Another day, another massive data breach. This time it was the health insurer Anthem that had to notify its members that the personal records of as many as 80 million people had been compromised.
On the bright side, as reported by Dark Reading’s Sara Peters, “In a rare (perhaps unprecedented) move, a large company reported a data breach -- to authorities, the media, and the individuals whose data was stolen -- well before they were legally obligated to do so.” It’s sad that we have so much data to compare to be able to make such a statement.
How could this happen?
"Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members," Anthem President and CEO, Joseph R. Swedish, said in a statement.
This would seem to indicate that outsiders broke through Anthem's security structures and stole the database. Was it organized crime? Or could it be state-sponsored hacking? As is often the case these days, the immediate finger-pointing was towards China, although no one was willing to speculate as to why China would want a list of Anthem's customers.
The reality is, sadly, that this was most likely anything but a sophisticated attack. According to the Dark Reading story, "Anthem discovered the attack when a database administrator noticed unauthorized queries running with admin credentials." In other words, the data was read and exported with a legitimate, privileged account. Nothing had to be "broken"; the database simply answered queries from an account it was built to trust.
There are two ways this can happen. Either it is an "insider attack," in which an employee uses their own account to harvest data (this is how Edward Snowden did it), or an outsider obtained an employee's credentials, typically through phishing (the 2011 RSA breach started with a spear-phishing email). In either case, firewalls and other perimeter measures designed to keep intruders out have no effect. The "intruders" were already inside the walls, and to every control in the path they looked like the administrator.
There is also a debate going about encryption. Was the Anthem data encrypted "on the wire" and in storage? That matters when someone breaches the network and runs off with a copy of the database files, a backup tape or a disk: good encryption at rest keeps them from reading what they took. But an insider with authorization to view the data never sees the encryption. Insiders, to do their job, need the data decrypted, so the database or the application decrypts it for any properly authenticated query. So whether or not Anthem kept the data encrypted at rest has little relevance to this attack. The insider, or the outsider masquerading as an insider, can see, and export, all of the data the account is allowed to read.
Two things could have mitigated the damage, perhaps even prevented any loss at all.
- Behavioral analysis looks at what a user is doing compared to their own historic activity and to the activity of others in the same or a similar role. This is actually how the breach was discovered, but only because a human happened to notice; an admin account pulling tens of millions of rows in a single session looks nothing like that account's normal day. Automated, systematized analysis as part of a Real Time Security Intelligence (RTSI) system would catch this and either raise flags or temporarily suspend the account's access.
- Context-aware access control could have stopped an outsider, even with phished credentials, by examining where the authentication session was coming from (corporate network or an unknown external address), what platform or device was in use, what time of day it was, and more, and then requiring a second factor or refusing the session when the context did not fit.
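The two mitigations above, as an added worked example that is not part of the original article and is not Anthem's own tooling. It runs over a handful of constructed database-audit-log lines (time, user, source IP, table, rows returned; not real Anthem data). The behavioral check flags any user-day whose row volume is an order of magnitude above that user's own history and their peers' history; the context-aware check scores a login by source network, time of day and device, refuses privileged accounts from outside the corporate range, and asks for step-up authentication when the context is merely unusual. The corporate network range, working hours, peer groups and device list are all assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed audit-log lines for the example (not real data):
# timestamp user source_ip table rows_returned
AUDIT_LOG = """\
2015-01-05T09:12:01 dba_jane 10.20.1.15 members 340
2015-01-05T10:40:33 dba_jane 10.20.1.15 claims 120
2015-01-06T09:05:10 dba_jane 10.20.1.15 members 210
2015-01-07T11:01:27 dba_jane 10.20.1.15 members 400
2015-01-07T15:30:00 dba_raj 10.20.1.22 members 380
2015-01-08T03:14:09 dba_jane 203.0.113.77 members 78800000
"""

# Assumed environment facts used by the policy (hypothetical values).
CORP_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed corporate address range
WORK_HOURS = range(7, 20)                          # assumed normal hours, 07:00-19:59
PEERS = {"dba_jane": {"dba_raj"}, "dba_raj": {"dba_jane"}}   # same-role comparison group
ADMINS = {"dba_jane", "dba_raj"}                   # privileged accounts
KNOWN_DEVICES = {"dba_jane": {"laptop-jane"}, "dba_raj": {"laptop-raj"},
                 "clerk_bob": {"laptop-bob"}}


def parse_log(text):
    """Parse the space-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, ip, table, rows = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "ip": ipaddress.ip_address(ip), "table": table,
                       "rows": int(rows)})
    return events


def daily_rows(events):
    """Total rows returned per (user, calendar day)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["time"].date())] += e["rows"]
    return totals


def behavioral_flags(events, peers, factor=10):
    """Behavioral analysis: flag a user-day whose row volume exceeds `factor`
    times the largest earlier daily total of that user or of their peers.
    Returns (user, day, rows, baseline) tuples. Days with no history are skipped."""
    totals = daily_rows(events)
    flags = []
    for (user, day), rows in sorted(totals.items()):
        history = [v for (u, d), v in totals.items()
                   if d < day and (u == user or u in peers.get(user, ()))]
        baseline = max(history, default=None)
        if baseline is not None and rows > factor * baseline:
            flags.append((user, day.isoformat(), rows, baseline))
    return flags


def access_decision(user, src_ip, when, device):
    """Context-aware access control: 'allow', 'step_up' (require a second
    factor) or 'deny', based on where, when and from what the login arrives."""
    ip = ipaddress.ip_address(src_ip)
    off_network = ip not in CORP_NET
    if user in ADMINS and off_network:
        return "deny"             # privileged credentials never from outside
    risk = 0
    risk += 2 if off_network else 0
    risk += 1 if when.hour not in WORK_HOURS else 0
    risk += 1 if device not in KNOWN_DEVICES.get(user, ()) else 0
    return "step_up" if risk >= 2 else "allow"


if __name__ == "__main__":
    for flag in behavioral_flags(parse_log(AUDIT_LOG), PEERS):
        print("volume anomaly:", flag)
    print(access_decision("dba_jane", "203.0.113.77", datetime(2015, 1, 8, 3, 14), "unknown"))
```

In the sample data the administrator's 3 a.m. session from an external address pulls tens of millions of rows against a baseline of a few hundred, so it is flagged by the volume check, and the same session would have been refused outright by the context policy before a single query ran. A real deployment would feed the flags into an alerting or session-termination path rather than printing them.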
For the people whose data was compromised in the Anthem breach (or the Target breach, or the RSA breach, and on and on) it matters little who acquired their data or even how it was acquired. What matters most is that an organization they trusted with their data did not do enough to protect it.