• JPMorgan Goes to War
    Bloomberg (02/19/15) Robertson, Jordan; Riley, Michael A

    JPMorgan Chase has built a vast security operation and staffed it increasingly with former military officers. The move comes after the massive breach of the bank’s computers last summer. JPMorgan is convinced that it faces threats from governments in China, Iran and Russia, and that the U.S. government is not doing enough to help. James Cummings, a former head of the U.S. Air Force’s cybercombat unit, oversees the bank’s digital security staff of 1,000, along with Gregory Rattray, a former Air Force colonel. In the attack, the hackers did not steal easily marketable data such as credit card numbers or account passwords, but may have been looking for deep vulnerabilities in the bank’s infrastructure or custom software to exploit later. Even with a security budget of a quarter of a billion dollars and an expensive system to capture data removed from the bank’s network, there are lingering questions about the attack. And regardless of any failings in protection by the government, some security experts say a mini-NSA in Midtown Manhattan is not the answer.

    Web Link | Return to Headlines

    How Cyber Criminals Stole Up to $1B from Financial Services Companies
    Fox Business (02/16/15) Kent, Jo Ling

    Russian cyber security firm Kaspersky Lab says it has uncovered an ongoing cyber theft campaign targeting more than 100 banks and other institutions in 30 countries that may have resulted in the theft of as much as $1 billion. Kaspersky says the hackers, whose locations and origins are unclear, used spear phishing emails to infect targets with malware that allowed them to lay low and gather information about how the targets handle and move money throughout their systems. Ultimately, the attackers would use this information to manipulate these same systems to steal money, often by hijacking ATM networks, causing ATMs to dispense cash that was collected by the hackers’ associates. One victim lost $7.3 million to ATM fraud. Other attacks targeted the SWIFT financial network and Oracle databases to transfer funds out of bank accounts. Kaspersky says the attackers usually stole less than $10 million from any given target, which helped them go unnoticed. Only $300 million in losses have been confirmed, but Kaspersky suspects the true total is closer to $1 billion.

    Web Link | Return to Headlines

    Businesses Use Fake Scam Emails to Root Out Security Issues
    Associated Press (02/13/15)

    A growing number companies are using fake phishing emails to test their employees’ security savvy and to provide a teachable moment for those that have not yet learned how to respond to a suspicious email. Eighteen percent of users will visit a malicious link in a phishing email, according to Verizon’s 2014 data breach report, and roughly one in four data breaches are caused by employees, according to a 2014 report from the Online Trust Alliance. Several companies such as Wombat Security and PhishMe actually offer fake phishing emails to enterprises as a service. PhishMe CEO and co-founder Rohyt Belani says that a mentality has built up in the security industry that users are “stupid” and the “weakest link,” but he says the fault lies at the feet of the security industry, which he believes needs to do more to educate users and fake phishing emails provide a means of doing that. Randy Withrow, chief information officer at Pinnacle Financial Partners, says his company has seen significant improvement among its workers since it adopted Wombat’s fake phishing email program. Successful phishing attempts have dropped by 25 percent at the company. Withrow says that workers will take it to heart when they fall for the fake phishing emails.

    Web Link | Return to Headlines

    This Could Be the End of User Name and Password
    Time (02/09/15) Calabresi, Massimo

    The data breaches at JPMorgan Chase and Anthem likely will prompt New York Superintendent of Financial Services Benjamin Lawsky to impose new cyber-security rules on the banking and insurance industries — a move that could put an end to the simple user name and password identity checks used to access computer networks at the heart of the financial system. Law enforcement officials say early investigations of the Anthem breach indicate that foreign hackers used a company executive’s user name and password to access the personal data of 80 million people, and they note that the data theft could have been avoided if Anthem had implemented stronger identity verification methods. The Office of the Comptroller of the Currency says banks need to assess their own risks when determining whether additional verification methods should be used. Meanwhile, other regulators are worried that if New York’s Department of Financial Services or another agency strengthens standards on its own, banks with national operations will be forced to contend with a patchwork of rules. However, Lawsky says, “We really need everyone to go to a system of multi-factor verification.” Lawsky also plans to impose new requirements on third-party vendors.

