Are Financial Services Firms Prepared for Cyber Attacks?
It’s been 12 months now since we first learned of the JPMorgan Chase data breach. Only recently, however, has information started to emerge on its perpetrators and their motivations, and some of it has been surprising.
According to a Bloomberg article from July, the cyber attack was largely the work of two “digital misfits” – US citizens Joshua Samuel Aaron and Anthony Murgio – who met at Florida State University and ran a laundry list of scams before breaking into the bank’s servers as part of a stock manipulation scheme. The story has yet to be officially confirmed, but it’s a far cry from the original theory that a foreign government had been involved.
What does this teach us about hacking threats in the financial services industry? Well, it demonstrates that they’re many and varied, and that it doesn’t necessarily take a state-sponsored team to break into what Bloomberg called “the digital version of Fort Knox”.
How Are Financial Services Firms Vulnerable?
Here’s how the magazine described the JPMorgan data breach itself:
“Over almost three months, intruders at JPMorgan had unrestricted access to its main data center, which controls critical functions for the bank and the broader US financial system. They accessed at least 100 servers and stole 40 gigabytes of data, defying the security of a company that spent $250 million to protect its computers in 2014.”
At first glance, this seems like an impressive achievement for just a few people. Digging deeper into the team’s methods, however, shows they took advantage of the same vulnerabilities we’ve seen countless times both inside and outside of the financial services industry.
For one, their entry point onto the bank’s network was a single server on which two-factor authentication wasn’t present. Getting access to one server out of a hundred might not seem like it offers enough scope to compromise 80 million records, but it’s a classic hacking trick to start with a small foothold in an environment and then build on it. This is possible because VPNs and other remote access solutions make it simple for hackers to get beneath the surface and start digging around in the network infrastructure.
The fact the perpetrators in the JPMorgan data breach were able to do this for such a long time isn’t too surprising, either. According to a recent survey from the Ponemon Institute, the financial services industry has a serious problem when it comes to detecting and responding to data breaches in a timely fashion. It found that on average, hackers stick around inside firms’ networks for 98 days – more than three months – before they’re even detected. Once they’ve broken in, they’re practically invisible.
How Can They Prepare Themselves?
The Ponemon survey found that financial services firms aren’t particularly confident about their chances of fixing this problem. Some 58 percent said it was unlikely they’d improve on their response times in the next 12 months.
Nonetheless, the scale of the JPMorgan data breach demonstrates that it’s profoundly important for the industry to act now and close security holes like those detailed above. Despite the staffing and spending JPMorgan invested in network defense, the adversaries were still able to breach its perimeter. The fact is the network perimeter is getting harder to define and harder to defend. That’s why strict control of user access to network assets must be an important component of every company’s cyber defense strategy.
Given the number of high-profile cyber attacks facilitated by phishing attacks, it should be a top priority for financial services firms to prevent hackers from using compromised user accounts to gain a foothold in their networks. Why? Because preventing reconnaissance and lateral movement are the keys to limiting the potential damage of a perimeter breach.
This means swapping VPNs and other outdated technologies with an environment built around the principle of a ‘segment of one’, delivering access to data and applications on a need-only basis and rendering the network infrastructure effectively invisible.
Additionally, they should use context – device posture and identity, for example – to define the scope and terms of that access, and to adjust security controls dynamically: changing or removing the authorization rules attached to a particular user account, or applying extra security measures automatically and in real time, according to the risk attached to the session. Any activity that looks suspicious can then be reported immediately, cutting response times from months to seconds.
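As an added example (not the page's or Cryptzone's code, and not AppGate's actual policy language), here is a small Python policy check that applies these ideas: per-identity entitlements so that only need-to-know assets are even visible, a mandatory two-factor gate (the control missing on the server used in the JPMorgan breach), and a device-posture risk score that steps up authentication or denies access and records an alert immediately. The entitlement table and posture signals are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed per-identity entitlements: a "segment of one" exposes only the
# assets a user needs, instead of the whole network a flat VPN would reveal.
ENTITLEMENTS = {
    "alice": {"hr-portal", "payroll-db"},
    "bob": {"trading-app"},
}


@dataclass
class Session:
    user: str
    mfa_verified: bool
    disk_encrypted: bool   # device posture signals (hypothetical agent data)
    patched: bool
    new_location: bool     # first login from this location
    alerts: list = field(default_factory=list)  # reported in real time


def risk_score(s: Session) -> int:
    """Weight posture/context signals; higher means riskier session."""
    score = 0
    if not s.patched:
        score += 2
    if not s.disk_encrypted:
        score += 2
    if s.new_location:
        score += 1
    return score


def decide(s: Session, asset: str) -> str:
    """Return 'allow', 'step-up' (extra verification) or 'deny' for one request."""
    # Identity gate: anything outside the user's segment is invisible to them,
    # and probing for it is exactly the reconnaissance worth flagging.
    if asset not in ENTITLEMENTS.get(s.user, set()):
        s.alerts.append(f"{s.user} requested undisclosed asset {asset}")
        return "deny"
    # Two-factor is required for every asset; no single server is exempt.
    if not s.mfa_verified:
        return "step-up"
    risk = risk_score(s)
    if risk >= 3:
        s.alerts.append(f"{s.user} denied {asset}: risk {risk}")
        return "deny"
    if risk >= 1:
        return "step-up"   # rules tighten dynamically for a riskier session
    return "allow"
```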
Ask yourself: would your organization be susceptible to a cyber attack like the one that hit JPMorgan?
Learn more about Cryptzone’s secure access solution, AppGate, to limit the damage that can be done if an intruder makes their way past your defenses.