Essay on Layered Security: The JPMorgan Chase Bank Case
Layered security involves using several controls at different points in transaction processes and networks so that one control's weakness is compensated by the strength of another. In the JPMorgan Chase breach, over 76 million accounts were affected by data theft from the bank's 90 servers, and no clear motive was identified since no money was stolen. The bank's plan to spend $250 million annually on information security to minimize future attacks, together with the increased spending on information security by businesses generally, shows a growing awareness of the importance of securing information assets.
Layered security could improve the overall security of business networks and transactions by protecting customer data, reducing account takeovers, and preventing identity theft. Additional security layers allow a business such as a bank to authenticate customers, detect and respond appropriately to suspicious activity around the initial login, and re-confirm authentication when further transactions involve high-risk actions such as fund transfers, multiple withdrawals, or single large withdrawals. This paper discusses the five main security layers related to the protection, detection and remediation of attack events. The layers are not limited to five, but businesses that handle these five properly stand a better chance of repelling and discovering attacks (FFIEC).
Network Controls: This layer involves controls such as firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS), which respectively filter network traffic, detect attacks, and prevent attacks. Hostile traffic may bypass firewalls covertly through open ports such as 80 and 443, and may even be encrypted to make analysis by IDS and IPS difficult. However, an additional control such as a data loss prevention (DLP) system can perform in-depth inspection of data packets to detect files being transferred out of the network or other policy violations (Shenk).
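To make the DLP point concrete, the following is an added illustration (not code from the essay or from the cited SANS paper) of the kind of content inspection a DLP sensor performs on outbound traffic once it has visibility into the payload; for port 443 that means the sensor must sit after TLS termination, otherwise the encrypted body is opaque, which is exactly the evasion the paragraph describes. The payloads, addresses and hostnames are constructed for the example. Two policy checks are shown: card-number-like digit runs confirmed with a Luhn check (to avoid flagging order numbers), and any file attached to an outbound multipart upload.

```python
import re

# Constructed sample of outbound payloads as a DLP sensor placed after TLS
# termination would see them (addresses, hosts and values are all made up).
SAMPLE_PAYLOADS = [
    ("10.0.5.12", "203.0.113.7", 443,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("10.0.5.12", "203.0.113.7", 443,
     b"POST /form HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
     b"card=4111-1111-1111-1111&name=test"),
    ("10.0.5.20", "198.51.100.9", 80,
     b"POST /note HTTP/1.1\r\nHost: blog.example.test\r\n\r\n"
     b"text=order 1234567890123456 shipped"),
    ("10.0.5.31", "192.0.2.44", 443,
     b"POST /upload HTTP/1.1\r\nHost: share.example.test\r\n"
     b"Content-Type: multipart/form-data; boundary=XX\r\n\r\n--XX\r\n"
     b'Content-Disposition: form-data; name="f"; filename="customers.csv"\r\n\r\n'
     b"id,name\r\n1,alice\r\n--XX--\r\n"),
]

# Candidate card number: 14 to 19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(rb"\b(?:\d[ -]?){13,18}\d\b")
# Any file attached to an outbound multipart upload.
UPLOAD_FILENAME = re.compile(rb'filename="([^"]+)"')


def luhn_ok(digits: str) -> bool:
    """Luhn check: separates real card numbers from random digit runs
    such as order ids or timestamps, which cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect_payload(src, dst, port, payload):
    """Return (kind, flow, detail) findings for one outbound payload."""
    flow = f"{src}->{dst}:{port}"
    findings = []
    for m in CARD_CANDIDATE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(digits):
            # Only the first six digits are kept in the alert to limit exposure.
            findings.append(("card-number", flow, digits[:6] + "..."))
    for m in UPLOAD_FILENAME.finditer(payload):
        findings.append(("file-upload", flow, m.group(1).decode()))
    return findings


def run_dlp(payloads=SAMPLE_PAYLOADS):
    """Inspect every payload and collect the policy violations found."""
    alerts = []
    for entry in payloads:
        alerts.extend(inspect_payload(*entry))
    return alerts


if __name__ == "__main__":
    for kind, flow, detail in run_dlp():
        print(f"ALERT {kind:12s} {flow:28s} {detail}")
```

Running the block flags the card number in the second payload and the file upload in the fourth, while the order number in the third passes the Luhn check's filter and the plain page fetch produces nothing. A production DLP adds many more content classifiers and policy actions (block, quarantine, alert), but the layering logic is the same: what the firewall let through on an allowed port is still inspected for what it carries.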
Antivirus: Antivirus software is deployed by most companies. It works by identifying code signatures, so attackers now use techniques whose code does not match known signatures. Antivirus may be deployed at various points in a network: on file and email servers, workstations, and mobile devices. Email scanning deletes or quarantines infected mail so that it never reaches its destination, and the same applies to infected file transfers. Modern antivirus software also relies on heuristics to determine what applications should and should not do, and endpoint security extends this further to monitoring suspicious activity, e.g. a downloaded PDF file that in turn requests the download of an executable file (Shenk).
Reputation: This security control involves authentication and verification technologies such as digital signatures, checksums and trusted services. A checksum is a mathematical value computed from a file's contents and is unique to that file. If the file is altered by as much as one bit, the checksum changes, and the file can no longer be verified against the earlier generated and trusted checksum. Digital signatures work the same way: a unique signature is attached to a file and later verified at the destination, and if the signature fails to verify or has been altered, the file is deemed suspicious. Other techniques for enhancing reputation include blacklisting known hostile traffic sources such as spammers and whitelisting trusted sources.
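The one-bit property of checksums and the blacklist/whitelist lookup are easy to demonstrate, so an added example follows (it is not code from the essay or its sources). It uses SHA-256 from the Python standard library as the checksum, a constant-time comparison for the verification step, and constructed file contents and address lists. Digital signatures need asymmetric keys and a library outside the standard library, so they are not shown here; the verification logic at the receiving end is the same shape as the checksum check.

```python
import hashlib
import hmac

# Constructed file content standing in for a transferred document.
ORIGINAL = b"transfer 100.00 from account 0001 to account 0002\n"


def sha256_hex(data: bytes) -> str:
    """Checksum of the full content; any change to the bytes changes it."""
    return hashlib.sha256(data).hexdigest()


# The trusted checksum would normally be published or sent separately
# from the file; here it is computed once from the known-good content.
TRUSTED_CHECKSUM = sha256_hex(ORIGINAL)


def verify_checksum(data: bytes, trusted_hex: str) -> bool:
    """compare_digest avoids timing differences leaking how many
    leading characters of the checksum matched."""
    return hmac.compare_digest(sha256_hex(data), trusted_hex)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def demo_single_bit_change():
    """(original verifies, one-bit-altered copy verifies)"""
    tampered = flip_bit(ORIGINAL, 37)
    return verify_checksum(ORIGINAL, TRUSTED_CHECKSUM), verify_checksum(tampered, TRUSTED_CHECKSUM)


# Constructed reputation lists; real deployments pull these from threat feeds.
DENY_LIST = {"198.51.100.23", "203.0.113.99"}   # known spam / hostile sources
ALLOW_LIST = {"192.0.2.10"}                      # trusted partner gateway


def reputation_decision(source_ip: str) -> str:
    """Deny-list wins over allow-list; unknown sources fall through to inspection."""
    if source_ip in DENY_LIST:
        return "block"
    if source_ip in ALLOW_LIST:
        return "trust"
    return "inspect"


if __name__ == "__main__":
    ok, tampered_ok = demo_single_bit_change()
    print(f"original verifies: {ok}, one-bit change verifies: {tampered_ok}")
    for ip in ("192.0.2.10", "198.51.100.23", "198.51.100.77"):
        print(f"{ip}: {reputation_decision(ip)}")
```

The point of ordering the lookups deny-list first is that an address which has earned a bad reputation should not be rescued by an older allow-list entry; unknown sources are neither trusted nor blocked, they simply receive the other layers' full inspection.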
Behavioral Analysis: This layer involves baselining normal network behavior and then analyzing suspicious activity against that baseline. Unusual behavior includes abnormally high traffic, slow connections, and stealthy traffic with connections that take a long time to time out; general web traffic is analyzed as well. This helps identify attacks such as distributed denial of service (DDoS) attacks, which involve high traffic volumes. Stealthy traffic sustained over long periods may indicate unsanctioned data downloads, as in the JPMorgan bank case, while analysis of general web traffic ensures that no malicious traffic from the Internet is allowed to pass through the network (Shenk).
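Baselining is the step most readers have not seen in code, so the following added example (not from the essay or its sources) builds a simple statistical baseline from constructed per-interval measurements for one host and scores new samples against it. Two metrics stand in for the indicators named above: bytes sent per interval (high traffic) and the longest connection duration in the interval (stealthy, long-lived transfers). The numbers, host name and the 3-sigma threshold are all assumptions for the illustration.

```python
from statistics import mean, pstdev

# Constructed baseline: ten 5-minute samples for one host on a known-good day.
BASELINE_BYTES_OUT = [11800, 12500, 9800, 13100, 12000, 10400, 12900, 11500, 12200, 10900]
BASELINE_MAX_CONN_SECS = [25, 40, 31, 22, 45, 38, 29, 33, 27, 36]

# Constructed new samples to score: one normal, one flood, one slow long-lived flow.
SAMPLES = [
    {"host": "srv-17", "bytes_out": 12300, "max_conn_secs": 35},
    {"host": "srv-17", "bytes_out": 85000, "max_conn_secs": 28},
    {"host": "srv-17", "bytes_out": 9500, "max_conn_secs": 3600},
]


def baseline(values):
    """Mean and population standard deviation of the known-good window."""
    return mean(values), pstdev(values)


def zscore(value, mu, sigma):
    """How many standard deviations a value sits above the baseline mean."""
    return 0.0 if sigma == 0 else (value - mu) / sigma


def classify(sample, bytes_base, conn_base, z_limit=3.0):
    """Return the list of reasons a sample deviates from the baseline (empty if normal)."""
    reasons = []
    z_bytes = zscore(sample["bytes_out"], *bytes_base)
    z_conn = zscore(sample["max_conn_secs"], *conn_base)
    if z_bytes > z_limit:
        reasons.append("high traffic")
    if z_conn > z_limit:
        # A connection that lives far longer than usual while moving no more
        # data than normal is the slow-and-low pattern of a quiet download.
        if sample["bytes_out"] <= bytes_base[0]:
            reasons.append("long-lived low-rate connection")
        else:
            reasons.append("long-lived connection")
    return reasons


def analyze(samples=SAMPLES):
    """Score every sample and return (host, reasons) pairs."""
    bytes_base = baseline(BASELINE_BYTES_OUT)
    conn_base = baseline(BASELINE_MAX_CONN_SECS)
    return [(s["host"], classify(s, bytes_base, conn_base)) for s in samples]


if __name__ == "__main__":
    for host, reasons in analyze():
        status = "ok" if not reasons else "ALERT " + ", ".join(reasons)
        print(f"{host}: {status}")
```

The second sample is roughly 70 standard deviations above the baseline byte count, the kind of jump a flood produces; the third moves less data than usual but holds a connection open for an hour, which a pure volume threshold would never catch. Real baselining is done per host, per time of day, and often per protocol, because a volume that is normal at noon may be anomalous at 3 a.m.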
Detection and Remediation: This layer involves detecting suspicious activity and fixing the loopholes discovered in the network. Investigations should be conducted continuously by monitoring logs, investigating process crashes, checking for port scanning, and monitoring file transfers and user accounts for suspect behavior. At this stage, quick detection and mitigation of attacks reduces the likelihood of system compromise and the possibility of the attack spreading to other systems (Shenk).
Finally, layered security is not complete without considering the human layer. Employees may be disgruntled and compromise systems deliberately, while others may do so through ignorance and susceptibility to social engineering (the manipulation of human behavior). Consequently, there is a need to practice common sense, increase IT security awareness among employees, and enforce a detailed security policy on what employees can and cannot do (Shenk). By combining all aspects of layered security discussed, a business such as JPMorgan Chase is assured of reduced susceptibility to security breaches and attacks.
FFIEC. Risk Assessment and Layered Security. 1st ed. Tennessee: Federal Financial Institutions Examination Council (FFIEC), 2013. Web. 20 Apr. 2015.
Shenk, Jerry. Layered Security: Why It Works (A SANS Analyst Whitepaper). 1st ed. SANS Institute InfoSec Reading Room, 2013. Web. 20 Apr. 2015.