Continuous monitoring is the key to thwarting these types of breaches. With cyberattacks becoming commonplace in every sector, companies must continuously protect their most valuable information. Cyber guns fire at us all the time, but the notion of catching and stopping every cybercriminal simply isn’t realistic in today’s burgeoning threat environment. I liken it to aspiring to completely eliminate common street crime. It’s just not realistic. Flaws will always exist, even within the most ideal protective structures. Every company should assume they’ll be breached, and focus efforts on minimizing damage once cybercriminals get in. The need for qualified cybersecurity professionals to protect our most critical information has never been greater. Continuing education and training are key to staying as far ahead of cybercriminals as possible.
-W. Hord Tipton, CISSP-ISSEP, CAP, Executive Director, (ISC)2
Corporations are quietly (or in some cases not so quietly) engaged in asymmetric cyber warfare with nation-states. Prior to the NSA revelations, we were led to believe that it was all China, Russia, and Iran attacking the United States unprovoked. Since we now understand that isn’t true, we come to the realization that cyberattacks are now a weapon for all or most governments, and wielded for political reasons to inflict damage on economies, intellectual property, and sensitive information. Whether this particular attack on JP Morgan Chase is government sponsored or not, the reality is that businesses and citizens will ultimately pay the price of cyber war amongst feuding governments. This just adds to the threat landscape that organizations face with hacktivists, financially motivated hackers, and now governments engaging in posturing, spying, or influence of economic events. Certainly in the short term, spiraling costs for security, forensic investigations, and incident response will continue to be a drag on the economy and long-term business sustainability. Nation-state cyber war, much like kinetic war, eventually hurts everyone. While the destruction cyberattacks leave isn’t physical, that doesn’t mean it isn’t real.
-Philip Casesa, CSSLP, Director of IT/Service Operations, (ISC)2
This is an interesting case where the discovery of the alleged breach does not appear to be due to fraud detection measures, but rather through other means. Even if no direct fraud has taken place at this time, having financial and personal information related to individuals could open the door to very targeted spear phishing attacks in the future. You can change a credit card or bank account number much more easily than you can change the personal information that can be used against you. Imagine, if you will, getting a frantic phone call saying your child has been in an accident and needs some money wired to them in an emergency. You might be very suspicious. Now imagine that again if the person on the phone knows your child’s name, what college they are attending, who they work for, where they live, where they had dinner last week, etc. (all information farmed from their banking information). Detailed banking information can also be used for identity theft purposes, so even if charges don’t appear now, the damage could be done months or even years in the future.
-Erich Kron, Director of Membership Relations and Services, CISSP-ISSAP, HCISPP, (ISC)2
These types of attacks will continue to happen. It is a constant battle of corporations trying to stay ahead of an adversary. These attacks are carried out by well-funded and very well trained criminal enterprises. These breaches prove that despite the layers of defense, attackers can and will get through. It’s more of a matter of when instead of how. It is a double-edged sword. Active defenses and continuous monitoring help only to a certain extent. Skilled information security professionals are needed, and they must be able to think like their adversary: “To know your Enemy, you must become your Enemy”. Organizations must think outside of the box to actively defend confidential consumer information, assets, and intellectual property.
-Justin Warniment, Senior Manager, Professional Programs Development, CISSP-ISSEP, ISSMP, (ISC)2