Dark Reading is part of the Informa Tech Division of Informa PLC
This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
Dr.T That is what I am saying, two-form factor authentication should have been a basic requirement. This is a Bank not an online site selling t-shirts. Someone ought to loose their job(s), but this Chase, where your account is more likely to be closed than any potential security hole.
What's most disturbing here is that we look to financial institutions as the "gold standard" for security.
@Kelly Your point is absolutely correct, there is no argument there. But I ask, was this assumption ever realistic and earned ? The Banks will argue they have a low rate of breeches Well what is that actually due to ? It has been implied that the financial industry was the best in this regard because after all - security is in their best interest.
And that is where the issue of security becomes blurred IMO. What is the business that Chase (in this case) is in ? It is not the security business nor altruism. It is deposits and profits. That is is all Chase and any other financial institution is concerned with because that is their business.
This issue of security, (oh well ) that is regulated by the Government, in this case the 3rd. party to absorb blame should something go wrong, Which ironically is needed because without it (Government) nothing would happen in a consistent way.
I refuse to see this latest "dropped security ball" from Chase, Sony ( and Target for that matter ) as purely a technical issue - that is too easy in my opinion. Nor ignore that this is a reflection of their culture and business practice in general. There is no shying away from this IMO.
The reactions of Chase ( the delayed announcement..etc) and Sony ( it's everyone's problem response) only underscore the fact that these companies are not in the business of security nor apparently in employing it effectively.
@ODA155 Happy New Year to you as well ! No I am not a Chase insider, I should have said " I am reasonably certain...." instead of I know. I would never work at Chase , though I guess I could be bought. : )
No I am just a citizen and admin who has not quite gotten over the financial industry induced depression quite yet. My opinions have also been formed by being a former customer of theirs - the bank is simply terrible. If they invested as much in security as they do for expansion( a Chase on every corner ring a bell ?) , this issue probably would have never happened.
Rumor has it they are the oldest Bank in the U.S. and they act like it - so it is with great glee that I expose a few more aspects of Chase other than their inability to safeguard the data entrusted them.
I am patiently waiting for the next blunder by Chase ( and Sony for that matter) because it is sure to happen. Just in the case of Chase though, we won't know exzactly know when the latest breech happened until they are apparently good and ready.
It may be time to remind Chase execs again, that neither they nor their vaunted business is above the Law.
@jamieinmontreal You raise some excellent points about this issue of security. And I do certainly agree that the Security industry does not do itself any favors with the customary convoluted software which would tax the best admins among us.
It reminds me of troubleshooting a firewall about 10 years ago - the manual at the time was the size of a book you might see in Law school or Congress. It was a major challenge to sift through an interface that was even at that time confusing at best. I finally did get access through a port that was needed, but it was one of my most challenging projects up until that point. So I understand security is no easy job, but vendors can and should make things much easier for admins.
And you bring up another great point about the vastness of security layers. This certainly makes this issue even more difficult. Not to mention the regulations.
But I think what annoys me most is what Kelly mentioned earlier in the thread, if we can't depend on those in the the financial industry to take those steps that mere mortals fear to tread, what hope do we really have ?
Sony is a prime example of this - many believe that there is a separate group which took down their Playstation network. So not only have they been breeched, it is by two distinct groups ! What security hole are these companies overlooking ? I know security experts hate to think they don't have a solution, but in Sony's case - this appears to be true.
But in the case of Chase ? There is simply no excuse, ( not to imply there is one for Sony either) these companies have more than enough resources to get the best experts. This did not happen and why ? Because as you mention (and I also agree ) security is seen as an expense and it is clear companies have a conducted risk analysis on the amount of bad press and potential loss that a breech might cause.
I like your ideas for improvement - I hope the industry hears us because it is obvious that the practices that are in place - Just are not working.
@ODA155 I agree. Software is just one piece of this puzzle. And I thank you for taking the time to do the deep thinking on the issue. I agree with your listed shortcomings, chief among them is research and incorporating security tools within the current infrastructure.
And it sounds simple but you know someone was alerted and apparently it was ignored. That is an aspect that makes this all the more reason that someone should loose their job over this. Which we are and will continue to wait on.
Regardless your points are well taken, and it might be wise for Chase and all the rest of these companies to take heed to your recommendations (and to anyone who cares to comment ) because if this continues to happen, it won't continue to be funny.
"...The JPMorgan hackers were able to access more than 90 of the bank's servers, but were detected before they got to sensitive customer financial information."
Chase really expects the public to believe this ? Of course they do - they are Chase after all. This is literally amazing, I believe the word is ludicrous.
Just what is Chase doing for those millions of customers whose data was compromised ? (and an uncomfortable silence ensues).
I think I will just keep asking until I get an answer.
"... Some of these attacks are exaggerated by news channels and social media."
@Dr, T I agree. A lot of these attacks are misunderstood banter on the Net. But what really annoys me is that Chase apparently sat on this information for a long time. Considering they should have released this news as soon as they were aware. Enough with how the public is going to perceive you.
I for one already know Chase is using "smoke and mirrors" when it comes to security. They are doing no more than is required by law, and that apparently isn't enough.
So why did it take them so long to release this information ? Only the nieve amongst us really believes Chase or any Net facing business is ever safe from a breech.
If Chase thinks we the public would think less of them because of this, well it has long since been too late for that.
The 10 Most Impactful Types of Vulnerabilities for Enterprises TodayManaging system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Incident Readiness and Building Response Playbook
In this special report, learn the Xs and Os of any good security incident readiness and response playbook.
Tweet This
1 Comments
User Rank: Ninja
12/24/2014 | 8:49:25 PM
"....the big hole that led attackers to the data was the lack of two-factor authentication of one of the bank's network servers."
What can you say about this ? Seriously two-factor authentication ?! This is simply blantant carelessness by admins and the Bank itself. I am not about to let Chase off the hook for this in it's entirety, but looking at it from a micro-level it is clear ( to me at least) that someone was asleep at the wheel. Taking their job for granted maybe ?
Whatever the case, it does not speak well of Chase ( I am not sure anything could actually) nor does it speak well of their IT department.
I wonder if this is the same (IT) group that handles high frequency trading and the rest ? If not get them on this issue - they have a proven track record of success.