So, a bunch of US financial institutions have been hacked. Nothing new there, if we are being brutally honest. The newsworthiness in this particular case comes courtesy of one of those organisations apparently being none other than JP Morgan Chase. USA Today reported yesterday that a federal law enforcement official had told the media outlet, unofficially, that Russian hackers were behind the series of breaches which resulted in the loss of "sensitive data." JP Morgan Chase did not confirm the accuracy of the report, but a spokesperson did tell USA Today that it uses "multiple layers of defense to counteract any threats" and "constantly monitor fraud levels." Which is about as helpful as a bucket of mud to clean the floor with. The FBI was a little more forthcoming, admitting that it is working with the Secret Service in order to determine the scope of "cyber attacks against several American financial institutions."
So what do we know about what happened? The answer, as you might have expected by now, is very little. That hasn't stopped the security industry from lining up to provide DaniWeb with some guesses though.
Philip Lieberman, CEO of Lieberman Software says that the ability to overcome the typical financial defense-in-depth strategy outlined by JP Morgan "points to capabilities that go beyond criminal activity and are in the realm of nation state capabilities" and warns that most of the financial services sector has "little to no protection from nation state attacks and is not willing to spend the money to protect themselves, nor do they have senior leadership capable of redesigning their organizations for secure operation against nation states."
Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs, says reports suggest that a "Zero Day exploit utilized against an internet facing system" or "the exploitation of an unsecured employee to gain access to a secured network via a virtual private network" were the likely entry points in this series of attacks. "Attackers know that directly attacking security systems is never a smart move considering the current security stance most organizations take," he said, continuing, "however utilizing the weak link or employees who fail to follow common security practices and are given too much access to secure systems allows attackers to basically detour the defenses put in place and instead navigate with little to no resistance."
Eric Chiu, president and co-founder of HyTrust, is meanwhile alarmed, saying the attack "highlights the fact that outside attackers are sophisticated and well-funded, and that every organization is a target for breach."
Alex Fidgen, director of MWR InfoSecurity, reckons the CBEST scheme launched by the Bank of England could be a way to reduce the fear factor. CBEST is a formal assessment framework being implemented by regulators to gauge and assess cyber risk. "The fact that such schemes are being implemented shows the importance and significance that countries like the US and the UK are placing on establishing greater degrees of cyber resilience," Fidgen says, "but it would also be fair to acknowledge that we are still in the very early stages of understanding the risk that disruptive cyber-attacks would pose, and this area will only continue to become more critical as time elapses."
Amichai Shulman, CTO of Imperva, focuses on who did the attacking and reckons that the apparent lack of financial loss would suggest a politically motivated group. "This is very different from the alleged Iranian attacks earlier in 2012 and late 2013 that were purely of a denial-of-service nature," Shulman explains, continuing, "I find it odd that someone who was actually able to break into a bank is not using it for making immediate profit." Shulman points towards two possibilities: the first is that there are missing pieces in the puzzle (i.e. we are not being told everything), and the second is that these were indeed politically motivated hackers.
"Everyone is trying hard to tie this with the whole political situation with Russia," Shulman concludes. "However, it is well known that for a few years now, a large portion of banking attacks and financially related hacking has consistently been coming from Eastern Europe."
To sum up then, according to Philip Lieberman, the lesson to be learned is that the financial services sector needs to raise its cyber security game, moving from commercial-grade security to military-level security. "Most banks are focused on obtaining passing grades from internal and government cyber security auditors," he warns, "but fail to place enough emphasis on the real and constant threats from the outside."