondence. “Employees take home laptops and mobile devices for use on their home networks which are not well protected. Upon returning to the office, the malware scans, spreads and exfiltrates sensitive data,” he said. “Enterprises with sensitive data must migrate to a network architecture that treats all user devices as hostile.”
And to mitigate the damage down to their reputations, companies like Chase must take clear steps to restore consumer confidence. “In part, it's a policy issue that starts right at the top with C level executives, who report to shareholders,” said Clementelli.
Stronger legislation may also push corporations to modernize and strengthen security. “Some in the industry are saying that there's also not enough teeth in current cybersecurity legislation and organizational requirements – the fines aren't big enough to make more aggressive network security improvements cost effective,” Clementelli added. “Essentially, onerous penalties would raise net security as a C-suite priority.”