Gerry Zapantis JPMorgan Chase Data Breach 4/25/2015
In the span of three months (June-August 2014), about 83 million customer records had been purged from the databases of JP Morgan Chase. Of those roughly 83 million customer records, 76 million were households and 7 million were for small businesses. The information that was stolen included customer name, physical address, phone numbers, email addresses, and a table that had customers sorted into categories such as mortgage type, credit card, or private banking. The attackers were able to breach more than 90 servers through a zero-day vulnerability on an overlooked and neglected server. The vulnerability was a neglected server that had failed to receive a two-factor authentication update, which left the security professionals with no warning, no time to secure assets, and no time to bolster defenses and patch holes. Access to the network was granted through an employee's infected machine and resulted in stolen credentials when the employee logged into one of the many servers hosted by JP Morgan. The breach was detected when a charity website hemorrhaged usernames and passwords, which was noticed by Hold Security, Inc. The platforms that were infected include Chase.com, JPMorganOnline, Chase Mobile, and JPMorgan Mobile, and the attack would have continued to go unnoticed if JP Morgan security personnel had not been tipped off by Hold Security analysts.
The first topic that JP Morgan learned from this attack was the value of having a well-educated workforce. It is very important to keep the front line strong because ordinary employees are not thinking about the ramifications of connecting their mobile phone to the company Internet. They are not thinking about the security risk of having a static password for an extended period of time. Their focus is not on preventing an infection from spreading. Ordinary employees will panic when something goes wrong, and they are not trained to cope with the stresses. Training does not need to be a drawn-out process of seminars and lectures, but can be as simple as providing employees with copies of documentation on how to deal with unexpected events, as well as who to contact. According to the SANS Whitepaper [1], social engineering is one of the most successful access points for attackers and "is the technique of tricking or manipulating someone into providing information through the exploitation of human vulnerabilities. Phishing, spam, mail attachments, or the impersonation of someone that they're not are some of the popular forms of social engineering." The SANS Whitepaper also states that training should be "…specific, measurable, achievable, realistic and time-based" and should allow the employees to aid in the start of the DR plan.

[1] Minimizing Damage From J.P. Morgan's Data Breach, pages 5-6 (https://www.sans.org/reading-room/whitepapers/casestudies/minimizing-damage-jp-morgan-039-s-data-breach-35822)
The second topic that J.P. Morgan needed to focus their efforts on was segregation and protecting critical assets. It is not easy to determine the level of access needed by each department, or employee, because there is a fine line between users having so little access that functionality drops and having a virtually open network with loose user restrictions. Some middle ground needs to be determined so everyone stays happy and the data remains secure. According to the SANS Whitepaper [2], the goal of segregation is to "…restrict access to critical segments so that critical assets are not accessible to everyone on the internal network." Segregating the network into smaller subsections has multiple advantages. One major advantage is that it is much easier to manage multiple smaller segments than one massive group. The more users you are attempting to monitor, the harder it is to notice abnormal traffic, and it is entirely possible for an attack to go unnoticed in the sea of legitimate traffic. Segregation also has advantages when DR is taken into account. It is much easier to shut down a portion of the system than it is to shut down the entire system. It is much simpler to shut down a VLAN than the entire system because a VLAN is localized, whereas shutting down the entirety of the system has ramifications that could potentially do more damage than the actual threat itself. The act of managing many networks is not an easy task and requires managers who are capable of multitasking, and the policies and procedures only work if the employees adhere to them. A company could have the best policies and procedures in the world, but be completely vulnerable if the employees do not implement those actions. One way to control how much access a user has is to follow the "Least Privilege" philosophy and give the user as much access as they need to complete their tasks, but nothing further and nothing except what they need to work. Another method of control would be through RBAC (Role-Based Access Control), whose philosophy mandates that only one role at a time can be open for any specific user. It also mandates that the previous role is removed whenever an employee begins a new role. The key is to leave no lingering roles because a lingering role is a potential access point for an attacker. J.P. Morgan also failed to protect their critical assets, their customer database. To their credit, account numbers, social security numbers, and other extremely sensitive information were kept from the attacker, and the attack was undiscovered for only about three months. However, J.P. Morgan was lucky because one of their companion sites noticed usernames and passwords had been purged from their systems. The major threat to critical assets is privilege escalation, whether it be vertical or horizontal. Vertical escalation is essentially achieved through buffer overflow and can be stopped with routine patching, keeping anti-virus software up to date (as well as the virus signature database), and controlling MAC through RBAC. Horizontal escalation is essentially achieved through the use of stolen credentials and can be prevented with HIPS and user education. Another way to protect critical assets is to use VLANs to create an onion-like structure within your network, where each layer of the onion is a layer of protection for your critical assets. VLANs alone are not enough, however, but they can be a great deterrent when coupled with firewalls. Firewalls are great because they offer excellent TCP-level protection at network perimeters as well as at the entrances to critical assets.

[2] Minimizing Damage From J.P. Morgan Data Breach (https://www.sans.org/reading-room/whitepapers/casestudies/minimizing-damage-jp-morgan-039-s-data-breach-35822)
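The single-active-role RBAC rule and the lingering-role problem described above, as an added example that is not part of the paper or the SANS whitepaper it cites. The role catalogue, permission names and user accounts are constructed for the example; the audit at the end finds accounts that still hold more than one role.

```python
"""Single-active-role RBAC with least-privilege checks and a lingering-role audit.

The two rules modelled are the ones the paper attributes to RBAC: a user holds
one role at a time, and the previous role is revoked when a new one is granted.
The audit at the bottom finds accounts that still hold more than one role (the
paper's "lingering role"). Role names, permissions and users are constructed.
"""
from dataclasses import dataclass, field

# Constructed role catalogue. Each role carries only the permissions its job
# needs, which is the "least privilege" half of the paper's argument.
ROLE_PERMISSIONS = {
    "teller": {"accounts:read", "transactions:create"},
    "mortgage_officer": {"accounts:read", "mortgages:read", "mortgages:approve"},
    "dba": {"customer_db:read", "customer_db:admin"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)      # invariant: at most one entry
    history: list = field(default_factory=list)  # (action, role) audit trail


class RoleStore:
    def __init__(self):
        self.users = {}

    def add_user(self, name):
        self.users[name] = User(name)
        return self.users[name]

    def assign_role(self, name, role):
        """Grant `role` and, in the same step, revoke whatever the user held."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        user = self.users[name]
        for old in sorted(user.roles):
            user.roles.discard(old)
            user.history.append(("revoke", old))
        user.roles.add(role)
        user.history.append(("grant", role))

    def grant_without_revoke(self, name, role):
        """The mistake the paper warns about: a role is added when someone
        changes jobs, but the old one is never removed. Present only so the
        audit has something to find."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        user = self.users[name]
        user.roles.add(role)
        user.history.append(("grant", role))

    def permissions(self, name):
        """Effective permissions: the union over every role the user holds."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.users[name].roles))

    def has_permission(self, name, perm):
        return perm in self.permissions(name)


def audit_lingering_roles(store):
    """(user, sorted roles) for every account that holds more than one role."""
    return [(u.name, sorted(u.roles)) for u in store.users.values() if len(u.roles) > 1]


def excess_permissions(store, name):
    """Permissions beyond those of the most recently granted role, i.e. access
    that exists only because an older role was left in place."""
    user = store.users[name]
    grants = [role for action, role in user.history if action == "grant"]
    if not grants:
        return set()
    return store.permissions(name) - ROLE_PERMISSIONS[grants[-1]]


if __name__ == "__main__":
    store = RoleStore()
    store.add_user("alice")
    store.assign_role("alice", "teller")
    store.assign_role("alice", "mortgage_officer")   # teller is revoked here
    store.add_user("bob")
    store.assign_role("bob", "teller")
    store.grant_without_revoke("bob", "dba")         # teller lingers
    print("lingering roles:", audit_lingering_roles(store))
    print("bob's excess access:", sorted(excess_permissions(store, "bob")))
```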
The third topic that J.P. Morgan should take note of is the importance of monitoring, logging, and scanning, and how each can be used, in conjunction with the others, to protect your systems. Monitoring is very important because it allows you to detect an intrusion before it can do "real" harm, and real harm would be an action such as spreading beyond containment or vertical escalation to obtaining root privilege. Monitoring can be aided by NIDS (Network-based Intrusion Detection Systems), but they tend to be rather expensive and require a dedicated and well-versed team to monitor the NIDS. While this is not an issue for J.P. Morgan, who spend $250 million per year on security alone, NIDS and the appropriate support are beyond the means of most companies, barring the obvious Fortune companies. The key to a successful IDS is an up-to-date and diverse signature database. Those signatures allow the IDS to determine what is a threat and what is normal and legitimate traffic. Another positive aspect of implementing NIDS is the possibility of detecting zero-day exploits with a proper and vast signature database. The issue is that monitoring is useless if you do not have a baseline to compare suspected traffic against. If you do not know what is supposed to be transmitted, it is impossible, barring an obvious name like virus.exe or imheretowreakhavok.exe, to detect an increase, or decrease, in network activity. Central logging is very important because the logs are the record, the digital fingerprint, of digital activity. Logs are important enough that attackers focus their attack in a way to avoid detection and erase their log entries, because a log is a clear indication of an intrusion. However, like monitoring, logging is useless if you do not know what is abnormal. Logs are only really useful when you have consistent time stamps, because it is difficult to correlate logs from an IDS, firewall, OS, web logs, and switches and routers if all devices and logs have different timestamps, which is entirely possible if a device is configured in a different time zone. Logs are not very useful if you only have one log, because you have nothing to compare it against to spot any anomalies. For logging to be effective, baseline logging from access points, access to critical data, and access to databases needs to be recorded over a period of time. For Windows servers, the most common gateways are web servers, email servers, and DMZ servers. Fortunately, companies are not helpless and can take certain steps to help prevent attacks. The primary step they can take is to perform periodic vulnerability scans and routine penetration tests. A network visibility map can be used by an organization to determine what exposures and targets are visible on the network, and then you can plan out how to patch the holes. A security administrator should also prioritize and identify the top 10-15 critical assets and then proceed to focus the majority of their efforts on those critical assets while the other assets reap the benefit of the other security measures. Prioritizing the top assets also helps to stay on track with risk reduction. Another aspect J.P. Morgan can improve is by performing small scans instead of one massive, company-wide scan. Small scans allow you to scan the critical assets without having to scan the minor details entailed in the macro system. All companies should understand the value of penetration testing. Penetration testing can be defined as "…the technique of attempting to gain access to a network without knowledge of the network itself." [3] The goal of penetration testing is to determine if an attacker can gain access to the network and critical assets without triggering detection mechanisms.
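The timestamp problem raised above (logs from a firewall, an IDS and a server that cannot be correlated because each device stamps time in its own zone), as an added example that is not part of the paper. The device names, log formats, zone offsets and log lines are all constructed; fixed UTC offsets stand in for the IANA zone names a real device inventory would record.

```python
"""Normalize log timestamps from devices in different time zones to UTC, then
correlate events by source address within a short window.

Device names, log formats, zone offsets and the log lines are constructed.
Fixed UTC offsets stand in for the IANA zone names a real device inventory
would record (that keeps the example free of a tzdata dependency).
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the first three lines describe one SSH login from the same
# source as seen by a firewall, a web server and an IDS, each stamping time in
# its own local zone. The last line is an unrelated event hours later.
SAMPLE_LOGS = [
    ("fw01",  "Jun 15 02:14:07 fw01 ACCEPT src=10.2.3.4 dst=10.9.0.12 dport=22"),
    ("web03", "2014-06-15T06:14:09Z web03 login user=jsmith src=10.2.3.4 result=success"),
    ("ids01", "2014-06-15 07:14:11 ids01 ALERT sig=ssh_bruteforce src=10.2.3.4"),
    ("fw01",  "Jun 15 11:02:55 fw01 ACCEPT src=10.2.3.4 dst=10.9.0.12 dport=22"),
]

# Constructed device inventory: the format and zone each device logs in.
# syslog lines carry neither a year nor a zone, so both come from here.
DEVICE_CONFIG = {
    "fw01":  {"format": "syslog",    "utcoffset": timedelta(hours=-4), "year": 2014},
    "web03": {"format": "iso_utc",   "utcoffset": timedelta(0),        "year": None},
    "ids01": {"format": "local_iso", "utcoffset": timedelta(hours=1),  "year": None},
}

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_timestamp(device, line, honor_zone=True):
    """Return the line's leading timestamp as an aware UTC datetime.

    honor_zone=False reads every local time as if it were UTC, which is the
    failure the paper describes when devices sit in different zones."""
    cfg = DEVICE_CONFIG[device]
    fmt = cfg["format"]
    if fmt == "syslog":
        local = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=cfg["year"])
    elif fmt == "iso_utc":
        local = datetime.strptime(line[:20], "%Y-%m-%dT%H:%M:%SZ")
    elif fmt == "local_iso":
        local = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    else:
        raise ValueError(f"unknown log format {fmt!r} for {device}")
    offset = cfg["utcoffset"] if honor_zone else timedelta(0)
    return local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def parse_event(device, line, honor_zone=True):
    m = SRC_RE.search(line)
    return {"device": device, "ts_utc": parse_timestamp(device, line, honor_zone),
            "src": m.group(1) if m else None, "raw": line}


def correlate(events, window_seconds=60):
    """Cluster events sharing a source address whose UTC times fall within one
    window of the cluster's first event. Only clusters that span at least two
    devices are returned: a single device's entries are just its own log."""
    by_src = {}
    for ev in events:
        if ev["src"] is not None:
            by_src.setdefault(ev["src"], []).append(ev)
    window = timedelta(seconds=window_seconds)
    clusters = []
    for evs in by_src.values():
        evs.sort(key=lambda e: e["ts_utc"])
        current = [evs[0]]
        for ev in evs[1:]:
            if ev["ts_utc"] - current[0]["ts_utc"] <= window:
                current.append(ev)
            else:
                clusters.append(current)
                current = [ev]
        clusters.append(current)
    return [c for c in clusters if len({e["device"] for e in c}) >= 2]


def correlate_sample(honor_zone=True, window_seconds=60):
    events = [parse_event(d, line, honor_zone) for d, line in SAMPLE_LOGS]
    return correlate(events, window_seconds)


if __name__ == "__main__":
    print("zones ignored:", len(correlate_sample(honor_zone=False)), "cross-device clusters")
    for cluster in correlate_sample(honor_zone=True):
        print("zones honoured, cluster for src", cluster[0]["src"])
        for ev in cluster:
            print("  ", ev["ts_utc"].isoformat(), ev["device"], ev["raw"])
```

With the zones ignored the three records of the same login look hours apart and nothing correlates; once each device's zone is applied they land within four seconds of each other in UTC.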
The topic as to whether these measures, taken or that should be taken by J.P. Morgan, should also be taken by other companies is more a question of budget and whether the company has the financial resources available for such a focused and specialized craft. Obviously, you would expect a bank or other financial institution to spend more money on security than a pizzeria, but not many companies can afford to spend $250 million on security alone. Some cost-effective alternatives include the use of honeypot access points, periodic pen testing, and employee education. Honeypot APs are brilliant because you establish one and it is configured to look like a normal AP. It is a wonderfully simple, yet elaborate, trap in which the only traffic that would traverse the honeypot AP is from an attacker or an anonymous user, and both can cause serious issues in their own way. Periodic penetration testing allows you to frequently check to see if your defenses have any obvious, and some not-so-obvious, vulnerabilities that an attacker could potentially use against you. Above all, there is no defense like a workforce who understands the dangers lurking on the Internet and the various social engineering threats. While centralized logging is very useful when used properly, it is rather expensive to implement and maintain. If you do not have the resources to utilize the logging to its fullest and have a team dedicated to centralized logging, it is not worth the time or the money and will be the equivalent of a wet noodle.

[3] Minimizing Damage From J.P. Morgan Data Breach (https://www.sans.org/reading-room/whitepapers/casestudies/minimizing-damage-jp-morgan-039-s-data-breach-35822)
While the Whitepaper contained a large amount of useful information, I did not find a satisfactory explanation of two-factor authentication and sought outside resources to help explain it in more detail or take a different approach to explaining it. The first article was from threatpost.com [4], and it describes two-factor authentication as "…a user logs in with their chosen name and password, and then must use a second form of authentication such as software or hard token, or PIN sent to a mobile or landline." The second article was from computerworld.com [5], and it described two-factor authentication as "…combines the use of static passwords with one-time-use access codes generated by physical hardware devices or mobile apps." The third article was from esecurityplanet.com [6], and I believe it offers a perfect summary of the problem of compromised credentials. It states that "…until companies divorce the belief that users and accounts are the same thing, and begin monitoring account usage, vigilantly searching for compromised account usage, this trend of breaches will continue."

[4] Two-Factor Snafu Opened Door to JPMorgan Breach (https://threatpost.com/two-factor-snafu-opened-door-to-jpmorgan-breach/110119)
[5] Two-Factor Authentication Oversight Led to JPMorgan Breach (http://www.computerworld.com/article/2862578/twofactor-authentication-oversight-led-to-jpmorgan-breach-investigators-reportedly-found.html)
[6] Entry Point Identified for JPMorgan Chase Breach (http://www.esecurityplanet.com/network-security/entry-point-identified-for-jpmorgan-chase-breach.html)
More Related Content

What's hot

Darktrace enterprise immune system whitepaper_digital
Darktrace enterprise immune system whitepaper_digitalDarktrace enterprise immune system whitepaper_digital
Darktrace enterprise immune system whitepaper_digitalCMR WORLD TECH
 
Clearswift f5 integration
Clearswift f5 integrationClearswift f5 integration
Clearswift f5 integrationMarco Essomba
 
Getting ahead of compromise
Getting ahead of compromiseGetting ahead of compromise
Getting ahead of compromiseCMR WORLD TECH
 
Whitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badWhitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badbanerjeea
 
Proactive Measures to Mitigate Insider Threat
Proactive Measures to Mitigate Insider ThreatProactive Measures to Mitigate Insider Threat
Proactive Measures to Mitigate Insider ThreatPriyanka Aash
 
Bitdefender - Solution Paper - Active Threat Control
Bitdefender - Solution Paper - Active Threat ControlBitdefender - Solution Paper - Active Threat Control
Bitdefender - Solution Paper - Active Threat ControlJose Lopez
 
Insider Threat Solution from GTRI
Insider Threat Solution from GTRIInsider Threat Solution from GTRI
Insider Threat Solution from GTRIZivaro Inc
 
2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecurity2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecuritySvetlana Belyaeva
 
Malicious Insiders
Malicious InsidersMalicious Insiders
Malicious Insidersgjohansen
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Sounil Yu
 
Top Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperTop Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperNetIQ
 
cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015Paul Ferrillo
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss PreventionReza Kopaee
 
10 security problems unique to it
10 security problems unique to it10 security problems unique to it
10 security problems unique to itIT-Toolkits.org
 

What's hot (20)

Darktrace enterprise immune system whitepaper_digital
Darktrace enterprise immune system whitepaper_digitalDarktrace enterprise immune system whitepaper_digital
Darktrace enterprise immune system whitepaper_digital
 
Clearswift f5 integration
Clearswift f5 integrationClearswift f5 integration
Clearswift f5 integration
 
Getting ahead of compromise
Getting ahead of compromiseGetting ahead of compromise
Getting ahead of compromise
 
Insider threat
Insider threatInsider threat
Insider threat
 
Whitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badWhitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-bad
 
Advanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA EnvironmentsAdvanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA Environments
 
Proactive Measures to Mitigate Insider Threat
Proactive Measures to Mitigate Insider ThreatProactive Measures to Mitigate Insider Threat
Proactive Measures to Mitigate Insider Threat
 
CTI Report
CTI ReportCTI Report
CTI Report
 
Bitdefender - Solution Paper - Active Threat Control
Bitdefender - Solution Paper - Active Threat ControlBitdefender - Solution Paper - Active Threat Control
Bitdefender - Solution Paper - Active Threat Control
 
Insider Threat Solution from GTRI
Insider Threat Solution from GTRIInsider Threat Solution from GTRI
Insider Threat Solution from GTRI
 
The Top Ten Insider Threats And How To Prevent Them
The Top Ten Insider Threats And How To Prevent ThemThe Top Ten Insider Threats And How To Prevent Them
The Top Ten Insider Threats And How To Prevent Them
 
2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecurity2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecurity
 
Malicious Insiders
Malicious InsidersMalicious Insiders
Malicious Insiders
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
 
Top Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperTop Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White Paper
 
Retail
Retail Retail
Retail
 
cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss Prevention
 
ISACA ISSA Presentation
ISACA ISSA PresentationISACA ISSA Presentation
ISACA ISSA Presentation
 
10 security problems unique to it
10 security problems unique to it10 security problems unique to it
10 security problems unique to it
 

Viewers also liked

Viewers also liked (20)

QS - CV
QS - CVQS - CV
QS - CV
 
Ebook fqg-7habitos
Ebook fqg-7habitosEbook fqg-7habitos
Ebook fqg-7habitos
 
Fundraising from a Former Funder's Perspective
Fundraising from a Former Funder's PerspectiveFundraising from a Former Funder's Perspective
Fundraising from a Former Funder's Perspective
 
2015 dk system catalog(exhaust mufflers&tips)
2015 dk system catalog(exhaust mufflers&tips)2015 dk system catalog(exhaust mufflers&tips)
2015 dk system catalog(exhaust mufflers&tips)
 
Moch Anis - CV rev 2 (1)
Moch  Anis - CV rev 2 (1)Moch  Anis - CV rev 2 (1)
Moch Anis - CV rev 2 (1)
 
Obi Fox Can Beat Huawei in Kenya
Obi Fox Can Beat Huawei in KenyaObi Fox Can Beat Huawei in Kenya
Obi Fox Can Beat Huawei in Kenya
 
CV_Basavanagowda
CV_BasavanagowdaCV_Basavanagowda
CV_Basavanagowda
 
Creating a Culture of Engagement
Creating a Culture of EngagementCreating a Culture of Engagement
Creating a Culture of Engagement
 
Trainingday 2016
Trainingday 2016Trainingday 2016
Trainingday 2016
 
Prueba computacion
Prueba computacionPrueba computacion
Prueba computacion
 
Global Forecast Q3 by G4S Risk Consulting
Global Forecast Q3 by G4S Risk ConsultingGlobal Forecast Q3 by G4S Risk Consulting
Global Forecast Q3 by G4S Risk Consulting
 
Boulder County Assistance Site Strategic Outreach Plan_1125
Boulder County Assistance Site Strategic Outreach Plan_1125Boulder County Assistance Site Strategic Outreach Plan_1125
Boulder County Assistance Site Strategic Outreach Plan_1125
 
Alspeed
AlspeedAlspeed
Alspeed
 
SH.DAVIS Resume K
SH.DAVIS Resume KSH.DAVIS Resume K
SH.DAVIS Resume K
 
Neuropathy and Plantar Fasciitis
Neuropathy and Plantar FasciitisNeuropathy and Plantar Fasciitis
Neuropathy and Plantar Fasciitis
 
Polychrome sculpture
Polychrome sculpturePolychrome sculpture
Polychrome sculpture
 
Who am i (quién soy)
Who am i (quién soy)Who am i (quién soy)
Who am i (quién soy)
 
Decoding Encoding with Heksadesimal
Decoding Encoding with HeksadesimalDecoding Encoding with Heksadesimal
Decoding Encoding with Heksadesimal
 
Perkalian belasan ala india
Perkalian belasan ala indiaPerkalian belasan ala india
Perkalian belasan ala india
 
Power point
Power pointPower point
Power point
 

Similar to JP Morgan Paper

Appsian securing mobile_ess_solution_brief
Appsian securing mobile_ess_solution_briefAppsian securing mobile_ess_solution_brief
Appsian securing mobile_ess_solution_briefAppsian
 
Peoplesoft Best Practices for Maintaining Security
Peoplesoft Best Practices for Maintaining SecurityPeoplesoft Best Practices for Maintaining Security
Peoplesoft Best Practices for Maintaining SecurityAppsian
 
Peoplesoft Erp
Peoplesoft ErpPeoplesoft Erp
Peoplesoft ErpAppsian
 
threat-lifecycle-management-whitepaper
threat-lifecycle-management-whitepaperthreat-lifecycle-management-whitepaper
threat-lifecycle-management-whitepaperRudy Piekarski
 
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekko5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekkoDMI
 
InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141sraina2
 
10 security problems unique to it
10 security problems unique to it10 security problems unique to it
10 security problems unique to itIT-Toolkits.org
 
What's behind a cyber attack
What's behind a cyber attackWhat's behind a cyber attack
What's behind a cyber attackAndreanne Clarke
 
An Improved Method for Preventing Data Leakage in an Organization
An Improved Method for Preventing Data Leakage in an OrganizationAn Improved Method for Preventing Data Leakage in an Organization
An Improved Method for Preventing Data Leakage in an OrganizationIJERA Editor
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementDMIMarketing
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability ManagementGFI Software
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk ManagementDMIMarketing
 
Ethical hacking-guide-infosec
Ethical hacking-guide-infosecEthical hacking-guide-infosec
Ethical hacking-guide-infosecCMR WORLD TECH
 
Ethical hacking-guide-infosec
Ethical hacking-guide-infosecEthical hacking-guide-infosec
Ethical hacking-guide-infosecErfan Mallick
 
Bit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_printBit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_printjames morris
 
ethical-hacking-guide
ethical-hacking-guideethical-hacking-guide
ethical-hacking-guideMatt Ford
 

Similar to JP Morgan Paper (20)

Appsian securing mobile_ess_solution_brief
Appsian securing mobile_ess_solution_briefAppsian securing mobile_ess_solution_brief
Appsian securing mobile_ess_solution_brief
 
Peoplesoft Best Practices for Maintaining Security
Peoplesoft Best Practices for Maintaining SecurityPeoplesoft Best Practices for Maintaining Security
Peoplesoft Best Practices for Maintaining Security
 
Peoplesoft Erp
Peoplesoft ErpPeoplesoft Erp
Peoplesoft Erp
 
Window of Compromise
Window of CompromiseWindow of Compromise
Window of Compromise
 
threat-lifecycle-management-whitepaper
threat-lifecycle-management-whitepaperthreat-lifecycle-management-whitepaper
threat-lifecycle-management-whitepaper
 
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekko5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
 
InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141
 
Measures to Avoid Cyber-attacks
Measures to Avoid Cyber-attacksMeasures to Avoid Cyber-attacks
Measures to Avoid Cyber-attacks
 
Measure To Avoid Cyber Attacks
Measure To Avoid Cyber AttacksMeasure To Avoid Cyber Attacks
Measure To Avoid Cyber Attacks
 
Avoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of ITAvoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of IT
 
10 security problems unique to it
10 security problems unique to it10 security problems unique to it
10 security problems unique to it
 
What's behind a cyber attack
What's behind a cyber attackWhat's behind a cyber attack
What's behind a cyber attack
 
An Improved Method for Preventing Data Leakage in an Organization
An Improved Method for Preventing Data Leakage in an OrganizationAn Improved Method for Preventing Data Leakage in an Organization
An Improved Method for Preventing Data Leakage in an Organization
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management
 
Ethical hacking-guide-infosec
Ethical hacking-guide-infosecEthical hacking-guide-infosec
Ethical hacking-guide-infosec
 
Ethical hacking-guide-infosec
Ethical hacking-guide-infosecEthical hacking-guide-infosec
Ethical hacking-guide-infosec
 
Bit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_printBit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_print
 
ethical-hacking-guide
ethical-hacking-guideethical-hacking-guide
ethical-hacking-guide
 

JP Morgan Paper

  • 1. Gerry Zapantis JPMorgan Chase Data Breach 4/25/2015 In the span of three months (June-August 2014),about 83 million customerrecords had been purged from the databases of JP Morgan Chase. Of those roughly 83 million customerrecords,76 million were households and 7 million were for small businesses. The information that was stolen include customername, physical address,phone numbers, email addresses,and a table that had customers sorted into categories such as mortgage type, credit card, or private banking. The attackers were able to breach more than 90 servers through a zero-day vulnerability on an overlooked and neglected server. The vulnerability was a neglected server that had failed to receive a two-factor authentication update and left the security professionals with no warning, no time to secure assets, no time to bolsterdefensesand patch holes. The access to the network was granted through an employee's infectedmachine and resulted in stolen credentials when the employee loggedinto the one of the many servers hosted by JP Morgan. The breach was detected when a charity website had hemorrhaged usernames and passwords and was detected by Hold Security, Inc. The platforms that were infected include Chase.com, JPMorganOnline, Chase Mobile, and JPMorgan Mobile and the attack would have continued to go unnoticed if JP Morgan security personnel had not been tipped off by Hold Security analysts. The first topic that JP Morgan learned from this attack was the value of having a well-educated workforce. It is very important to keep the frontline strong because ordinary employees are not thinking about the ramifications of connecting their mobile phone to the company Internet. They are not thinking about the security risk of having a static password for an extended period of time. Their focus is not on preventing an infection from spreading. Ordinary employeeswill panic when something goes wrong and they are not trained to cope with the stresses. 
Training does not need to be a drawn-out process of seminars and lectures, but can be as simple as providing employees with copies of documentation on how to deal with unexpected events, as well as who to contact. According to the SANS Whitepaper1 ,social engineering is one of the mostsuccessful access points for attackers and "is the technique of tricking or manipulating someone into providing information through the exploitation of human vulnerabilities. Phishing, spam, mail attachments, or the impersonation of someone that they're not are some of the popular forms of social 1 Minimizing Damage From J.P. Morgan's Data Breach Page 5-6 (https://www.sans.org/reading- room/whitepapers/casestudies/minimizing-damage-jp-morgan-039-s-data-breach-35822)
  • 2. Gerry Zapantis JPMorgan Chase Data Breach 4/25/2015 engineering." The SANS Whitepaperalso states that training should be "…specific,measureable,achievable, realistic and time-based" and should allow the employeesto aid in the start of the DR plan. The second topic that J.P. Morgan needed to focus their efforts was on segregationand protecting critical assets. It is not easy to determine the level of access neededby each department, or employee,because there is a fine line betweenusers having little access and functionality dropping and having a virtually opennetwork with loose user restrictions. Some middle-ground needs to be determined so everyone stays happy and the data remains secure. According to the SANS Whitepaper 2 , the goal of segregationis to "…restrict access to critical segments so that critical assets are not accessible to everyone on the internal network." Segregating the network into smaller subsections has multiple advantages. One major advantage is that it is much easier to manage multiple smaller segments than one massive group. The more users you are attempting to monitor, the harder it is to notice abnormal traffic and it is entirely possible for an attack to go unnoticed in the sea of legitimate traffic. Segregation also has advantages when DR is taken into account. It is much easier to shut down a portion of the system than it is to shut down the entire system. It is much simplerto shut down a VLAN than it is to shut down the entire system because a VLAN is localized, whereas the entirety of the system has ramifications that could potentially do more damage than the actual threat itself. The act of managing many networks is not an easy task and requires managers who are capable of multitasking and the policies and procedures onlywork if the employees adhere to them. A company could have the bestpolicies and procedures in the world, but be completely vulnerable if the employees do notimplementthose actions. 
One way to control how much access a user has is to follow the "LeastPrivilege" philosophyand give the user as much access as they need to complete their tasks, but nothing further and nothing exceptwhat they need to work. Another method of control would be through RBAC (Role-Based Access Control) and its philosophymandates that only one role at a time can be open for any specificuser. It also mandates that the previous role is removed whenever an employee begins a new role. The key is to leave no lingering roles because a lingering role is a potential access point for an attacker. J.P. Morgan also failed to protecttheir critical assets,their 2 Minimizing Damage From J.P. Morgan Data Breach (https://www.sans.org/reading- room/whitepapers/casestudies/minimizing-damage-jp-morgan-039-s-data-breach-35822)
customer database. To their credit, account numbers, social security numbers, and other extremely sensitive information were kept from the attacker, and the attack was undiscovered for only about three months. However, J.P. Morgan was lucky, because one of their companion sites noticed that usernames and passwords had been purged from its systems. The major threat to critical assets is privilege escalation, whether vertical or horizontal. Vertical escalation is essentially achieved through buffer overflow and can be stopped with routine patching, keeping anti-virus software up to date (as well as the virus signature database), and controlling MAC through RBAC. Horizontal escalation is essentially achieved through the use of stolen credentials and can be prevented with HIPS and user education. Another way to protect critical assets is to use VLANs to create an onion-like structure within your network, where each layer of the onion is a layer of protection for your critical assets. VLANs alone are not enough, however, but they can be a great deterrent when coupled with firewalls. Firewalls are great because they offer excellent TCP-level protection at network perimeters as well as at the entrances to critical assets.

The third topic that J.P. Morgan should take note of is the importance of monitoring, logging, and scanning, and how each can be used, in conjunction with the others, to protect your systems. Monitoring is very important because it allows you to detect an intrusion before it can do "real" harm, real harm being an action such as spreading beyond containment or vertical escalation to obtain root privilege. Monitoring can be aided by NIDS (Network-based Intrusion Detection Systems), but they tend to be rather expensive and require a dedicated and well-versed team to monitor the NIDS. While this is not an issue for J.P.
Morgan, who spend $250 million per year on security alone, NIDS and the appropriate support are beyond the means of most companies, barring the obvious Fortune companies. The key to a successful IDS is an up-to-date and diverse signature database. Those signatures allow the IDS to determine what is a threat and what is normal and legitimate traffic. Another positive aspect of implementing NIDS is the possibility of detecting zero-day exploits with a proper and vast signature database. The issue is that monitoring is useless if you do not have a baseline to compare suspected traffic against. If you do not know what is supposed to be transmitted, it is impossible, barring an obvious name like virus.exe or imheretowreakhavok.exe, to detect an increase, or decrease, in network activity.

Central logging is very important because the logs are the record, the digital fingerprint, of digital activity. Logs are important enough that
attackers focus their attack in a way that avoids detection and erases their log entries, because a log is a clear indication of an intrusion. However, like monitoring, logging is useless if you do not know what is abnormal. Logs are only really useful when you have consistent timestamps, because it is difficult to correlate logs from an IDS, firewall, OS, web server, switches and routers if all devices and logs have different timestamps, which is entirely possible if a device is configured in a different time zone. Logs are not very useful if you only have one log, because you have nothing to compare it against to spot any anomalies. For logging to be effective, baseline logging from access points, access to critical data, and access to databases needs to be recorded over a period of time. For Windows servers, the most common gateways are web servers, email servers, and DMZ servers.

Fortunately, companies are not helpless and can take certain steps to help prevent attacks. The primary step they can take is to perform periodic vulnerability scans and routine penetration tests. A network visibility map can be used by an organization to determine what exposures and targets are visible on the network, and then you can plan out how to patch the holes. A security administrator should also identify and prioritize the top 10-15 critical assets and then focus the majority of their efforts on those critical assets, while the other assets reap the benefit of the other security measures. Prioritizing the top assets also helps to stay on track with risk reduction. Another aspect J.P. Morgan can improve is performing small scans instead of one massive, company-wide scan. Small scans allow you to scan the critical assets without having to scan the minor details entailed in the macro system. All companies should understand the value of penetration testing.
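The timestamp problem described above (IDS, firewall, OS and web logs stamped in different local time zones) is illustrated by the following Python example, added here and not part of the original paper; the four log formats, the addresses and the event IDs in it are constructed sample data. Every record is converted to UTC before events are grouped by source address, which is the step that lets one burst of activity be recognised across devices that disagree about the local hour.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records (not real breach data): four sources, each in its own timestamp format and local time zone.
RAW_LOGS = [
    ("ids",      "2015-04-25T14:03:10Z alert sid=1001 src=203.0.113.7 dst=10.0.5.20"),
    ("firewall", "Apr 25 2015 10:03:12 -0400 DENY src=203.0.113.7 dst=10.0.5.20 dport=445"),
    ("web",      '203.0.113.7 - - [25/Apr/2015:07:03:15 -0700] "GET /login HTTP/1.1" 401'),
    ("windows",  "2015-04-25 16:03:20 +0200 EventID=4625 src=203.0.113.7 user=svc_backup"),
    ("web",      '198.51.100.9 - - [25/Apr/2015:09:30:00 -0700] "GET /index.html HTTP/1.1" 200'),
]

# Per-source regex that isolates the timestamp, plus the strptime format that parses it.
FORMATS = {
    "ids":      (r"^(\S+Z)", "%Y-%m-%dT%H:%M:%SZ"),
    "firewall": (r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4})", "%b %d %Y %H:%M:%S %z"),
    "web":      (r"\[([^\]]+)\]", "%d/%b/%Y:%H:%M:%S %z"),
    "windows":  (r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})", "%Y-%m-%d %H:%M:%S %z"),
}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def normalize(source, line):
    """Return (utc_ts, local_ts, src_ip, source); utc_ts is the key that makes correlation possible."""
    pattern, fmt = FORMATS[source]
    local = datetime.strptime(re.search(pattern, line).group(1), fmt)
    if local.tzinfo is None:            # ISO 'Z' form: strptime yields a naive value; Z means UTC
        local = local.replace(tzinfo=timezone.utc)
    # In all four constructed formats the first IPv4 literal is the client/source address.
    return local.astimezone(timezone.utc), local, IPV4.search(line).group(0), source

def correlate(raw_logs, window_seconds=60):
    """Group events by source IP into bursts whose neighbouring events are <= window apart."""
    by_ip = defaultdict(list)
    for source, line in raw_logs:
        utc, _, ip, src = normalize(source, line)
        by_ip[ip].append((utc, src))
    clusters = []
    for ip, events in by_ip.items():
        events.sort()                   # UTC order, regardless of which device wrote the line
        current = [events[0]]
        for event in events[1:]:
            if (event[0] - current[-1][0]).total_seconds() > window_seconds:
                clusters.append((ip, current))
                current = []
            current.append(event)
        clusters.append((ip, current))
    return clusters
```

Read on their wall-clock strings, the four 203.0.113.7 records look nine hours apart (07:03 to 16:03); after normalization they form one ten-second burst seen by the IDS, the firewall, the web server and the Windows host in turn.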
Penetration testing can be defined as "…the technique of attempting to gain access to a network without knowledge of the network itself." [3] The goal of penetration testing is to determine if an attacker can gain access to the network and critical assets without triggering detection mechanisms.

[3] Minimizing Damage From J.P. Morgan Data Breach (https://www.sans.org/reading-room/whitepapers/casestudies/minimizing-damage-jp-morgan-039-s-data-breach-35822)

Whether the measures taken, or that should be taken, by J.P. Morgan should also be taken by other companies is more a question of budget, and of whether the company has the financial resources available for such a focused and specialized craft. Obviously, you would expect a bank or other financial institution to spend more money on security than a pizzeria, but not many companies can afford to spend $250
million on security alone. Some cost-effective alternatives include the use of honeypot access points, periodic pen testing, and employee education. Honeypot APs are brilliant because you establish one and configure it to look like a normal AP. It is a wonderfully simple, yet elaborate, trap in which the only traffic that would traverse the honeypot AP comes from an attacker or an anonymous user, both of whom can cause serious issues in their own way. Periodic penetration testing allows you to frequently check whether your defenses have any obvious, and some not-so-obvious, vulnerabilities that an attacker could potentially use against you. Above all, there is no defense like a workforce who understands the dangers lurking on the Internet and the various social engineering threats. While centralized logging is very useful when used properly, it is rather expensive to implement and maintain. If you do not have the resources to utilize the logging to its fullest and have a team dedicated to centralized logging, it is not worth the time or the money and will be the equivalent of a wet noodle.

While the Whitepaper contained a large amount of useful information, I did not find a satisfactory explanation of two-factor authentication and sought outside resources to help explain it in more detail or take a different approach to explaining it. The first article was from threatpost.com [4], and it describes two-factor authentication as "…a user logs in with their chosen name and password, and then must use a second form of authentication such as software or hard token, or PIN sent to a mobile or landline." The second article was from computerworld.com [5], and it described two-factor authentication as "…combines the use of static passwords with one-time-use access codes generated by physical hardware devices or mobile apps."
The third article was from esecurityplanet.com [6], and I believe it offers a perfect summary of the problem of compromised credentials. It states that "…until companies divorce the belief that users and accounts are the same thing, and begin monitoring account usage, vigilantly searching for compromised account usage, this trend of breaches will continue."

[4] Two-Factor Snafu Opened Door to JPMorgan Breach (https://threatpost.com/two-factor-snafu-opened-door-to-jpmorgan-breach/110119)
[5] Two-Factor Authentication Oversight Led to JPMorgan Breach (http://www.computerworld.com/article/2862578/twofactor-authentication-oversight-led-to-jpmorgan-breach-investigators-reportedly-found.html)
[6] Entry Point Identified for JPMorgan Chase Breach (http://www.esecurityplanet.com/network-security/entry-point-identified-for-jpmorgan-chase-breach.html)