News today indicates that the JPMC breach which was discovered earlier in 2014 was the result of a neglected server not being configured to require 2FA as it should have been. That was a pretty simple oversight, right? Well, not so fast. There are a lot of other details which previously surfaced that paint a more complicated picture.
– First, we know that the breach started via a vulnerability in a web application.
– Next, we know that the breach was only detected after JPMC’s corporate challenge site was breached and JPMC started examining its other networks for similar traffic, finding that the attackers were also on its systems.
– We also know that “gigabytes” of data on 80 million US households was stolen.
– Finally, we know that the breach extended to at least 90 other servers in the JPMC environment.
Attributing the breach to missing 2FA on a server seems very incomplete.
Certainly we have seen a number of breaches attributed to unmanaged systems, such as Bit9 and BrowserStack. This is why inventory is the #1 critical cyber security control. Without it, we don’t know what needs to be secured.
We can also include at least:
– Application vulnerability
– Gigabytes of data being exfiltrated undetected
– Hacker activity and command and control activity on 90 different servers undetected
– Configuration management
This isn’t intended to drag JPMC through the mud; rather it’s to point out that these larger breaches are the unfortunate alignment of a number of control deficiencies rather than a single, simple oversight in configuring a server.