Hacker Attack on Banks Shows Need to Lock Down Employee PCs
All banks, regardless of size, must invest more in technology despite shareholder pressure to cut costs, said Victor Nichols, a former CIO at Wells Fargo and current director at Bank of Hawaii.
Russian hackers attacked JPMorgan Chase and at least four other banks this month in a coordinated assault that resulted in the loss of gigabytes of customer data, according to two people familiar with the investigation.
Boards at community banks are being asked to have greater oversight of cybersecurity issues as data breaches continue to mount. The challenge is balancing such work with other demands.
The Department of Homeland Security has sounded an alarm about Backoff, a relatively new type of malware. The warning was directed mainly at retailers' point-of-sale networks, but banks are also susceptible.
It is every CEO's nightmare: you wake up to screaming headlines that your company's computer system has been hacked.
The full story behind, and the threat posed by, a hacker attack on JPMorgan Chase and other banks were still fuzzy as the news coverage roared Thursday.
But if even some of the reported details are correct, the episode sends three important warnings to banks about: the increasing power of malware attacks, the vulnerability of employees and their home personal computers to phishing and other attacks, and the ability hackers seem to have to roam freely around banks' networks once they have broken through the front door.
Hackers reportedly siphoned off gigabytes of data, including checking and savings account information, in a series of coordinated attacks this month on JPMorgan.
The hackers broke into the bank's network through the personal computer of an employee who was working from home, according to The Wall Street Journal. From there, the intruders reportedly were able to move further throughout the network, possibly through the employee's virtual-private-network connection.
"The weak link in this case is an employee, as their personal computer got infected with malware, and we can guess how that happened," said Stu Sjouwerman, CEO of security consulting firm KnowBe4. "They clicked on a link or were social engineered to open up an attachment that carried a malicious payload. The human is the weak link in IT security, and this latest data breach again shows how true this is."
Avivah Litan, vice president of Gartner and a close follower of security events in the financial services industry, cautioned against any overreaction to the news. The realistic goal of security is to prevent or minimize damage, she said.
"Hackers are always probing bank systems," she said. "They have probably been in there for years, and there have probably been multiple actors, ranging from financial hackers to state-sponsored cyberspies."
Banks' safeguards should be able to catch and shut down any financial crimes, such as fake wire transfers, that result from this data breach, Litan said.
"Large financial services companies can protect their, and our, financial assets such that a massive robbery cannot take place," she said. "And it's safe to assume information is no longer confidential, and we just have to compensate for that by preventing the use of stolen information for illicit purposes. It's just the new world order."
JPMorgan has not seen "unusual" fraud activity, spokeswoman Trish Wexler said Thursday in an email.
The bank has committed to spend more than $250 million a year on cybersecurity and to have 1,000 workers focused on cybersecurity by the end of 2014.
An FBI official confirmed that the agency is conducting an investigation at multiple banks but shared few other details.
"We are working with the United States Secret Service to determine the scope of recently reported cyberattacks against several American financial institutions," Joshua Campbell, the supervisory special agent at the FBI's national press office, said in an email.
STEPS TO TAKE
In the meanwhile, banks of all sizes are seeking tips about how to defend themselves.
"There are many things that can be done, in terms of constant monitoring or administration of the system to prevent access to sites," said Victor Nichols, a director at Bank of Hawaii and a former chief information officer at Wells Fargo. "It's all a bit intrusive. Limiting team members' connectivity into an environment is necessary."
He noted that employee security training needs to vigilantly remind employees what they should be looking for, and that banks need to carefully manage vendors' access to their networks.
Samuel Visner, a senior vice president at security consulting firm ICF International, pointed out that banks need to continuously monitor network activity. Visner speculated that the hackers compromised the administrative privileges of a program operator and that the targeted organizations lacked the governance, risk and compliance capabilities necessary to monitor the use of those privileges, so the compromise went undetected and unquestioned.
"When you have gigabytes of data go across the wire unnoticed until it's too late, that supports that theory," said Bill Christman, vice president of the cybersecurity line of business at ICF.
Visner also theorized that the attackers conducted disciplined reconnaissance to find out who had administration privileges, the security of their home network and how they connected to the banks.
Some reports have suggested the hackers started with a broad phishing attack. There was, in fact, a massive phishing attack reported against JPMorgan on Aug. 21.
But such an approach would be inefficient, Visner argued. "We've seen that kind of opportunistic approach, but from an efficiency perspective, I can be more efficient by going right to that person. Phishing attacks are not uncommon," he said.
The earlier phishing attack, in fact, could have been a smokescreen for the cybertheft.
"If I want to go undetected, the more noise I make, the better off I am, because then your analysts are going to be looking elsewhere when behind the scenes I'm doing something to your networks," Christman said.
The key takeaway for banks and other potential targets of such attacks, according to Bob Olson, the head of the global financial services practice at Unisys, is that even when hackers break in, there should be impediments to traversing the entire network.
Several security measures would help here, he said.
One is stronger authentication, such as requiring users to present tokens or biometric evidence of their identity such as a facial scan or thumbprint.
Second is limiting users' access to data and programs, so they have access only to what they absolutely need and sensitive information is "cloaked" or hidden from most users.
Third is collecting enough information about network activity so that if a user is accessing information throughout the organization, red flags will go up.