JPMorgan Chase was one of the latest Fortune 500 companies to fall victim to an electronic attack in 2014. On Aug. 28 the company acknowledged it had been the target of a broad attack which, given its reported complexity and breadth, may well have been state-sponsored. Early reports said bank records had been altered and deleted, potentially affecting thousands of customers, and that as many as seven financial institutions may have been hit by the same campaign.
The attack did not succeed because JPMorgan Chase lacks a serious information security program. In his April 2014 letter to shareholders, CEO Jamie Dimon stated that by the end of 2014 the firm would be spending more than $250 million a year on cybersecurity and would have about 1,000 people dedicated to it. That is not a small program, especially when you consider that Google is reported to have roughly 400 people dedicated to security despite a far larger Internet-facing footprint than any bank.
The fact is, investment and retail banks tend to spend a larger share of their budgets on information security than most other sectors do: their technology infrastructure is extensive, and they are natural high-value targets. They hold the money, so of course they are attacked more often.
If banks are spending so much on the problem, why are attackers still succeeding? One reason is that over the past two years attackers have come to rely less on traditional "low-tech" phishing. Phishing has not become less common, but it appears to be somewhat less successful, perhaps because years of security awareness training and of encouraging employees to report suspicious messages are finally starting to pay off.
But that partial vacuum has been filled by a worse problem: far more advanced attack vectors that exploit a much larger technology footprint, both Internet-facing and inside the organization. As the set of network-connected technologies grows, from the mobile devices of a decade ago to the "Internet of Things" of today, and as organizations adopt the cloud, what we have to manage from a security standpoint grows with it. When organizations started buying laptops and mobile devices by the pallet back in the 90s and 2000s, security staff warned that the firewall was no longer the only barrier between their technology and the bad guys. When the corporate world began adopting the cloud in earnest five years ago, the same warning applied: the "network" that needed protecting was now partly controlled by a completely different party. And with the rise of the Internet of Things, physical devices that can be compromised now sit inside the network. The corporate firewall has fewer and fewer friends as the definition of a network keeps expanding.
So what does this have to do with the JPMorgan Chase breach? The JPMorgan Chase case just happens to be the most recent successful one. Last year's Target attack was another example of an unexpected vector that let malware in behind the perimeter firewall, and there will be many more. What is most telling about the JPMorgan Chase case is that security automation did not alert the company's personnel until after accounts had already been modified. Once the attackers were through the door, they were free to move through the network until they found the data they were after, and during that time nothing appears to have flagged the activity as unusual.
That, unfortunately, points to the modern problem we face: information security controls, especially monitoring and blocking controls, are still enforced primarily at the network perimeter, while relatively little effort goes into the servers and endpoints behind the firewall. If we are going to detect and stop these attacks, either the activity of the malware itself or the traces it leaves behind (a workstation authenticating to servers it has never touched, account records changing from an unexpected host) must be detectable and reportable long before the confidentiality and integrity of business data is affected.
And that is the heart of the problem. Technologies ranging from data leak prevention (DLP) to PKI-based and multi-factor authentication to SIEM and event monitoring can all be used to track the activity of users and processes within an environment. Today, however, most of them are still deployed at the network perimeter, when they also belong inside the network, watching individual users and the inter-process communication between IT systems. With the adoption of technologies that extend our trust boundaries, the idea of a "network perimeter" gets very blurry. It is true that moving these controls from the perimeter, whatever that even means these days, onto internal networks and systems adds complexity and latency to business applications. But organizations need to weigh the risks: is it better value to the business (and its customers) to isolate, monitor, and alert on activity inside the network as diligently as at the perimeter, or to roll the dice and hope that when they are attacked, and eventually they will be, it simply won't make the headlines? Tough choices, indeed.
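What "monitoring inside the network" looks like in practice, as an added example that is not from the article and not any bank's tooling: a small SIEM-style correlation over constructed internal authentication and account-modification log lines. The log format, hostnames, user names, baseline period, time window and threshold are all assumptions made for the illustration. Two rules run over the same events. One flags a host that authenticates to several distinct internal servers within a short window, the fan-out typical of lateral movement; the other flags an account-record change by a host/user pair that never made such changes during a baseline period. In the constructed data the fan-out rule fires before the record is modified, which is exactly the gap described above.

```python
"""Detection logic over constructed internal log lines.

Added illustration, not code from the article and not any bank's tooling. The
log format, hostnames, users, window size, threshold and baseline period are
assumptions chosen for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <event> <src_host> <dst_host> <user>".
# Day 1 is ordinary activity; early on day 2 one workstation fans out across
# internal servers and then modifies a record in the core banking database.
SAMPLE_LOG = """\
2014-08-20T09:01:00 AUTH ws-114 file-srv-01 jdoe
2014-08-20T09:03:10 AUTH ws-114 mail-srv-01 jdoe
2014-08-20T10:15:00 ACCT_MOD admin-ws-02 core-banking-db svc_batch
2014-08-20T10:15:30 AUTH ws-114 file-srv-01 jdoe
2014-08-21T02:11:00 AUTH ws-114 hr-srv-01 jdoe
2014-08-21T02:11:20 AUTH ws-114 dc-01 jdoe
2014-08-21T02:11:45 AUTH ws-114 core-banking-app jdoe
2014-08-21T02:12:05 AUTH ws-114 backup-srv-01 jdoe
2014-08-21T02:12:30 AUTH ws-114 core-banking-db jdoe
2014-08-21T02:13:00 ACCT_MOD ws-114 core-banking-db jdoe
"""

LEARNING_UNTIL = datetime(2014, 8, 21)   # assumption: day 1 is the baseline period
WINDOW = timedelta(minutes=10)           # assumption: fan-out window
FANOUT_THRESHOLD = 4                     # assumption: distinct hosts before alerting


def parse(log_text):
    """Turn the whitespace-separated sample format into dicts, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, src, dst, user = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "src": src, "dst": dst, "user": user})
    events.sort(key=lambda e: e["ts"])
    return events


def lateral_movement_alerts(events, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """One alert per source host that authenticates to >= threshold distinct
    internal hosts inside a sliding time window. Fires on the event that
    crosses the threshold, i.e. before anything downstream happens."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "AUTH":
            by_src[e["src"]].append(e)
    alerts = []
    for src, auths in by_src.items():
        start = 0
        for end, e in enumerate(auths):
            while e["ts"] - auths[start]["ts"] > window:
                start += 1
            targets = {a["dst"] for a in auths[start:end + 1]}
            if len(targets) >= threshold:
                alerts.append({"rule": "lateral_movement", "ts": e["ts"], "src": src,
                               "user": e["user"], "targets": sorted(targets)})
                break   # report the first window that trips, not every later one
    return alerts


def account_modification_baseline(events, learning_until=LEARNING_UNTIL):
    """(src_host, user) pairs that modified account records in the learning period."""
    return {(e["src"], e["user"]) for e in events
            if e["event"] == "ACCT_MOD" and e["ts"] < learning_until}


def unusual_modification_alerts(events, baseline, learning_until=LEARNING_UNTIL):
    """Account record changes from a host/user pair never seen doing so before."""
    return [{"rule": "unbaselined_account_modification", "ts": e["ts"], "src": e["src"],
             "user": e["user"], "targets": [e["dst"]]}
            for e in events
            if e["event"] == "ACCT_MOD" and e["ts"] >= learning_until
            and (e["src"], e["user"]) not in baseline]


def detect(log_text):
    """Run both rules and return alerts in the order they would have fired."""
    events = parse(log_text)
    baseline = account_modification_baseline(events)
    alerts = lateral_movement_alerts(events) + unusual_modification_alerts(events, baseline)
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["rule"], a["src"], a["user"], ",".join(a["targets"]))
```

In a real deployment the events would come from domain controller or server authentication logs and from database audit logs rather than a string, and the window and threshold would need tuning against normal fan-out by administrators, backup jobs and vulnerability scanners, which otherwise become steady sources of false positives. The point the example makes stands regardless of tuning: both rules need only the telemetry already generated inside the network, and the lateral-movement rule fires on the fourth internal authentication, roughly a minute before the account record changes.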