Key Security Takeaways for European Financial Institutions
By Mathew J. Schwartz, October 13, 2014.
The breach of financial giant JPMorgan Chase in the United States poses difficult questions for the financial services industry. Namely, if hackers can infiltrate Chase, is any financial institution safe?
JPMorgan Chase has confirmed that the breach affected personal information, such as e-mail addresses, tied to 76 million U.S. households as well as 7 million businesses.
With news of the breach still trickling in, information security experts weigh in on the Chase breach implications for financial services firms located in Europe:
1. Everyone is a Target
One breach fact - for any financial institution, anywhere in the world - is that they're a potential target, says Alan Woodward, a professor in the Department of Computing at the U.K.'s University of Surrey, as well as a cybersecurity adviser to Europol. "The U.K. banks have recognized for some time that this is the case - the Bank of England has been running simulations with the banks to test out defenses. But sadly, as we all know, the bad guys only need to get through once to cause a problem."
Dublin-based cybersecurity consultant Brian Honan, who heads Ireland's computer security incident response team, notes: "No matter how effective your security program is, there will always be risks."
So information security experts recommend businesses focus resources on preventing hacks as well as quickly detecting intrusions, rapidly remediating breaches, and always staying abreast of the latest changes - both offensive and defensive. "Banks, and all organizations, should conduct regular risk assessments taking into account the latest developments in threats and cybercrime capabilities," Honan says.
That's especially important for financial institutions around the world, given the preponderance of legacy systems in their IT environments, says London-based Gavin Millard, the European, Middle East and Africa technical director at Tenable Network Security. "It is also critical that organizations continuously monitor their infrastructure for vulnerable and weakly configured systems to identify any springboard into the network that could be utilized to gain further access and exfiltrate sensitive data," he says. "If a legacy system - of which there are many at banks and financial institutes - can't be upgraded, appropriate compensating controls have to be in place to protect them."
2. Remediate Phishing Vulnerabilities
Unconfirmed details of the JPMorgan Chase investigation suggest the financial institution got hacked after the PC of an employee who was working remotely was exploited (see: Alleged Bank Hack Tied to Phishing). One takeaway from that scenario is that businesses should make sure that employees are not reusing their work username and password on third-party sites. That's because those sites could get hacked, with the credentials obtained and then put to use by attackers to break into corporate environments.
"Organizations need to do more in understanding their extended attack surface and never assume that 'user@CorporateEmail' and 'CorporatePassword' haven't been used elsewhere to create accounts on third-party systems or spear-phished," Millard says. "Pro-actively banning the use of corporate e-mail addresses to sign up to any third party Web services and enforcing good password best practices should be standard for all organizations."
3. Breach Regulations Will Change Awareness
To date, the majority of breaches - and especially massive data breaches - have involved U.S. organizations, leading some commentators to assume that European organizations are simply more secure. Currently, however, European financial services firms are under no obligation to publicly disclose when their networks get breached. But the EU is considering a new data breach notification law, which would require any business that suffers a breach involving customer data to notify regulators and consumers "without undue delay" (see EU Prepares Tough Breach Notification Law).
But if the law does pass, expect it to reshape notions of how secure - or insecure - financial firms are in Europe, says Jeremy King, international director of the PCI Security Standards Council. "For too long, we've sort of swept the problem under the carpet. It's very interesting - and maybe it's no coincidence - that because of the breach notification rules in the U.S., we hear about these big breaches, and people have this strange thought that it's not happening over here, and that's really because the breaches are happening, but they're not being reported, because we can hide them," he says.
4. Beware of the Blame Game
Who hacked JPMorgan Chase? Numerous "sources" - all speaking anonymously - have been cropping up in U.S. media coverage of the Chase breach.
Ignore it, says Jeffrey Carr, CEO of threat-intelligence firm Taia Global. "Public attribution by cybersecurity vendors is usually nothing more than a marketing play where the vendor is hoping to get his company's name mentioned by The New York Times or another major paper by claiming that China or Russia is behind the attack," he says. "Public attribution by U.S. government officials may be done to push their political agenda. Regardless of who is doing it, ill-informed guesswork at who's responsible is always a bad idea because it serves no constructive purpose and provides cover for attackers from other parts of the world who want investigators to look East while they're attacking from the West."
5. Market-Crashing Attacks Remain Unlikely
To date, no JPMorgan Chase breach commentators have been able to answer this crucial question: What were the Chase hackers seeking? President Obama repeatedly asked this question of his briefing team, and no one could provide him with a solid answer, The Times reports.
But Carr says the hackers likely were not trying to crash financial markets. "JPMorgan and other international banks are vulnerable to attack in countless ways much more serious than this one - attacks by insiders, by trusted vendors, by finding zero-days in hardware, firmware, and software, etc. - and many of those ways would be invisible to their respective security teams," he says. "The fact that the world's biggest banks have avoided any major financial disruption is not because they aren't vulnerable. It's because it's in no one's interest to conduct a breach big enough to start a global panic, which a successful attack against JPMorgan would have done."