1. Gerry Zapantis JPMorgan Chase Data Breach 4/25/2015
In the span of three months (June-August 2014), about 83 million customer records were stolen from the databases of JP Morgan Chase. Of those roughly 83 million customer records, 76 million were households and 7 million were small businesses. The information that was stolen included customer name, physical address, phone numbers, email addresses, and a table that had customers sorted into categories such as mortgage type, credit card, or private banking. The attackers were able to breach more than 90 servers through a zero-day vulnerability on an overlooked and neglected server. The vulnerability was a neglected server that had failed to receive a two-factor authentication update, which left the security professionals with no warning, no time to secure assets, and no time to bolster defenses and patch holes. Access to the network was gained through an employee's infected machine and resulted in stolen credentials when the employee logged into one of the many servers hosted by JP Morgan. The breach was detected when a charity website hemorrhaged usernames and passwords, which was noticed by Hold Security, Inc. The platforms that were infected include Chase.com, JPMorganOnline, Chase Mobile, and JPMorgan Mobile, and the attack would have continued to go unnoticed if JP Morgan security personnel had not been tipped off by Hold Security analysts.
The first lesson that JP Morgan learned from this attack was the value of having a well-educated workforce. It is very important to keep the front line strong because ordinary employees are not thinking about the ramifications of connecting their mobile phone to the company Internet. They are not thinking about the security risk of keeping a static password for an extended period of time. Their focus is not on preventing an infection from spreading. Ordinary employees will panic when something goes wrong, and they are not trained to cope with the stress. Training does not need to be a drawn-out process of seminars and lectures; it can be as simple as providing employees with copies of documentation on how to deal with unexpected events, as well as who to contact. According to the SANS whitepaper [1], social engineering is one of the most successful access points for attackers and "is the technique of tricking or manipulating someone into providing information through the exploitation of human vulnerabilities. Phishing, spam, mail attachments, or the impersonation of someone that they're not are some of the popular forms of social engineering." The SANS whitepaper also states that training should be "...specific, measureable, achievable, realistic and time-based" and should allow the employees to aid in the start of the DR plan.

[1] Minimizing Damage From J.P. Morgan's Data Breach, pages 5-6 (https://www.sans.org/reading-room/whitepapers/casestudies/minimizing-damage-jp-morgan-039-s-data-breach-35822)
The second topic that J.P. Morgan needed to focus their efforts on was segregation and protecting critical assets. It is not easy to determine the level of access needed by each department, or employee, because there is a fine line between users having so little access that functionality drops and having a virtually open network with loose user restrictions. Some middle ground needs to be determined so everyone stays happy and the data remains secure. According to the SANS whitepaper [2], the goal of segregation is to "...restrict access to critical segments so that critical assets are not accessible to everyone on the internal network." Segregating the network into smaller subsections has multiple advantages. One major advantage is that it is much easier to manage multiple smaller segments than one massive group. The more users you are attempting to monitor, the harder it is to notice abnormal traffic, and it is entirely possible for an attack to go unnoticed in the sea of legitimate traffic. Segregation also has advantages when DR is taken into account. It is much easier to shut down a portion of the system than it is to shut down the entire system. It is much simpler to shut down a VLAN than the entire system because a VLAN is localized, whereas shutting down the entirety of the system has ramifications that could potentially do more damage than the actual threat itself. Managing many networks is not an easy task and requires managers who are capable of multitasking, and the policies and procedures only work if the employees adhere to them. A company could have the best policies and procedures in the world but be completely vulnerable if the employees do not implement those actions. One way to control how much access a user has is to follow the "Least Privilege" philosophy and give the user as much access as they need to complete their tasks, but nothing further and nothing except what they need to work. Another method of control is RBAC (Role-Based Access Control), whose philosophy mandates that only one role at a time can be open for any specific user. It also mandates that the previous role is removed whenever an employee begins a new role. The key is to leave no lingering roles, because a lingering role is a potential access point for an attacker. J.P. Morgan also failed to protect their critical assets, namely their customer database. To their credit, account numbers, social security numbers, and other extremely sensitive information were kept from the attacker, and the attack was undiscovered for only about three months. However, J.P. Morgan was lucky because one of their companion sites noticed usernames and passwords had been taken from their systems. The major threat to critical assets is privilege escalation, whether vertical or horizontal. Vertical escalation is essentially achieved through buffer overflow and can be stopped with routine patching, keeping anti-virus software up to date (as well as the virus signature database), and controlling MAC through RBAC. Horizontal escalation is essentially achieved through the use of stolen credentials and can be prevented with HIPS and user education. Another way to protect critical assets is to use VLANs to create an onion-like structure within your network, where each layer of the onion is a layer of protection for your critical assets. VLANs alone are not enough, however, but they can be a great deterrent when coupled with firewalls. Firewalls are great because they offer excellent TCP-level protection at network perimeters as well as at the entrances to critical assets.

[2] Minimizing Damage From J.P. Morgan Data Breach (https://www.sans.org/reading-room/whitepapers/casestudies/minimizing-damage-jp-morgan-039-s-data-breach-35822)
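The RBAC rule described above (one active role per user, the previous role revoked on every change, and no lingering roles) is easier to reason about in code. The following is an added example, not code from this paper or the SANS whitepaper; the role names, permissions and the HR-feed audit are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed role-to-permission table; the names are illustrative only.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "teller": {"view_account", "post_deposit"},
    "loan_officer": {"view_account", "approve_loan"},
    "dba": {"read_customer_db", "write_customer_db"},
}

@dataclass
class User:
    name: str
    role: Optional[str] = None
    revoked: List[Tuple[str, str]] = field(default_factory=list)  # (old role, date)

class RBAC:
    """One active role per user; the prior role is revoked on every change."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def assign_role(self, name: str, role: str, date: str) -> User:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        user = self.users.setdefault(name, User(name))
        if user.role is not None:
            # Revoke the old role before granting the new one: nothing lingers.
            user.revoked.append((user.role, date))
        user.role = role
        return user

    def permissions(self, name: str) -> Set[str]:
        user = self.users.get(name)
        if user is None or user.role is None:
            return set()
        return set(ROLE_PERMISSIONS[user.role])

    def can(self, name: str, permission: str) -> bool:
        return permission in self.permissions(name)

    def lingering_roles(self, hr_roles: Dict[str, str]) -> Dict[str, str]:
        """Audit against an HR feed (user -> current role; absent = departed).
        Returns users whose active role no longer matches HR's record."""
        return {
            name: user.role
            for name, user in self.users.items()
            if user.role is not None and user.role != hr_roles.get(name)
        }
```

The audit is the piece worth running on a schedule: a user who left or changed jobs in HR but still holds a role in the access system is exactly the lingering access the paragraph warns about.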
The third topic that J.P. Morgan should take note of is the importance of monitoring, logging, and scanning, and how each can be used, in conjunction with the others, to protect your systems. Monitoring is very important because it allows you to detect an intrusion before it can do "real" harm, where real harm would be an action such as spreading beyond containment or vertical escalation to obtaining root privilege. Monitoring can be aided by NIDS (Network-based Intrusion Detection Systems), but they tend to be rather expensive and require a dedicated and well-versed team to monitor the NIDS. While this is not an issue for J.P. Morgan, who spend $250 million per year on security alone, NIDS and the appropriate support are beyond the means of most companies, barring the obvious Fortune companies. The key to a successful IDS is an up-to-date and diverse signature database. Those signatures allow the IDS to determine what is a threat and what is normal and legitimate traffic. Another positive aspect of implementing NIDS is the possibility of detecting zero-day exploits with a proper and vast signature database. The issue is that monitoring is useless if you do not have a baseline to compare suspected traffic against. If you do not know what is supposed to be transmitted, it is impossible, barring an obvious name like virus.exe or imheretowreakhavok.exe, to detect an increase, or decrease, in network activity. Central logging is very important because the logs are the record, the digital fingerprint, of digital activity. Logs are important enough that attackers focus their attack in a way to avoid detection and erase their log entries, because a log is a clear indication of an intrusion. However, like monitoring, logging is useless if you do not know what is abnormal. Logs are only really useful when you have consistent time stamps, because it is difficult to correlate logs from an IDS, firewall, OS, web logs, and switches and routers if all devices and logs have different timestamps, which is entirely possible if a device is configured in a different time zone. Logs are not very useful if you only have one log, because you have nothing to compare it against to spot any anomalies. For logging to be effective, baseline logging from access points, access to critical data, and access to databases needs to be recorded over a period of time. For Windows servers, the most common gateways are web servers, email servers, and DMZ servers. Fortunately, companies are not helpless and can take certain steps to help prevent attacks. The primary step they can take is to perform periodic vulnerability scans and routine penetration tests. A network visibility map can be used by an organization to determine what exposures and targets are visible on the network, and then you can plan out how to patch the holes. A security administrator should also identify and prioritize the top 10-15 critical assets and then focus the majority of their efforts on those critical assets while the other assets reap the benefit of the other security measures. Prioritizing the top assets also helps to stay on track with risk reduction. Another aspect J.P. Morgan can improve is by performing small scans instead of one massive, company-wide scan. Small scans allow you to scan the critical assets without having to scan the minor details entailed in the macro system. All companies should understand the value of penetration testing. Penetration testing can be defined as "...the technique of attempting to gain access to a network without knowledge of the network itself." [3] The goal of penetration testing is to determine if an attacker can gain access to the network and critical assets without triggering detection mechanisms.
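The timestamp problem raised above (an IDS, a firewall and an OS writing logs in different formats and time zones, so that the same incident cannot be lined up) is concrete enough to show in code. This is an added example, not from the paper or the whitepaper: every log line, hostname and address is constructed, and the per-device zones (IDS in local time UTC-4 with no zone marker, Windows host in UTC with no marker, firewall with an explicit offset) are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
# Assumed device zones: the IDS is set to local time (UTC-4) and writes no zone
# marker; the Windows host writes UTC with no marker; the firewall writes an offset.
IDS_TZ = timezone(timedelta(hours=-4))

SOURCES = {
    # source: (timestamp regex, strptime format, zone assumed when absent)
    "fw": (r"^(\S+)", "%Y-%m-%dT%H:%M:%S%z", None),
    "ids": (r"^(\S+)", "%m/%d/%Y-%H:%M:%S", IDS_TZ),
    "win": (r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)", "%Y-%m-%d %H:%M:%S", timezone.utc),
}

SAMPLE_LOGS = [  # constructed lines, one incident seen by three devices
    ("fw", "2014-07-14T02:15:07+00:00 fw01 DENY src=10.1.4.22 dst=10.1.9.5 dport=1433"),
    ("ids", "07/13/2014-22:15:09 ids01 ALERT sid=1001 msg=sql_probe src=10.1.4.22"),
    ("win", "2014-07-14 02:15:11 srv-db01 EventID=4624 LogonType=3 src=10.1.4.22"),
    ("win", "2014-07-14 05:40:02 srv-db01 EventID=4624 LogonType=2 src=10.1.2.8"),
]

def parse(source, line):
    """Return (utc_time, source, message) for one log line."""
    pattern, fmt, default_tz = SOURCES[source]
    match = re.match(pattern, line)
    if not match:
        raise ValueError(f"unparsable {source} line: {line!r}")
    stamp = datetime.strptime(match.group(1), fmt)
    if stamp.tzinfo is None:  # no offset in the line: apply the device's zone
        stamp = stamp.replace(tzinfo=default_tz)
    return stamp.astimezone(timezone.utc), source, line[match.end():].strip()

def correlate(logs, window_seconds=10):
    """For each IDS alert, gather non-IDS events within +/- window_seconds."""
    events = sorted(parse(src, line) for src, line in logs)
    window = timedelta(seconds=window_seconds)
    findings = []
    for ts, src, msg in events:
        if src == "ids":
            related = [e for e in events if e[1] != "ids" and abs(e[0] - ts) <= window]
            findings.append((ts, msg, related))
    return findings

def apparent_skew_hours(source, line):
    """Hours an event would be misplaced if its missing zone were read as UTC."""
    pattern, fmt, _ = SOURCES[source]
    raw = datetime.strptime(re.match(pattern, line).group(1), fmt)
    if raw.tzinfo is not None:
        return 0.0
    return (raw.replace(tzinfo=timezone.utc) - parse(source, line)[0]).total_seconds() / 3600
```

Without the zone correction the IDS alert lands four hours before the firewall deny and the server logon it belongs to, which is the failure mode the paragraph describes.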
Whether the measures taken, or that should be taken, by J.P. Morgan should also be taken by other companies is more a question of budget and whether the company has the financial resources available for such a focused and specialized craft. Obviously, you would expect a bank or other financial institution to spend more money on security than a pizzeria, but not many companies can afford to spend $250 million on security alone. Some cost-effective alternatives include the use of honeypot access points, periodic pen testing, and employee education. Honeypot APs are brilliant because you establish one and it is configured to look like a normal AP. It is a wonderfully simple, yet elaborate, trap in which the only traffic that would traverse the honeypot AP is from an attacker or an anonymous user, and both can cause serious issues in their own way. Periodic penetration testing allows you to frequently check whether your defenses have any obvious, and some not-so-obvious, vulnerabilities that an attacker could potentially use against you. Above all, there is no defense like a workforce who understands the dangers lurking on the Internet and the various social engineering threats. While centralized logging is very useful when used properly, it is rather expensive to implement and maintain. If you do not have the resources to utilize the logging to its fullest and have a team dedicated to centralized logging, it is not worth the time or the money and will be the equivalent of a wet noodle.

[3] Minimizing Damage From J.P. Morgan Data Breach (https://www.sans.org/reading-room/whitepapers/casestudies/minimizing-damage-jp-morgan-039-s-data-breach-35822)
While the whitepaper contained a large amount of useful information, I did not find a satisfactory explanation of two-factor authentication and sought outside resources to help explain it in more detail or take a different approach to explaining it. The first article was from threatpost.com [4], and it describes two-factor authentication as "...a user logs in with their chosen name and password, and then must use a second form of authentication such as software or hard token, or PIN sent to a mobile or landline." The second article was from computerworld.com [5], and it described two-factor authentication as "...combines the use of static passwords with one-time-use access codes generated by physical hardware devices or mobile apps." The third article was from esecurityplanet.com [6], and I believe it offers a perfect summary of the problem of compromised credentials. It states that "...until companies divorce the belief that users and accounts are the same thing, and begin monitoring account usage, vigilantly searching for compromised account usage, this trend of breaches will continue."
[4] Two-Factor Snafu Opened Door to JPMorgan Breach (https://threatpost.com/two-factor-snafu-opened-door-to-jpmorgan-breach/110119)
[5] Two-Factor Authentication Oversight Led to JPMorgan Breach (http://www.computerworld.com/article/2862578/twofactor-authentication-oversight-led-to-jpmorgan-breach-investigators-reportedly-found.html)
[6] Entry Point Identified for JPMorgan Chase Breach (http://www.esecurityplanet.com/network-security/entry-point-identified-for-jpmorgan-chase-breach.html)