Recent revelations surrounding hacker attacks infiltrating JPMorgan Chase & Co. leave questions about why we’re seeing an increasing number of successful attacks on major institutions. It turns out that protecting an institution full of personally identifiable information is more complex than just having a good cybersecurity team.
Hackers were able to unleash malicious software onto Chase’s internal system through a security gap in one of the bank’s consumer-facing websites. The offending group was well researched and equipped with custom malware specifically targeted at Chase. Right now the extent of the damage is unknown as investigators continue to explore the breach.
“These are not kids sitting in their parents’ garage doing something looking for excitement during their summer break. These are professionals, working in multi-disciplinary teams, that have the discipline to persevere and work hard to get to quality loot,” Eyal Firstenberg, VP of cyber research at cybersecurity firm LightCyber, told VentureBeat by email.
Hackers of the type that attacked Chase, and potentially other banks, are called targeted attackers. They set their sights on a target, then spend resources heavily researching the target’s systems and security protocols before designing specific malware. “For targeted attackers, they learn the specific technologies deployed in the target and just use different maneuvers or tools and neutralize them,” says Firstenberg.
And it isn’t as if Chase hasn’t invested in threat protection. This year alone, it plans to spend more than $250 million on cybersecurity, according to a letter to investors from April.
Unfortunately, according to Firstenberg, most of the many millions of dollars spent on cybersecurity are focused on opportunistic attacks, in which hackers enter through a security flaw and use common malware to steal information. The security software that protects against these kinds of attacks is predictive: it attempts to anticipate what attacks will look like so that, if hackers infiltrate the system, it can neutralize the problem quickly.
“It is just now that we are witnessing the emergence of companies and technologies that do not presume to predict a specific attack vector, but it is still not widespread,” says Firstenberg.
Right now, U.S. law enforcement authorities are considering whether or not the Chase attack was a part of a series of coordinated attacks on five other banks, according to Bloomberg News. The report says there’s some speculation by law enforcement that these hackers are inside Russia and possibly connected to the government.
One of the bigger, less talked about problems in dealing with cybersecurity threats is the lack of a global framework for penalizing attackers. “Hackers can hide in countries around the world without the fear of being brought to justice,” says Ron Hale, CEO of the Information Systems Audit and Control Association, a nonprofit devoted to developing IT and cybersecurity best practices, who spoke to VentureBeat by telephone.
There is no global set of standards dictating the way hackers should be prosecuted, and most countries have very different laws when it comes to both cyberattacks and money laundering, especially when it happens outside of the state. In addition, enterprise institutions are afraid to share information about attacks with one another, so they’re forced to protect themselves in silos. “We don’t have the right tools and infrastructure, and there’s not information sharing between banks and other institutions,” says Hale.
It’s also important to note that the larger hacker community is very collaborative. They already share information about developing malware and ways to hack security protocols. That’s why malware evolves so quickly. Banks and other organizations that hold onto personally identifiable information need to be equally collaborative if they expect to keep up with new threat iterations.
The National Retail Federation is already taking steps to help major retailers, like Target, work together to fight security threats through a new information sharing platform it announced earlier this year.
What’s needed, says Hale, is a holistic approach to fighting security threats that includes flexible software to effectively monitor incoming and outgoing traffic within an institution, information sharing about attacks between major institutions, and a global collaborative effort to bring the hacking community down.