
Running Head: JP Morgan Case Study 1

Case Summary

Minimizing Damage from J.P. Morgan’s Data Breach

By

Date

For a bank like JP Morgan, which spends $250 million on its security annually, excuses for being vulnerable to data breaches are not acceptable. The computer of one of its employees was infected with malware, and information and credentials were stolen from it.

The threats involved:

The threats in this case exist on several levels. The hackers were not only able to break through several layers of security using malicious programs, but they also obtained the highest level of administrative privileges, controlling 90 servers, by using multiple zero-day vulnerabilities. Furthermore, the data was stolen over an extended period of several months. Moreover, the overlooked server had failed to receive the two-factor authentication update, which would have rendered the stolen login credentials useless. Above all, the greatest threat is that the breach was not discovered by JP Morgan itself. Because of the stolen data, JP Morgan faces the threat of future attacks based on the stolen lists of programs and applications. Furthermore, many staff of JP Morgan's security department are also leaving for other banks, which makes it further vulnerable.

Systems vulnerabilities involved:

The entry point of the malware into JP Morgan was an infected employee computer. The computer's credentials must have been compromised, which could have happened through clicking on a phishing mail or visiting a site hosting malware. The malware could have been stopped if HIPS had been deployed on the employee's computer. The human factor is the weakest part of any security system, as not all humans are security conscious. The lack of training of the JP Morgan employee, who presumably fell for the hacker's social engineering technique, is one of the many vulnerabilities. Furthermore, JP Morgan could have stopped the employee's system from getting infected by using application whitelisting. The employee was also granted more access than was needed for his or her job. The hackers got into JP Morgan through the VPN, which was vulnerable to the setting up of an outbound command and control channel that would then have bypassed all defenses. JP Morgan's systems also failed to identify the server that had not received the two-factor authentication update, which could have been found through regular vulnerability scans. Moreover, even with the mandatory NIDS deployment, the breach went unnoticed. The hackers were also successful in deleting their log files; if JP Morgan had consolidated logs in a secure location, the hackers would not have been able to cover their tracks. Had a minimum baseline of logging been defined for the Windows servers, JP Morgan would have detected the breach earlier. It was also important for JP Morgan to get rid of all its guest and anonymous account access, blocking simple loopholes.
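The paragraph above makes two related points: forwarding logs off the host to a consolidated store defeats local log deletion, and a defined logging baseline lets the defender notice when that forwarding stops. The following Python example is added here to illustrate that idea; it is not code from the case study or from JP Morgan, and the host name, event texts and the hash-chain format are constructed for the example. Each host numbers its records and chains them with SHA-256, so the central collector can tell a clean stream from one where a record was altered in transit or dropped (the equivalent of an attacker clearing the local log after the earlier records have already been shipped).

```python
import hashlib
import json
from collections import defaultdict

GENESIS = "0" * 64  # chain anchor for the first record of every host


def record_digest(host, seq, event, prev):
    """Hash over the fields a record commits to; sort_keys keeps the encoding deterministic."""
    body = json.dumps({"host": host, "seq": seq, "event": event, "prev": prev}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


class LogSource:
    """Per-host forwarder: every record carries a sequence number and the previous record's hash."""

    def __init__(self, host):
        self.host = host
        self.seq = 0
        self.prev = GENESIS

    def emit(self, event):
        self.seq += 1
        digest = record_digest(self.host, self.seq, event, self.prev)
        record = {"host": self.host, "seq": self.seq, "event": event, "prev": self.prev, "hash": digest}
        self.prev = digest
        return record


def check_record(record, last):
    """Problems with `record` given the last stored record for its host (None if it is the first)."""
    problems = []
    expected_seq = 1 if last is None else last["seq"] + 1
    expected_prev = GENESIS if last is None else last["hash"]
    if record["seq"] != expected_seq:  # a record was dropped (or the host log was cleared)
        problems.append(f"{record['host']}: sequence gap, expected {expected_seq} got {record['seq']}")
    if record["prev"] != expected_prev:  # the chain no longer links to what the collector holds
        problems.append(f"{record['host']}: chain break at seq {record['seq']}")
    if record_digest(record["host"], record["seq"], record["event"], record["prev"]) != record["hash"]:
        problems.append(f"{record['host']}: content altered at seq {record['seq']}")
    return problems


class CentralCollector:
    """Append-only store off the host; verifies continuity on receipt and can re-audit later."""

    def __init__(self):
        self.store = defaultdict(list)
        self.alerts = []

    def receive(self, record):
        chain = self.store[record["host"]]
        self.alerts.extend(check_record(record, chain[-1] if chain else None))
        chain.append(record)  # keep the record as evidence even when it fails a check

    def audit(self, host):
        """Re-verify the whole stored chain for a host; returns the list of problems found."""
        problems, last = [], None
        for rec in self.store[host]:
            problems.extend(check_record(rec, last))
            last = rec
        return problems


def run_scenario():
    """Constructed scenario: three clean records, one altered in transit, one dropped, then one more."""
    src = LogSource("winsrv-01")  # hypothetical host name
    collector = CentralCollector()
    for event in ("4624 logon", "4672 special privileges", "4688 new process"):
        collector.receive(src.emit(event))
    tampered = src.emit("4720 user account created")
    tampered["event"] = "4688 new process"  # altered before it reaches the collector
    collector.receive(tampered)
    src.emit("1102 audit log cleared")  # emitted on the host but never forwarded
    collector.receive(src.emit("4624 logon"))  # forwarding resumes; seq 5 is missing
    return collector


if __name__ == "__main__":
    c = run_scenario()
    for alert in c.alerts:
        print(alert)
    print("stored records:", len(c.store["winsrv-01"]))
```

The collector never trusts the host to keep its own history: the sequence numbers and chain are produced on the host, but the copy that matters lives on the collector, so clearing the local log after shipping changes nothing there, and any attempt to edit or suppress records before they are shipped shows up as a gap, a broken link or a hash mismatch.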

Impact of the case:

The case shows effectively how simple vulnerabilities at JP Morgan were ignored, causing such a huge loss. The case also showed in detail how JP Morgan could have stopped this breach at its various stages. It shows how the security loopholes could have been covered by effective vulnerability and penetration testing of the system. The several factors which contributed to such a long unnoticed breach of JP Morgan's systems were explained in detail along with their possible countermeasures.

Organizational response

The breach was not discovered for months, and not by JP Morgan itself. The hackers breached one of the charity websites, where Hold Security Inc. discovered a billion stolen usernames and passwords, including some of JP Morgan's. This led JP Morgan's security team to question its systems and led them to discover the breach. The bank already spends $250 million on its security, while 1000 of its employees are dedicated to this department. The organization was not only shocked but also concerned over the simplicity of the failure of its security.

Any countermeasures that the company can take for avoiding future attacks

Like any other organization, JP Morgan needs to identify its critical assets and protect them heavily with VLANs and NIDS. Perimeter defense should be assured by installing firewalls. Basic protection, employee training, HIPS and application whitelisting would stop malware from entering the network or ensure its timely discovery. Using pre-connection VLANs and NAC for the infected system, and NIDS anomaly detection along with honeypots, can help reduce access to control servers and alert staff. Furthermore, implementing SELinux, RBAC, AppArmor and a least-privilege access system can also help JP Morgan against the hackers. Proper logging along with active monitoring, using crypto-free zones, and NIDS would have aided in strengthening the security. Penetration testing and vulnerability scans would have helped in the early discovery of hackers.

No entity is fully safe at all times; however, with these recommended solutions, JP Morgan can strengthen the security of its systems. With effective security staff and well-aware employees with proper security education, such simple loopholes can be covered.

Source:

Jeng, A. (2015). Minimizing Damage From JP Morgan’s Data Breach. SANS Institute.
