JP Morgan Hack

Simple Security Measures Could Have Prevented JP Morgan Hack


A JP Morgan employee’s personal computer was used to breach the bank’s network, according to a Wall Street Journal report on Thursday. Access to the PC enabled intruders “to leapfrog to additional data because the machine accessed had administrative privileges.”

There are now at least 13 other financial institutions linked to the security breach at JP Morgan. It was originally reported the hackers only targeted five banks. A source close to the investigation told Businessweek that computers used by hackers in the JP Morgan attack were linked to other possible probes at various financial institutions.

Companies now named in the investigation include Citigroup Inc., HSBC, E*Trade, Regions Financial and Automatic Data Processing. Signs of intrusion were detected, but the attempts were stopped by technology that was already in place. Last week, JP Morgan reported in a regulatory filing that over 76 million customer accounts were affected by the intrusion.

Multiple law enforcement agencies are now investigating including the Federal Bureau of Investigation, National Security Agency, Department of Homeland Security, US Attorney’s office in Manhattan and New York’s Department of Financial Services.

Having measures in place to prevent hacking in the first place is the best strategy to prevent leaking sensitive data. In a conversation with the WHIR on Thursday, Andrew Avanessian, EVP of Avecto Consultancy & Technology Services, said there are generally commonalities between the kinds of breaches at companies like JP Morgan, Target and Home Depot. Implementing simple security measures, such as restricting administrative privileges and blocking all programs that aren’t whitelisted, takes care of most potential security holes. These are among the suggestions made by the Council on Cybersecurity.
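The two controls named above, keeping day-to-day accounts out of the local Administrators group and enforcing an application allowlist, are things an administrator can verify on a Windows workstation in a few lines. The script below is an added example for this article; it is not code from the WHIR, Avecto or the Council on Cybersecurity. It assumes Windows 10 / Server 2016 or later (for the LocalAccounts module and the AppLocker cmdlets) and the approved-admin list is a constructed placeholder you would replace with your own standard.

```powershell
# Added example, not from the article: audit a workstation against two of the
# controls discussed in the text (least privilege and application whitelisting).
# Assumptions: Windows 10 / Server 2016+; run in an elevated PowerShell session.

# Constructed placeholder list. Only a break-glass local account and a dedicated
# admin group should be here; ordinary user accounts should not.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # placeholder: local break-glass account
    'CORP\Workstation-Admins'            # placeholder: dedicated admin group
)

# Check 1: which principals hold local admin rights outside the approved list?
function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved = $ApprovedAdmins)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$unapproved = Get-UnapprovedLocalAdmins
if ($unapproved) {
    Write-Warning 'Accounts holding local admin rights outside the approved list:'
    $unapproved | Format-Table -AutoSize
} else {
    Write-Output 'Local Administrators group matches the approved list.'
}

# Check 2: is an application allowlisting policy actually being enforced?
# Get-AppLockerPolicy -Effective -Xml returns the merged local + domain policy;
# each <RuleCollection> carries Type (Exe, Dll, Script, Msi, Appx) and
# EnforcementMode (NotConfigured, AuditOnly, Enabled).
[xml]$policyXml = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
$collections = @($policyXml.AppLockerPolicy.RuleCollection)

if (-not $collections -or $collections.Count -eq 0) {
    Write-Warning 'No AppLocker rule collections found: unapproved programs are not blocked.'
} else {
    foreach ($rc in $collections) {
        $ruleCount = $rc.ChildNodes.Count
        $status = if ($rc.EnforcementMode -eq 'Enabled') { 'OK' } else { 'NOT ENFORCED' }
        '{0,-6} rules={1,-3} mode={2,-14} {3}' -f $rc.Type, $ruleCount, $rc.EnforcementMode, $status
    }
}
```

The first check is the one the article's own facts point at: an account that does not need administrative rights should not be in that group, because a compromised admin workstation is what let the intruders "leapfrog" further. The second check reports each AppLocker collection in AuditOnly or NotConfigured mode as not enforced, since a policy that only logs is a detective control and does not block anything.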

Avanessian says that many breaches aren’t caused by malware or something that’s been downloaded to machines.

“There’s always a common theme for me that spreads across all of these things; it’s the approaches they take to their security posture which for me is the reason they get breached,” said Avanessian. “The data breaches are simple IT administration tasks that are carried out. Look at Target for example, I think it was like 12 steps the hackers took to breach their environment and only two of those steps actually involved a piece of malware payload being downloaded onto the machine. The rest of the activity was IT administration tasks carried out day in, day out by administrators.”

This seems to be exactly the case with JP Morgan since an employee’s computer with administrative privileges was the original source of the breach.

Security Infographic

“So the key takeaway for me is that what lots of organizations try to do is to be detectives. They try to look for odd activity in the environment, they try to detect the bad guys doing something, and with that you’re always two, three or more steps behind the bad guy,” Avanessian says. “One of the things we always advocate, and I’m astounded how many times this holds true in all of these breaches that come out in the media, is that you take a proactive approach to security. Lots of the time these issues, these attacks, simply would not be the case if those organizations were very proactive about their security rather than reactive.”

For at least some of the financial institutions probed, existing security measures prevented the hackers from breaching their networks. ADP noticed activity from the same criminals but reported no breach from the scan of its defenses. Others weren’t so lucky. Fidelity reported hacking in relation to the JP Morgan attacks. Fortunately, no customer data was taken.

“We have no indication that any Fidelity customer sites, accounts, information, services or systems were affected by this matter,” a Fidelity spokesman said.


One Comment

  1. DoktorThomas™

    This article is mindless dribble, not worth the bytes it consumed on my machine. Simply because one can bank online doesn't mean anyone should. Ever. Air gapping internal services at all junction points is simple and effective to obtain and remain secure when data transport is not left to credentialed mindless twerps occupying desk space just to get a paycheck. If one is not more involved, they don't deserve their position. Hint: share the wealth. No one inside the front door who can access the mainframe with their computer device should have any sort of access to the Internet whatsoever. Ditto wireless carriers. None. Zippo. Nada. No one person nor machine should have direct access to all 76M accounts nor the associated data. Snail mail is, like most analog devices, not easily crackable. Email is most undesirable and unsafe. If your company or computer is on a local power grid (receiving electricity from a utility power company), you are hackable and crackable, despite what ANYONE may tell you. That is the mere tip of available penetrations. What's your body cam policy? IT in general has no idea what it is doing, what is going on and operates strictly in the responsive mode making breach easy. Proactive is the only effective security; nobody has that. Machines can be as complicated and powerful as physics can allow but their security will always pale compared to face-to-face interpersonal transactions. Solution: fire the machines. In the end, computers are merely toys... ©2014 Doktor Thomas™. All rights reserved. This material may not be used, published, broadcast, rewritten, paraphrased, nor redistributed without written permission. All statutory exemptions/exceptions specifically revoked by author. Protected by Amendment, Federal law and international treaty.
For educational use only--not intended as legal, medical, accounting, tax, financial or other advice; for readers to use as such violates TOS and may entail imposition of financial penalty and other sanctions. Limited license granted for use on