In July, JP Morgan Chase discovered that 90 or so of its servers were breached by external hackers. As The New York Times reported, “By the time the bank’s security team discovered the breach in late July, hackers had already obtained the highest level of administrative privilege to dozens of the bank’s computer servers.” According to the article, it is still unclear how hackers managed to gain such deep access.
Every organization in the world with significant financial assets is under constant Web-based attack from bad guys. Over the past two years, there’s been an impressive (or terrifying, depending on your point of view) increase in both the success of these attacks and the size and scope of the organizations affected.
Virtually all of these hacks have one thing in common. They attack identity; specifically, they leverage vulnerabilities in software or business processes to subsequently elevate privilege until they reach the Holy Grail of identity on a critical server.
USA Today quoted an industry expert who interpreted this breach by saying that the hackers “had root” on the servers and they “could transfer funds, disclose information, close accounts, and basically do whatever they want to the data.”
There are still far too many organizations using root accounts to manage their servers. It’s just asking for trouble. If root accounts are available to your employees for anything besides “break glass” in single-user off-network recovery situations, then there’s a chance the bad guys will also find a way to use those accounts. Corporate boards need to get off the dime and fund their IT security departments with the tools to stop these attacks, including least-privilege identity solutions that eliminate the use of root accounts.
What else is interesting about this hack? The bad guys didn’t wire funds to numbered accounts in tropical locations. Apparently, they left all the money behind, taking no Social Security numbers and no passwords with them. But is that the end of the story?
Probably not. “Persistence like that, with no stolen money, is due to a future planned operation,” J.J. Thompson of Rook Security of Indianapolis told USA Today in the same article. “This could be to track down a person of interest by observing financial transaction locations, to plan future large scale disruption when they know their competitor plans to wire funds to close a deal, or any other odd scenario you could see on (the TV show) ‘Blacklist.’”
Who knows what the end result of this hack will be, but hopefully it further raises awareness of the problem of sharing the root account. Setting policies for IT to use personal named accounts and always log in using their own identity will help avoid these issues, and will lead to better accountability and traceability of actions. The more an IT organization can consolidate identities into an authoritative identity store the better. Using a privileged identity management solution, IT can limit the number of users who have privileged access and will make it less likely that the attacker will discover a user with privileged access.