    Web Link

  • 2013: Highest Rate of Employee Theft in 6 Years
    Security Magazine (02/15)

    According to the 2013 Marquet Report on Embezzlement released in December 2014, Vermont topped the list of highest embezzlement risk states in the country for the third time in the last six years. It was followed by the nation’s capital, West Virginia, Montana, South Dakota, Virginia, Idaho, Oklahoma, Texas, and Missouri. The research shows that the number of U.S. embezzlement cases rose 5 percent over the previous year. In total, 554 major cases — those with more than $100,000 in reported losses — were active in the United States in 2013. Only around 5 percent of major embezzlers were found to have a prior criminal history. The Marquet report went on to draw several conclusions, ranging from the reality that embezzlers are most likely to hold financial positions with enterprises to the most common embezzlement scheme being the forgery or unauthorized issuance of company checks. The study further determined that perpetrators typically begin embezzlement schemes in their early 40s. Finally, while females are more likely to embezzle on a large scale, males embezzle significantly more money on average.

    Web Link

  • Another Giant Security Gap at Airports: Lack of Criminal Background Checks
    CNN (02/04/15) Devin, Curt; Griffin, Drew; Zamost, Scott

    Gary Perdue, the FBI’s deputy assistant director of counterterrorism, recently admitted that once airport employees complete an initial background check, no one reviews criminal backgrounds after they are hired. These security loopholes were critiqued at a hearing before the House Subcommittee on Transportation Security, where lawmakers questioned current airport security regulations. A CNN investigation discovered that only two of the nation’s major airports, Miami International Airport and Orlando International Airport, require all employees with secure access to pass through metal detectors. The Miami airport also organizes random criminal background checks after hiring employees. Miguel Southwell, the general manager of Hartsfield-Jackson Atlanta International Airport where breaches have occurred, expressed support for implementing full screening of employees with access to secure areas. But he did not specify if and when the screening will begin. Mark Hatfield, the acting deputy administrator of the Transportation Security Administration, said his agency is working to determine what investments and policy changes may be necessary.

    Web Link

  • Anthem Hacked in ‘Sophisticated’ Attack on Customer Data
    Bloomberg (02/05/15) Harrison, Crayston

    Anthem Inc., the second largest U.S. health insurer in terms of market value, said hackers obtained data on tens of millions of current and former customers and employees in a sophisticated attack that has led to an FBI probe. The information included everything from names, birth dates, and Social Security numbers to street and e-mail addresses and employee data, including income. The company has pledged to notify all customers who were affected and provide credit and identity-theft monitoring services for free. An Anthem statement read: “As soon as we learned about the attack, we immediately made every effort to close the security vulnerability, contacted the FBI, and began fully cooperating with their investigation.” The Anthem breach is believed to be the largest in the health-care industry since Chinese hackers swiped Social Security numbers, names, and address from 4.5 million patients of Community Health Systems Inc., the second-biggest for-profit hospital chain, in 2014.

    Web Link

    Experts Suspect Lax Security Left Anthem Vulnerable to Hackers
    New York Times (02/06/15) Abelson, Reed; Goldstein, Matthew

    The cyberattack on Anthem, one of the country’s largest health insurers, highlights the vulnerability of health care companies. Anthem’s data was vulnerable because the company did not take steps, such as using encryption, in the same way it protected medical information that was sent or shared outside of the database. Anthem officials say they do not know who is behind the attack, but several security consultants have noted that in the past Chinese hackers have shown an interest in going after health care companies. The hackers are thought to have infiltrated Anthem’s networks by using a sophisticated malicious software program that gave them access to the login credential of an Anthem employee. The insurer, along with federal investigators and security experts from FireEye’s Mandiant division, is now trying to determine whether there were other requests that it did not detect, a process that could take several more weeks. Security professionals say the company’s decision to make the breach public quickly means that it is early in the investigation into exactly what happened and what information may have been compromised. “You can spend months doing the forensics,” said Fred Cate, a law professor and cybersecurity expert at Indiana University. While he praised Anthem for taking the “unusual and quite laudable step in coming forward quite quickly,” he cautioned that company officials might not know the scope of the attack at this point. Still, Cate said the medical information was not likely to result in the public unveiling of sensitive medical information, unlike smaller attacks aimed at finding something embarrassing or derogatory about an executive or celebrity. “As a general matter, huge breaches often result in less harm than targeted breaches,” he said. “The notion that someone’s poring over this data is highly unlikely.” The decision by Anthem to bring in the Federal Bureau of Investigation and go public with the breach is the kind of move that law enforcement officials have been encouraging for the last several months. FBI officials have appeared at a number of industry conferences urging corporate executives to promptly report breaches and, when possible, share information about the breach with competitors.

    Web Link

« Previous Entries