The latest in this nasty chain of breaches is JP Morgan Chase, possibly the largest bank in the US. Chase had released a statement on the breach saying that around one million customers had been affected. That is not an insignificant number, but it is small when compared to the ones at Target and Home Depot. Now, in a securities filing that was released recently, the number has shot up to 76 million individuals and around seven million small businesses.
The breach began in June and remained undetected until July, giving the attackers a month to dig around in the system. From some of the details that have emerged, it seems that the attackers were able to put together a list of applications that Chase commonly uses on its computer systems. Some of these might have been guesses that allowed them to identify multiple exploits and dive in. This is not an uncommon tactic in planning a breach: across multiple applications (web and local) you can often find vulnerabilities that exist in one or more apps, or even some that show up only because you are using two apps together. Flash and older versions of Internet Explorer are one example of how two applications can open a security hole where there might not be one individually.
This careful planning allowed the attackers to hit as many as 90 servers inside the company and also to give themselves what amounted to enterprise-level credentials. They had massive access inside the system by the time the security team at Chase even noticed they were there. The depth of the breach is very worrying, as they were able to enter and move around without making too much noise. This is not always a common tactic with attackers who want to get in and get out with data. They will set up additional methods of returning (accounts on different servers, malware, backdoors, etc.), but in general they are trying to grab the loot and get out. This is what usually tips off the people who are watching the store.
As of this writing, Chase is claiming that no money or actual account information was taken and that there has been no evidence of fraud. This is probably not going to alleviate concerns over Chase’s security, though, as they also originally told the public that only one million people were affected.
Security is typically one of the biggest expenses in any IT budget, and not the least of these expenses is properly trained people to keep an eye on things. However, the trend has been to hand some of these duties out to service providers or to reduce the amount of money spent on training in order to keep the budget under control. Because of these factors there can be high turnover in security teams, which leads to a very inconsistent state of security. The same thing is happening in the rest of the IT world, leaving networks running with different philosophies on security and basic infrastructure. When you roll in pressure from vendors for easier access and executive pressure to keep things simple, it is a disaster waiting to happen.