A Q&A with Joseph Loomis of CyberSponse
An ongoing challenge for any organization trying to enforce cyber security is the constant stream of new exploits, all of which rely on a lack of awareness about particular vulnerabilities. In the face of the recent seemingly “black swan” attack on JP Morgan, I asked Joseph Loomis, founder and CEO of CyberSponse, about security blind spots and their consequences
Can you describe the attack on JP Morgan?
JP Morgan, like many organizations, has public facing websites. On every single one of these pages, there is a submit button and a window to enter text or upload information. The attackers injected java script into these “holes,” and because they were not properly patched the attackers were able to execute malicious code.
What are the possible damages of this attack and others like it?
We know that a couple hundred gigabytes of data has been stolen. That could include identity information, names, passwords and social security numbers. The results of this breach have not been made public and they will likely be unknown until there’s a fully detailed investigation. We also don’t know if the attackers were associated with a particular group, a state-sponsored organization, or something like Anonymous. If the data was financial data, they are required to disclose it, but if it wasn’t, we may never hear the particulars.
Another concern is that sometimes attackers might hold the data and not do anything with it for quite some time. They might wait a year and then use the information to open a new credit card, for example, so the consequences to the end user or consumer are not always immediate.
Overall, though, J.P. Morgan is still looking at millions of dollars in forensics, legal fees and other costs as related to this breach.
What constitutes a “black swan” attack and why has this one been labeled as such?
A Black Swan is a catastrophic event that everyone, using hindsight, believes could and should have been prevented. The fact that this attack seems to have come from a traditional enemy superpower and was aimed directly at our financial backbone is making everyone say “of course this was coming.” Well, in this instance—and every Black Swan event—the company wasn’t aware that this hole was there and realistically the attack might not have been foreseeable. Oftentimes due to the sheer number of systems, websites and portals in existence, there are going to be vulnerabilities, but expecting them all to be foreseeable and preventable is just naive. Cyber security events like this have become a “blame the victim” charade, again and again. The fact is that until we reevaluate our resource prioritization, these events will keep happening.
Think of it this way: You could have all the fire alarms in the world in your house but once that stove catches on fire, what are you going to do? Without a fire department on call and ready to go, you not only lose your house but probably the whole neighborhood. Prevention and detection are worthless without an effective response to back it up.
Customers understand that it’s happening to everyone, but you will be judged for your response to it.
How might organizations prevent or mitigate this exposure?
Every line of code is a potential opportunity to break in. The sheer number of vulnerabilities out there, combined with the sheer number of attack attempts means that it’s purely impossible to plug all of these holes.
That’s why it’s important to anticipate the inevitable. Companies need to improve their software procurement time—on average it takes six to nine months and sometimes years to obtain new security software and get those technologies deployed and if that’s the case, your adversaries have a rather large head start from you and will most likely beat you every time. Running simulations and practicing for cyber attack situations is another way to prepare—that way when the day comes, everyone’s not running around panicking without process or structure. In the end, as a company, you’re not as heavily judged for the compromise because customers understand that it’s happening to everyone and that it’s becoming more and more common, but the market will judge an organization’s cyber incident response strategy and protocols to such an attack. The time for being properly prepared and to embrace new government frameworks is here.
At the same time, it’s always a best practice strategy to hire an outside firm for penetration and vulnerability testing like the New York office of Protiviti, a top forensics and cyber consultancy. These firms review source code for vulnerabilities and provide recommendations to close such exploits. Secondly, organizations should set aside the time, resources and personnel to procure and deploy new security technologies to aid in the defense and strategy of a mature cyber operations department. In too many situations people are doing this work on the side, and that’s like asking your soldiers to buy guns while they’re also on the field shooting. We all need to be prepared for the battle—well prepared.
In Summary…
Joe offers a nice explanation of a simple exploit that can be prevented with the proper procedures in place. These types of cyber vulnerabilities are currently impacting many organizations, especially in the financial services space. A sophisticated company like JP Morgan falling victim serves as a real wakeup call for everyone else in the market. Get a better incident response plan in place, test it, check it and re-test it. We all should know by now that no business connected to the Internet is immune to cyber attacks and the national media reinforces this reality almost daily with stories of Target, Home Depot, Dairy Queen and others. Joe underscores why ongoing vigilance is so important. His comments also emphasize the need and importance for cyber liability insurance coverage, given that the failure to demonstrate reasonable security care can lead to serious legal and financial consequences.
