BreachExchange mailing list archives

After JPMorgan Chase Breach, Push to Close Wall St. Security Gaps


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 24 Oct 2014 12:56:40 -0600

http://dealbook.nytimes.com/2014/10/21/after-jpmorgan-cyberattack-a-push-to-fortify-wall-street-banks/?_php=true&_type=blogs&_r=0

This summer’s huge cyberattack on JPMorgan Chase and a dozen other
financial institutions is accelerating efforts by federal and state
authorities to push banks and brokerage firms to close some gaping holes in
their defenses.

Top officials at the Treasury Department are discussing the need to bolster
fortifications around a critical area of cybersecurity: outside vendors,
which include law firms, accounting and marketing firms and even janitorial
companies, according to several people briefed on the matter.

The sweeping effort began before the hacking of JPMorgan, which compromised
some of the personal account information of 76 million households and seven
million small businesses, the people said. Under discussion is a
requirement that the banks put in place more stringent procedures and
safeguards to make sure the outside firms have, at the least, basic
defenses.

The push by government officials is a stark acknowledgment of the
vulnerability of financial institutions to an attack — even after they have
spent hundreds of millions of dollars to protect themselves — if one of
their vendors is not fully prepared.

The problem is causing some security consultants to privately consider
whether the sprawling financial firms with operations across the globe may
be “too big to secure.” And smaller firms, the consultants say, may simply
not have the ability to adequately defend customer information.

The attack on JPMorgan, along with earlier breaches at Target and Home
Depot, has made Americans even more wary about the security of their personal
information. JPMorgan said that the hackers did not infiltrate the bank’s
systems through a third-party vendor.

Still, in the aftermath of the attack, the issue of data security has
gained momentum. At a dinner in New York on Tuesday evening that included
the general counsels from JPMorgan, Bank of America and Deutsche Bank on
the guest list, New York State’s top financial regulator, Benjamin M.
Lawsky, emphasized the gathering danger to the financial system when
vendors’ security is lax, according to one of the people briefed on the
matter. Mr. Lawsky, who delivered his remarks at the University Club in
Midtown Manhattan, is considering a new rule that would require banks to
“obtain representations and warranties” from vendors about the adequacy of
their controls to thwart hackers, the people said.

As part of that proposal, Mr. Lawsky sent a letter on Tuesday to dozens of
banks requesting that the firms provide “any policies and procedures
governing relationships with third-party service providers,” according to a
copy of the letter reviewed by The New York Times. In the letter, Mr.
Lawsky says that banks must also outline “the due diligence processes used
to evaluate” the security procedures of all vendors.

“It is abundantly clear that, in many respects,” Mr. Lawsky said in the
letter, “a firm’s level of cybersecurity is only as good as the
cybersecurity of its vendors.”

Mr. Lawsky’s proposal mirrors some of the discussions underway at the
Treasury Department, the people said. In July, Treasury Secretary Jacob J.
Lew highlighted the importance of online security to the global financial
system in a speech at an investment conference. In that address, Mr. Lew
said his deputy, Sarah Bloom Raskin, “would be working with federal and
state agencies to reduce cyber-risks to the financial system,” but he did
not discuss the specific measures being considered.

The Securities and Exchange Commission is conducting an audit of 50 firms
to assess their readiness for attacks as well as their relationships with
vendors. The Financial Industry Regulatory Authority is conducting its own
broad look at how American brokerage firms and asset management firms deal
with assaults from hackers and how they oversee their vendors. Other
regulators are examining the preparedness of 500 community banks and credit
unions for dealing with an attack.

Wall Street’s reliance on third-party vendors has come under fire before,
most prominently after the financial crisis, when banks used outside law
firms to handle mass foreclosures in what turned out to be a flawed
process. Those practices led to a landmark $25 billion foreclosure abuse
settlement between the government and five major banks two years ago.

The latest scrutiny of vendors signals a new recognition that cybercrime
represents one of the greatest threats to the stability of the financial
system. In attack after attack, hackers are rebuffed by financial
institutions, only to slip through the cracks at vendors, including some
that have virtually no security.

The attack that roiled Target last year and exposed the information of 40
million cardholders and 70 million others came from hackers breaking into
the security system of a heating and cooling contractor that was doing work
for the retailer. The same overseas hackers who breached JPMorgan’s network
also infiltrated the website for the JPMorgan Corporate Challenge, which is
run by an outside vendor for the bank on a server maintained by an Internet
firm in Ann Arbor, Mich.

JPMorgan discovered the attack on the Corporate Challenge website on Aug.
7, and learned of the far broader breach of its own system about a week
later. The attack on the bank’s network — which enabled the hackers to gain
a high level of system privileges on more than 90 servers — began sometime
in June and went undiscovered by JPMorgan for about two months, said
another person briefed on the matter who spoke on condition of anonymity.

Two months may seem a long time for largely unfettered access, but security
consultants note it is not uncommon for hackers to rummage through a big
company’s network for several months before being detected.

Federal authorities say they believe the hackers, some of whom may be from
Russia, were not acting with the backing of a foreign government and were
motivated solely by profit. JPMorgan said no financial information was
taken and it had not seen any evidence of fraud from the information taken
in the attacks on its computers and the Corporate Challenge website, which
included names, addresses, phone numbers and email addresses.

Still, it remains unclear just how the hackers got into JPMorgan’s network,
and the bank has determined that they did not gain access to JPMorgan’s
computer systems through the Corporate Challenge website.

“We have no evidence to indicate that attackers compromised a third party
to gain access to our network as part of this incident,” Patricia Wexler, a
JPMorgan spokeswoman, said, referring broadly to vendor security.

Still, security consultants and government officials are zeroing in on
vendors as they work to choke off access to the global financial system.

“I would put vendor security as a top concern,” said John Reed Stark,
former chief of the S.E.C.’s Office of Internet Enforcement and a managing
director at Stroz Friedberg, a data breach response firm. “I am certainly
seeing more and more entities being very rigorous when it comes to their
relationships with third parties and cybersecurity.”

“In some contracts, companies even contractually secure the right to
require, in the event of a breach or compromise, that the vendor conduct an
independent risk and security audit at the vendor’s own expense,” Mr. Stark
said.

The notion of requiring financial institutions to get “reps and warranties”
from vendors about their security might make it difficult for smaller firms
to sell their wares and services to banks and brokers and harder for
smaller financial firms to pay for them. But at the same time, beefing up
vendor security could prove an important way to quarantine an attack.

Susan F. Axelrod, executive vice president of regulatory operations at the
Financial Industry Regulatory Authority, the brokerage industry’s
self-regulator, said financial firms needed to improve their criteria for
hiring vendors, continue to monitor the providers for security during the
course of a contract and then pay particular attention to what happens when
a vendor’s work is done. “The process of terminating a relationship is
key,” Ms. Axelrod said. “You have to immediately terminate vendor access
and passwords.”

She suggested that contracts with vendors “deal upfront” with the process
of ending a relationship and safeguarding access to a firm’s computer
network. By the end of the year, the agency expects to publish what it
considers best practices for dealing with vendors and cybersecurity, a
product of its review of 18 large to midsize brokerage firms.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/