A detailed analysis of one of the biggest data breaches in history: what J.P. Morgan Chase & Co. did wrong, and proposed mitigation techniques. The data breach at J.P. Morgan Chase is yet another example of how our most sensitive personal information is in danger.

Case Study: Information Security Risk Analysis on the Cyberattack on J.P. Morgan Chase & Co.
Written by: Badejo, Victor Oluwajuwon
14th February, 2016
Abstract
In what is considered by many to be one of the biggest breaches in history, the cyberattack on J.P. Morgan Chase & Co. in July 2014 has left many with questions about the overall security of our cyberspace. The attack was made public in September 2014, but it was discovered by the bank's security team in late July 2014 and was not completely halted until the middle of August. This case study shows in its analysis that the accounts of over 76 million households and 7 million small businesses were exposed when dedicated criminals exploited vulnerabilities in the Workstation, LAN and Remote Access domains of the company's IT infrastructure. Because two-factor authentication had not been turned on for one server, the hackers eventually gained high-level administrative privileges inside the bank, and over 90 of the bank's servers were affected. Given the level of sophistication of the attack, it is believed that it was planned for months and may have involved some coordination with, or assistance from, a foreign government.
Further analysis narrows the breach down to one of confidentiality. The study then breaks the attack down into threat, vulnerability and threat action. It proposes mitigation techniques, such as more thorough hardening of network systems, to avoid a recurrence, and countermeasures, such as a security freeze, to deal with the risk that has already materialized and with future threats resulting from the cyberattack. The data breach at J.P. Morgan Chase is yet another example of how our most sensitive personal information is in danger.
Key Terms
Confidentiality, cyberattack, workstation domain, LAN domain, remote access domain, spear phishing, boilerplate advice, two-factor authentication.
1. Introduction
J.P. Morgan Chase & Co. is one of the world's biggest banks, controlling total assets worth more than $2.59 trillion. The company is engaged in investment banking, financial services for consumers and small businesses, commercial banking, financial transaction processing and asset management. Its activities are organized into four business segments: Consumer & Community Banking, the Corporate & Investment Bank, Commercial Banking (CB) and Asset Management (The New York Times Company, 2008). It is also the world's sixth largest bank in terms of total assets. A bank with such a record would definitely be a prime target for cybercriminals. By spending millions annually on security, the bank has maintained a high level of performance over the years.
In July 2014, the largest bank in the United States fell victim to a well-planned cyberattack. The hackers compromised the accounts of 76 million households and 7 million small businesses. "Names, addresses, phone numbers and email addresses of the holders and small business accounts, 83 in total, were exposed when computer systems at J.P. Morgan Chase & Co were compromised by hackers, making it one of the biggest data breaches in history" (Agrawal, 2014). An intrusion that began in June and wasn't discovered until July shows the depth of the breach. "By the time the bank's security team discovered the breach in late July, hackers had already obtained the highest level of administrative privilege to dozens of the bank's computer servers" (Silver-Greenberg, 2014). The fact that it took so long to detect the attack shows how vulnerable J.P. Morgan and other financial institutions are to cybercrime.
2. Analysis
The cyberattack on J.P. Morgan exposed new levels of vulnerability in financial institutions. Previous breaches at banks had involved theft of personal identification numbers for ATM accounts, not burrowing deep into the internal workings of a bank's computer systems (Silver-Greenberg, 2014). Prior to the attack, financial institutions were considered safe because of their investments in mitigating online threats as well as in training security staff. This made the breach difficult to detect, as it exploited vulnerabilities the company had probably accepted as residual risk.
The hackers were able to obtain a list of the applications and programs that ran on the bank's computers, and used vulnerabilities in these programs and applications to build a road map into the bank's systems. The cybercriminals gained high-level access to the company's systems, but the bank was able to detect and stop them before they could siphon customer accounts.
2.1 Addressing CIA
Confidentiality
Clearly, the cyberattack on J.P. Morgan Chase & Co. was a breach of confidentiality. "The hackers were able to review information about a million customer accounts and gain access to a list of the software applications installed on the bank's computers" (Goldstein, 2014). The goal of confidentiality is to ensure the protection of private and/or personal information; J.P. Morgan Chase & Co. clearly failed to protect the information of its customers.
Although it might be difficult to find every last vulnerability, below is a breakdown of the attack into threat, vulnerability and threat action, by IT infrastructure domain.

Workstation Domain (unintentional threats)
  Threat: uninformed employees (lacking proper security training).
  Vulnerability: session hijacking as a result of improper security measures; outdated patching of programs and applications; malware installation due to outdated antivirus.
  Threat action: undetected and unauthorized access to programs and applications that interact with servers on the network through the workstation.

LAN Domain (intentional threats)
  Threat: hackers.
  Vulnerability: failure to upgrade one of its network servers; two-factor authentication switched off on a server; new patches not applied.
  Threat action: access to an insecure server through which further confidential information was retrieved; names, addresses, phone numbers and e-mail addresses of 83 million account holders exposed; the possibility that crooks might be able to produce more convincing phishing attacks using the stolen information.

Remote Access Domain (intentional threats)
  Threat: hackers.
  Vulnerability: failure to check login passwords for case sensitivity on the website.
  Threat action: remote access to the company's website by unauthorized users, who in turn stole valuable information.
2.2 Addressing the Typical IT Infrastructure Domains
2.2.1 Workstation Domain
The hackers were able to exploit vulnerabilities in the workstation domain and eventually gained access to the programs and applications installed on J.P. Morgan's systems. This threat action could have been possible through session hijacking of an inactive user. Once the hackers had the list of programs and applications running on the systems, they cross-checked these programs for further vulnerabilities, i.e. security weaknesses. It could also have been the result of outdated anti-virus software that permitted malware to be installed on the system; the malware's function could have been to read and record the programs and applications running on the system. This then became an entry point into the company's servers.
2.2.2 LAN Domain
After gaining initial access through the workstation domain, the hackers continued their exploitation of the network at the LAN domain, as a result of vulnerabilities present there as well. "Hackers broke into J.P. Morgan's network through a giant security hole left open by a failure to switch on two-factor authentication on an overlooked server. Its failure to upgrade one of its network servers meant that access was possible without knowing a combination of a password and the value of a one-time code. The working theory is that hackers used compromised access to the insecure server as a launchpad for attacks against more sensitive systems." (Leyden, 2014)
At this point, the hackers already had a strong foothold, with access to login credentials, high-level passwords, and the list of all programs and applications. The attack could therefore be continued remotely, and it was only a matter of time before the hackers were able to break into 90 servers in the company, thereby gaining access to millions of customers' details.
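The condition Leyden describes, a server reachable with a password alone, next to the check that should have been in place, a password plus a one-time code, in a small Python model. This is an added example, not code from the case study or from the bank; the user records, passwords and the "legacy-srv" account standing in for the overlooked server are constructed, and the one-time code routine follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) using the RFC's published test-vector secret.

```python
"""Password-only vs password-plus-TOTP server login.

Added model of the "two-factor authentication switched off on a server"
condition. Not code from the case study or from the bank; every user,
secret and password here is constructed for the example.
"""
import hashlib
import hmac
import struct
import time
from typing import List, Optional

SALT = b"constructed-static-salt"      # one salt for brevity; use per-user salts in practice
RFC_SECRET = b"12345678901234567890"   # RFC 4226/6238 test-vector secret


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 100_000)


# Constructed account records. "legacy-srv" stands in for the overlooked server.
USERS = {
    "ops-admin":  {"pw_hash": _hash_pw("CorrectHorse"), "totp_secret": RFC_SECRET, "mfa_enabled": True},
    "legacy-srv": {"pw_hash": _hash_pw("hunter2"),      "totp_secret": RFC_SECRET, "mfa_enabled": False},
}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the counter floor(unix_time / step)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                        # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _password_ok(rec: dict, password: str) -> bool:
    return hmac.compare_digest(rec["pw_hash"], _hash_pw(password))


def _totp_ok(rec: dict, code: Optional[str], now: Optional[int]) -> bool:
    """Accept the current 30-second window or the previous one (clock drift)."""
    now = int(time.time()) if now is None else now
    return any(hmac.compare_digest(totp(rec["totp_secret"], now - d), str(code or ""))
               for d in (0, 30))


def login(user: str, password: str, code: Optional[str] = None, now: Optional[int] = None) -> bool:
    """As deployed on the overlooked server: the second factor is checked only where
    it is enabled, so a stolen password alone opens any account whose flag is off."""
    rec = USERS.get(user)
    if rec is None or not _password_ok(rec, password):
        return False
    if not rec["mfa_enabled"]:
        return True                        # the gap: password was sufficient
    return _totp_ok(rec, code, now)


def login_strict(user: str, password: str, code: Optional[str] = None, now: Optional[int] = None) -> bool:
    """Hardened policy: a second factor is mandatory; an account without one is denied."""
    rec = USERS.get(user)
    if rec is None or not _password_ok(rec, password):
        return False
    if not rec["mfa_enabled"]:
        return False
    return _totp_ok(rec, code, now)


def mfa_coverage_gaps() -> List[str]:
    """The inventory check that finds "overlooked" accounts before an attacker does."""
    return sorted(u for u, rec in USERS.items() if not rec["mfa_enabled"])


if __name__ == "__main__":
    t = 59
    print("RFC 6238 vector, t=59 ->", totp(RFC_SECRET, t))
    print("password-only login to legacy-srv:", login("legacy-srv", "hunter2"))
    print("strict login to legacy-srv:", login_strict("legacy-srv", "hunter2"))
    print("ops-admin with valid code:", login_strict("ops-admin", "CorrectHorse", totp(RFC_SECRET, t), now=t))
    print("accounts without MFA:", mfa_coverage_gaps())
```

`login` reproduces the failure mode: the policy is only as strong as the per-account flag, and one unset flag is enough. `login_strict` refuses rather than silently falling back to password-only, and `mfa_coverage_gaps` is the periodic inventory query that would have surfaced the overlooked server. The TOTP routine can be checked against the RFC test vectors (secret `12345678901234567890`: t=0 gives 755224, t=59 gives 287082).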
2.2.3 Remote Access Domain
The website for a corporate challenge organized by the bank, which was managed by a third party, was attacked as well. "Following the bank's investigation, it was discovered that the hackers had compromised some users' login and password details to the website. After the Corporate Challenge attack, J.P. Morgan sent a letter to some website users saying that it had discovered that hackers had compromised login credentials and passwords. But the bank does not believe that the website attack was the entry point for the broader intrusion into J.P. Morgan's network." (The New York Times Company, 2008)
The remote access domain was exploited as a result of users who logged into the company's website from various locations for a corporate challenge organized by the bank. Although the bank's claim might be true, it also points to the fact that vulnerabilities in the site were exploited by hackers who used remote access as an entry point to the bank's systems. The level of penetration is what is left unknown. Some users complained in the comment section of the New York Times publication that the website was not case sensitive in accepting passwords. According to one woman, "There is an ongoing security issue where the application (website) is not checking the login passwords for case sensitivity. I am able to log in to my account irrespective of whether I enter uppercase or lowercase alphabets. This is a major security risk and Chase doesn't seem to have been bothered about it. I have opened a ticket with customer service but haven't heard back from them."
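What the complaint above amounts to in code, and why it matters: a login check that folds case before comparing accepts every upper/lower-case variant of the real password, which hands part of the password's keyspace to a guesser. This is an added illustration, not code from the case study or from the website it discusses; the account record, salt handling and sample passwords are constructed, and the "vulnerable" variant is only one plausible way the behaviour could arise.

```python
"""Case-insensitive password verification: the defect and the corrected check.

Added example, not code from the case study or the website it discusses;
the account and passwords are constructed.
"""
import hashlib
import hmac
import os


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Account:
    """Constructed record. The vulnerable variant keeps a hash of the
    case-folded password, so the typed case can never be checked."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = _pbkdf2(password, self.salt)                  # correct store
        self.pw_hash_folded = _pbkdf2(password.lower(), self.salt)   # vulnerable store


def verify_case_insensitive(acct: Account, attempt: str) -> bool:
    """Vulnerable: folds case before hashing, so 'Secret', 'SECRET' and 'secret' all pass."""
    return hmac.compare_digest(acct.pw_hash_folded, _pbkdf2(attempt.lower(), acct.salt))


def verify(acct: Account, attempt: str) -> bool:
    """Correct: hash the attempt exactly as typed and compare in constant time."""
    return hmac.compare_digest(acct.pw_hash, _pbkdf2(attempt, acct.salt))


def case_variants_collapsed(password: str) -> int:
    """How many distinct typed strings the folded check accepts for this password:
    2 ** (number of characters with distinct upper and lower forms). Each such
    letter is one bit of guessing work the site gave away."""
    return 2 ** sum(1 for ch in password if ch.lower() != ch.upper())


if __name__ == "__main__":
    acct = Account("Tr0ub4dor&3")            # constructed password
    for attempt in ("Tr0ub4dor&3", "tr0ub4dor&3", "TR0UB4DOR&3"):
        print(f"{attempt:12} strict={verify(acct, attempt)!s:5} folded={verify_case_insensitive(acct, attempt)}")
    print("variants accepted by the folded check:", case_variants_collapsed("Tr0ub4dor&3"))
```

A mixed-case password with seven letters loses seven bits under the folded check: a wordlist of all-lowercase guesses, the cheapest kind, succeeds against it directly. The fix is in the data model as much as in the comparison: store a hash of the password exactly as entered, and never normalize case on the way in.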
2.3 Mitigation Techniques
The vulnerabilities that were exploited can be categorized into two main groups.
Disclosure: a situation whereby unauthorized users gain access to information or information systems.
Interception: a situation whereby unauthorized users copy information from servers or on networks.
The bank could have avoided the attack if it had considered the following:
i. Employee awareness: more attention should be given to the training of staff, as they are more likely to reveal personal information without realizing it. Regular practice-based tests would ensure employees are up to date with the vulnerabilities associated with their jobs. The hackers most likely got the list of all programs running on the bank's systems through an employee's work computer. Better employee awareness could have prevented disclosure.
ii. Hardening network operating systems and network devices: if proper patches had been applied regularly, the level of access of the attackers could have been reduced and the bank would have avoided the breach of its servers. Failure to switch on two-factor authentication shouldn't be happening at such a large organization. This ultimately could have prevented interception.
2.3.1 Countermeasures
The analysis clearly shows that the bank suffered a confidentiality breach. The best way to mitigate such a loss would be to look into possible further threats that could occur with the information gathered. We therefore look at two main ways to reduce the impact of the loss:
i. Security Freeze
ii. Boilerplate Advice
Security Freeze: "A Credit Freeze, also known as a Security Freeze, is a way for you to have maximum control of access to your credit. A more dramatic step to protect your credit." (TransUnion, 2016). A security freeze would be a good countermeasure for customers of J.P. Morgan after such a hack on the company. Security freezes are basically designed to prevent a credit reporting company from releasing your credit report without your consent. While it interferes with the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, government services or payments, utilities or other services, it blocks the main avenue for monetary loss, new credit opened in the customer's name, during this period (Security Freeze, n.d.).
Boilerplate Advice: After the hack, J.P. Morgan advised customers on its website that it does not believe they need to change their passwords or account information. This seems like the wrong decision. A template that states the ways customers can protect themselves from phishing attacks should be distributed to them. "Regularly monitor all of your accounts; read every transaction on your credit statement every month; and check each of your three credit reports regularly, which you are allowed to do free at least once a year." (Bernard, 2014)
3. Conclusion
What the hackers are planning to do with the data from J.P. Morgan remains unknown. The biggest risk is that they will try to extract more sensitive information from affected consumers. "It is possible that the thieves could sell the J.P. Morgan data to others, who could then combine it with publicly available information, found through census data or social media," said Pam Dixon, executive director at the World Privacy Forum. What this means is that although the hack has been detected and stopped, customers of J.P. Morgan are still likely to be victims of spear phishing.
3.1 Silver Lining
Despite the fact that over 76 million accounts were affected by the hack, there are still some positives to note. One good point is that no monetary loss was incurred by the customers affected. Although the fact that no money was taken did not necessarily mean it was a case of state-sponsored espionage, it could mean the hackers were able to access a call log of whom to victimize but were detected and couldn't siphon customer accounts. A log of whom to victimize was stolen, but that by itself is not enough to steal someone's identity. According to Kristin Lemkau, a J.P. Morgan spokeswoman, "We are confident we have closed any known access points and prevented any future access in the same way" (Goldstein, 2014). Ms. Lemkau added that the bank had "not seen any unusual fraud activity" since the intrusion was discovered, and said that there was "no evidence that they have taken any proprietary software" or had a "blueprint" of the bank's computer network (Goldstein, 2014).
Goldstein (2014) asks a good question: "Have some other trapdoors been left over that can be accessed?" The claim is that there is no evidence of a breach of closely guarded information. Absence of evidence, however, does not constitute evidence of absence. According to Bruce Schneier, "Security is out of your control, the only thing you can do is agitate for laws about regulating third-party use of your data and how they store it, use it and collect it" (Bernard, 2014).
References
Bernard, T. S. (2014, October 3). Ways to Protect Yourself After the JPMorgan Hacking. The New York Times. Retrieved from http://www.nytimes.com/2014/10/04/your-money/jpmorgan-chase-hack-ways-to-protect-yourself.html?ref=dealbook
Goldstein, N. P. (2014, September 12). After Breach, JPMorgan Still Seeks to Determine Extent of Attack. The New York Times. Retrieved from http://www.nytimes.com/2014/09/13/technology/after-breach-jpmorgan-still-seeks-to-determine-extent-of-attack.html?ref=dealbook&_r=0
Leyden, J. (2014, December 23). JPMorgan Chase mega-hack was a simple two-factor auth fail. The Register. Retrieved from http://www.theregister.co.uk/2014/12/23/jpmorgan_breach_probe_latest/
Security Freeze. (n.d.). Experian. Retrieved from http://www.experian.com/consumer/security_freeze.html
Silver-Greenberg, M. G. (2014, October 2). DealBook, The New York Times. Retrieved from http://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/?_php=true&_type=blogs&_r=1
Sousa, L. D. (2016, January 26). Risk Management Fundamentals. Vancouver, British Columbia, Canada.
Tanya Agrawal, D. H. (2014, October 2). Thomson Reuters. Retrieved from http://www.reuters.com/article/us-jpmorgan-cybersecurity-idUSKCN0HR23T20141003
The New York Times Company. (2008). The New York Times Company. Retrieved from http://topics.nytimes.com/top/news/business/companies/morgan_j_p_chase_and_company/index.html
TransUnion. (2016). Credit Freeze. TransUnion LLC. Retrieved from https://www.transunion.com/credit-freeze/place-credit-freeze
Wikipedia. (2015, December 8). Wikipedia. Retrieved from https://en.wikipedia.org/wiki/2014_JPMorgan_Chase_data_breach