Was JP Morgan Chase the Only Victim?

Seven large banks said recently that they had no indication that their systems had been breached in the latest cyber attack on financial institutions, the Wall Street Journal and Financial Times both reported. Bank of America, Wells Fargo, U.S. Bancorp, PNC Financial Services Group, Bank of New York Mellon, State Street and SunTrust Banks all said they have not detected signs of a breach. The FBI and other agencies are investigating possible Russian involvement in the attack, which may have been conducted by breaking into the personal computer of an employee working from home. Finally, the Washington Post asks a question that is important to you and me, but apparently not so much to banks: why are customers usually the last to know that their personal information has been stolen in a cyber attack?
I researched this story and I could not find any other banks that were named. I must add that JP Morgan didn't exactly admit they were hacked, but they said they were investigating the possibility.
Ok, still, why does it happen?
Ok, but we still have to understand why it is happening. Every enterprise organization has "stringent" security policies in place, at least on paper. How can this happen? With Target, it has been pretty much determined that they did indeed drop the ball on enforcing their own security. They were complacent. They became lax.
So there must be something someone can do, right?
If malware was downloaded, the checksum of the affected files no longer matches the known-good image; heck, the compromised computer's image as a whole must now be different from the original. And how does nobody notice data going from that computer to a remote server in Russia? I'm willing to bet that if the logs were studied (and I am quite sure they were) you would find enough abnormalities to raise an alarm.
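The two checks argued for above, as an added example that is not part of the original post: a per-file integrity diff against a golden-image baseline (a whole-image checksum also changes on every legitimate patch, so per-file baselines are what is actually usable), and a review of firewall log lines for outbound traffic to destinations outside an allowlist, flagging the large transfers a bulk exfiltration produces. The file contents, paths, log layout (timestamp, source, destination, bytes, action) and allowed networks are all constructed for the example and are not taken from any vendor or from the breach itself.

```python
"""Added example (not from the original post): two checks that should
fire on a compromised workstation.

1. File-integrity diff: hash every file of a host against a baseline
   taken from the golden image and report modified, added and removed
   files.
2. Egress review: scan firewall log lines for allowed outbound traffic
   to destinations outside an allowlist and mark large transfers.

Every input below is constructed in memory for the example; the log
layout (timestamp src dst bytes action) is an assumption, not a real
vendor format.
"""
import hashlib
import ipaddress


def baseline_from(files):
    """files: {path: bytes}. Returns {path: sha256 hexdigest}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_diff(baseline, current_files):
    """Compare a stored baseline against the host's current files."""
    current = baseline_from(current_files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def suspicious_egress(log_text, allowed_nets, large_bytes=10 * 1024 * 1024):
    """Return allowed outbound flows whose destination is not in allowed_nets.

    Each finding records whether the transfer is at or above large_bytes,
    the kind of volume a bulk exfiltration produces and a quiet
    connection to an update server does not.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes, action = line.split()
        if action != "ALLOW":
            continue  # blocked flows were already stopped at the firewall
        dst_ip = ipaddress.ip_address(dst)
        if any(dst_ip in net for net in allowed_nets):
            continue
        findings.append({
            "time": ts, "src": src, "dst": dst,
            "bytes": int(nbytes), "large": int(nbytes) >= large_bytes,
        })
    return findings


# Constructed golden image and the same host after a hypothetical implant.
GOLDEN_IMAGE = {
    "C:/Windows/System32/svchost.exe": b"legitimate svchost bytes",
    "C:/Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
}
COMPROMISED_HOST = {
    "C:/Windows/System32/svchost.exe": b"legitimate svchost bytes",
    # hosts file edited to point an update domain at an attacker host
    "C:/Windows/System32/drivers/etc/hosts":
        b"127.0.0.1 localhost\n198.51.100.7 updates.example.com\n",
    "C:/Users/alice/AppData/Roaming/update.exe": b"dropper bytes",
}

# Constructed firewall log: time, source, destination, bytes, action.
# 10.20.30.41 stands in for the home worker's machine and 198.51.100.7
# (a documentation-range address) for the remote server.
FIREWALL_LOG = """\
2014-08-01T02:13:07Z 10.20.30.41 10.20.1.5 4096 ALLOW
2014-08-01T02:14:10Z 10.20.30.41 198.51.100.7 52428800 ALLOW
2014-08-01T09:02:33Z 10.20.30.41 203.0.113.10 1200 ALLOW
2014-08-01T09:05:12Z 10.20.30.52 10.20.1.5 8192 ALLOW
2014-08-01T09:06:00Z 10.20.30.52 192.0.2.9 700 DENY
"""
# Internal address space plus one sanctioned external range (assumed values).
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]

if __name__ == "__main__":
    print(integrity_diff(baseline_from(GOLDEN_IMAGE), COMPROMISED_HOST))
    for finding in suspicious_egress(FIREWALL_LOG, ALLOWED_NETS):
        print(finding)
```

On the sample data the integrity diff reports the edited hosts file and the new executable in the user's profile, and the egress review returns a single 50 MiB flow to the unlisted address at two in the morning, while the denied flow and the traffic to sanctioned ranges are ignored. Neither check needs a signature for the malware; both only need a baseline and someone reading the output.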
If we were to look at 10 companies, we would probably find a plague of unacceptable security policies. Where we found seemingly good policies, we would find that they are grossly out of date. We could start with password management. How often do I hear users complain when they have to change their password every year? What would they say if best practices were followed and passwords were changed every 45 to 120 days? As I mentioned before, permissions on privileged accounts are very often woefully out of date. The information security industry constantly comes up with the greatest, most comprehensive solutions you can imagine. I'm willing to bet most of these unacceptable practices could be halted by a simple security audit.
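What that simple audit looks like in practice, as an added example that is not part of the original post: a script run over a constructed directory export that flags passwords outside the rotation window, privileged group memberships that have gone stale, and the related case of a disabled account still sitting in an admin group. The field names, group names and policy numbers are assumptions chosen for the example. One caveat a practitioner would add: current NIST guidance (SP 800-63B) no longer recommends scheduled password rotation on its own, only rotation when compromise is suspected, so the rotation window is a parameter here; the stale-privilege check is the one that holds up regardless of which rotation policy an organization picks.

```python
"""Added example (not from the original post): an account-hygiene audit
over a constructed directory export. Field names, group names and policy
numbers are assumptions for the example, not any product's defaults."""
from dataclasses import dataclass

# Groups whose membership should be reviewed regularly (assumed names).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "DBA"}


@dataclass
class Account:
    name: str
    groups: set
    password_age_days: int    # days since the password was last set
    days_since_logon: int     # use a large value for "never logged on"
    enabled: bool = True

    @property
    def privileged(self):
        return bool(self.groups & PRIVILEGED_GROUPS)


def audit(accounts, max_password_age=90, stale_after=60):
    """Return (account name, issue) pairs, sorted by issue then name.

    max_password_age: rotation window in days applied to enabled accounts.
    stale_after: days without a logon after which a privileged account is
                 treated as no longer needed and flagged for removal.
    """
    findings = []
    for a in accounts:
        if a.enabled and a.password_age_days > max_password_age:
            findings.append((a.name, "password-too-old"))
        if a.privileged and not a.enabled:
            # A disabled account keeps its group membership, so a single
            # accidental re-enable restores admin rights unnoticed.
            findings.append((a.name, "disabled-but-privileged"))
        if a.privileged and a.enabled and a.days_since_logon > stale_after:
            findings.append((a.name, "stale-privileged"))
    return sorted(findings, key=lambda f: (f[1], f[0]))


# Constructed export: a normal user, an admin with an ancient password,
# a DBA who has not logged on in months, a service account that was
# never rotated, and a departed admin whose account was only disabled.
SAMPLE_ACCOUNTS = [
    Account("alice", {"Domain Users"}, password_age_days=30, days_since_logon=1),
    Account("bob", {"Domain Users", "Domain Admins"}, password_age_days=400, days_since_logon=2),
    Account("carol", {"Domain Users", "DBA"}, password_age_days=20, days_since_logon=200),
    Account("svc_backup", {"Domain Admins"}, password_age_days=1500, days_since_logon=3),
    Account("dave", {"Domain Users", "Enterprise Admins"}, password_age_days=50,
            days_since_logon=900, enabled=False),
]

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_ACCOUNTS):
        print(f"{issue:<24} {name}")
```

On the sample export the audit returns four findings: the two enabled accounts whose passwords are hundreds of days old, the DBA account that still holds its group but has not been used in 200 days, and the disabled account left in Enterprise Admins. Raising the rotation window to 2000 days removes the password findings and leaves exactly the two permission problems, which is the point: the permission review does not depend on the rotation argument at all.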