
Attacks/Breaches

2/18/2015
10:30 AM
Dave Kearns
Commentary

How We Can Prevent Another Anthem Breach

Two things could have mitigated the damage and maybe even prevented any loss at all: behavioral analysis and context-aware access control.

Another day, another massive data breach. This time, it was Anthem Healthcare who had to notify clients that the personal records of as many as 80 million individuals were compromised.

On the bright side, as reported by Dark Reading’s Sara Peters, “In a rare (perhaps unprecedented) move, a large company reported a data breach -- to authorities, the media, and the individuals whose data was stolen -- well before they were legally obligated to do so.” It’s sad that we have so much data to compare to be able to make such a statement.

How could this happen?

"Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members," Anthem President and CEO, Joseph R. Swedish, said in a statement.

This would seem to indicate that outsiders broke through Anthem’s security structures and stole their database. Was it organized crime? Or could it be state-sponsored hacking? As is often the case these days, the immediate finger-pointing was towards China, although no one was willing to speculate as to why China would want a list of Anthem’s customers.

The reality is, sadly, that this was most likely anything but a sophisticated attack. According to the Dark Reading story, “Anthem discovered the attack when a database administrator noticed unauthorized queries running with admin credentials.” This means that the attack was based on using legitimate credentials to read, and export, the data.

There are two ways this can happen. Either it is an “insider attack” in which an employee uses their own account to harvest data (this is how Edward Snowden did it) or an outsider phished the credentials from an employee (as happened in the RSA hack some years ago). In either case, firewalls and other security measures to keep intruders out would have no effect. The “intruders” were already inside the walls.

There is also a debate going about encryption. Was the Anthem data encrypted “on the wire” and in storage? That is important when someone breaches the network and runs off with a database. Good encryption could keep them from seeing the data. But an insider, with authorization to view the data, doesn’t see the encryption. Insiders, to do their job, need to see it unencrypted. So whether or not Anthem kept the data in an encrypted format has absolutely no relevance. The insider, or the outsider masquerading as an insider, can see – and export – all of the available data.

Two things could have mitigated the damage, perhaps even prevented any loss at all.

  • Behavioral analysis looks at what the user is doing compared to their historic activity and the activity of others in their same or a similar role. This is actually how the breach was discovered, but it was only the off-chance notice by a human that discovered it. Automated, systematized analysis as part of a Real Time Security Intelligence (RTSI) system would catch this and either raise flags or temporarily close down access.
  • Context-aware access control could have stopped an outsider, even with phished credentials, by examining where the authentication session was coming from, what platform was in use, what time of day it was, and more.
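As an added illustration (not part of Kearns's column, and not any vendor's product code), the following Python sketch models the two controls described above over constructed database audit-log lines: a per-role behavioral baseline learned from past activity, and a context check on the session's source network, platform and time of day. The log lines, role names, the 10.20.0.0/24 admin network, the working-hours window and the z-score threshold are all assumptions made for this example. It also shows why the two controls complement each other: the "insider" case passes every context check and is caught only by behavior, while the "outsider" case fails both.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    """One database audit record (field set chosen for this example)."""
    ts: datetime
    user: str
    role: str
    src_ip: str
    platform: str
    action: str   # SQL verb, or EXPORT for a bulk dump
    rows: int     # rows returned or exported


def parse_line(line):
    """Parse a constructed pipe-delimited audit line into an Event."""
    ts, user, role, ip, platform, action, rows = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, role, ip, platform, action, int(rows))


# Constructed history of ordinary DBA activity used to learn the baseline.
HISTORY = [
    "2015-01-05T09:12:00|dba1|dba|10.20.0.15|Windows|SELECT|120",
    "2015-01-06T10:40:00|dba1|dba|10.20.0.15|Windows|SELECT|80",
    "2015-01-07T11:05:00|dba2|dba|10.20.0.22|Windows|UPDATE|200",
    "2015-01-08T14:30:00|dba1|dba|10.20.0.15|Windows|SELECT|150",
    "2015-01-09T15:10:00|dba2|dba|10.20.0.22|Windows|SELECT|90",
    "2015-01-12T16:45:00|dba1|dba|10.20.0.15|Windows|EXPORT|4000",
]

# Constructed context policy for the dba role: from where, on what, and when
# a session may be opened at all.
POLICY = {
    "dba": {
        "networks": [ip_network("10.20.0.0/24")],   # assumed admin workstation VLAN
        "platforms": {"Windows"},
        "hours": (time(7, 0), time(19, 0)),
    }
}

# Constructed events to evaluate: routine work, an insider bulk export from
# the right place at the right time, and phished credentials used from outside.
NORMAL = "2015-01-27T14:02:11|dba1|dba|10.20.0.15|Windows|SELECT|130"
INSIDER = "2015-01-27T14:05:40|dba1|dba|10.20.0.15|Windows|EXPORT|80000000"
OUTSIDER = "2015-01-27T03:17:09|dba1|dba|203.0.113.5|Linux|EXPORT|80000000"


def build_baseline(lines):
    """Per-role profile: row-volume statistics, actions seen and hours of day seen."""
    events = [parse_line(l) for l in lines]
    baseline = {}
    for role in {e.role for e in events}:
        evs = [e for e in events if e.role == role]
        rows = [e.rows for e in evs]
        baseline[role] = {
            "mean_rows": mean(rows),
            "stdev_rows": pstdev(rows) or 1.0,   # guard against a constant history
            "actions": {e.action for e in evs},
            "hours": {e.ts.hour for e in evs},
        }
    return baseline


def behavioral_flags(event, baseline, z_threshold=3.0):
    """Compare one event with the historic profile of the user's role."""
    profile = baseline.get(event.role)
    if profile is None:
        return [f"no baseline for role {event.role}"]
    flags = []
    if event.action not in profile["actions"]:
        flags.append(f"{event.action} never seen for role {event.role}")
    z = (event.rows - profile["mean_rows"]) / profile["stdev_rows"]
    if z > z_threshold:
        flags.append(f"{event.rows} rows is {z:.0f} sd above the role's mean")
    if event.ts.hour not in profile["hours"]:
        flags.append(f"hour {event.ts.hour:02d} is outside the role's usual hours")
    return flags


def context_flags(event, policy):
    """Check the session's source network, platform and time of day against policy."""
    rule = policy.get(event.role)
    if rule is None:
        return [f"no context policy for role {event.role}"]
    flags = []
    addr = ip_address(event.src_ip)
    if not any(addr in net for net in rule["networks"]):
        flags.append(f"source {event.src_ip} is outside the permitted networks")
    if event.platform not in rule["platforms"]:
        flags.append(f"platform {event.platform} is not permitted")
    start, end = rule["hours"]
    if not (start <= event.ts.time() <= end):
        flags.append(f"session time {event.ts.time()} is outside the permitted window")
    return flags


def evaluate(line, baseline, policy):
    """Combine both controls: block on a context violation, flag (alert and
    temporarily close access) on a behavioral anomaly, otherwise allow."""
    event = parse_line(line)
    ctx = context_flags(event, policy)
    beh = behavioral_flags(event, baseline)
    decision = "block" if ctx else ("flag" if beh else "allow")
    return {"decision": decision, "context": ctx, "behavior": beh}


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for sample in (NORMAL, INSIDER, OUTSIDER):
        print(evaluate(sample, baseline, POLICY))
```

In a real deployment the baseline would be recomputed on a rolling window and keyed by both user and role, and the "flag" path would feed the RTSI system's alerting and session-throttling rather than a return value; the point of the sketch is that an 80-million-row export from the right workstation during office hours is invisible to context checks and only stands out against history.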

For the people whose data was compromised in the Anthem breach (or the Target breach, or the RSA breach, and on and on) it matters little who acquired their data or even how it was acquired. What matters most is that an organization they trusted with their data didn’t do enough to protect it.

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity ...
Comments
xmarksthespot,
User Rank: Strategist
3/22/2015 | 4:13:34 AM
Re: class action
I predict the market will react appropriately.  There's already a lot of switchover to 2 factor authentication in the consumer area.  It's pretty late, of course, but things will change.  Seems to me like encryption and 2 factor authentication are the big ones which need focus.  Implementation of robust host hardening procedures (not new products, but correct utilization of ones already in place) can help greatly.
chrisbunn,
User Rank: Apprentice
3/20/2015 | 5:42:46 AM
Context aware access control
Great article Dave. Context aware access control helps protect identity and thus help prevent this type of attack from compromised network credentials. Organizations can - and should - set and automatically enforce access rules that restrict how and when their authenticated users access the network. Employees should be restricted to specific workstations, devices, departments or IP ranges to reduce the attack surface where compromised credentials can gain access. This control must extend across all session types (Wi-Fi, VPN or IIS). 

This type of enhanced access control is not possible with native controls but available with technology solutions such as UserLock (for Windows Server based networks.) 

It's interesting also to know that from IS Decisions' latest research, IT professionals cited strong user access restrictions as the top method for helping address user security behavior. Restrictions help protect users from themselves and outrightly restrict some of the careless behavior that leads to these types of security breaches.
TerryB,
User Rank: Ninja
2/24/2015 | 3:25:56 PM
Re: No Two Factor?
Thanks Dave. Yeah, we were one of the companies that got new tokens, I had completely forgotten about that. I had missed your article about the backdoor in the algorithm, easy to understand your mistrust.

Does it get worse? We have used the Cisco VPN appliance/client software and now have moved to Juniper (Pulse client). Has the certificate protection installed in those clients been compromised, or is it easy to do so? That would have to be done along with knowing the SecurID number, along with my user name and PIN. If compromising that client is easy, we are really only protecting ourselves from amateurs with all this spend we have on this.

It's starting to become obvious to me the best thing my company has going for it is being boring. Even if you hacked every bit of intellectual property we have, you'd still need millions and millions of $ in capital investment in land and equipment just to possibly earn 5% return on annual sales you might get. I really feel sorry now for companies whose lifeblood is information itself.
Dunkirk,
User Rank: Strategist
2/24/2015 | 2:50:22 PM
The dog ate my homework
North Korea and China are now the equivalent of "the dog ate my homework" excuse. Expect every company that has a breach of any magnitude to trot this one out.

To me it is also interesting to read in other coverage that the administrator's password was being used for the SQL queries. An even simpler precaution would have been to protect that obviously valuable password via a privileged account management solution. I don't disagree with strong authentication, behavioral analysis or context-aware access control. However, to me, the key takeaway is multi-layer security. A castle is protected by a moat, and a drawbridge, and high walls, and ramparts, and soldiers with hot-oil cauldrons, arrows and the occasional flying cow launched at the enemy (can't resist a Monty Python aside). Hackers will always find an entree but we want them to get through one door only to see many more.

Good article, Dave.

Jackson Shaw
dak3,
User Rank: Moderator
2/24/2015 | 2:37:54 PM
Re: No Two Factor?
Go here for all the reasons why I'm not an RSA fan...
TerryB,
User Rank: Ninja
2/24/2015 | 12:53:46 PM
Re: No Two Factor?
I remember RSA was hacked a while ago. But like all things security, I never saw any detail of exactly what that hack exposed. Are you saying hackers have the capability of discovering the Serial # on my hard token and then predicting my next number because they know the seed/algorithm? Or did somebody just hack RSA servers and see who was using their service?

Even if they stole the algorithm, how would they know what seed was being used? From what I read on that stuff, it was pretty solid code? Send me a good resource link on this hack if you have it handy.
dak3,
User Rank: Moderator
2/24/2015 | 12:30:12 PM
Re: No Two Factor?
And, as I said in the article, it was an admin that was phished...

And, if that 2nd factor was SecurID, well, that's been compromised for a while...
TerryB,
User Rank: Ninja
2/24/2015 | 11:31:28 AM
Re: No Two Factor?
No @Dak3, not what he said. He said just not effective in INTERNET authentication. He actually confirmed what I suspected, it would be near impossible to pull off in our Corp network.

The reason is clear: For Man in the Middle, you'd have to spoof our VPN server. That isn't on our internal network, it has its own security with this token. Since it uses a certificate before it even gives you signon credentials, you could not get "in the middle". Well, realistically anyway. Given enough inside information and access to the tools which created the certificate in the first place, along with poisoning DNS enough to redirect you to their VPN server, you could then capture what the user typed in. You'd then have about 30 seconds to come in through our real VPN server and get an IP address foothold in our private, non-internet-routable network.

Good luck with all that.

His other hack was Chicken or Egg. It depended on already compromising the computer going to sign on to the VPN in the first place. I'll give him part of that one, you could certainly grab the keystrokes of the PIN/token combination. But what I don't know is if you could grab the installation of the VPN client which contains the certificate to let the VPN server talk to you. As crappy as Windows/Linux computers are, I'd have to believe you probably could, as sad as that is.

But again, a lot of inside info is needed here, it would have to be an inside attack more than anything else, nothing you are going to sniff out cold from China with internet access and nothing else. Regular users aren't bright enough on all this to phish anything useful. If you find an internal admin stupid enough to give up all that info, well, there is no hope for your security, period.
dak3,
User Rank: Moderator
2/24/2015 | 10:59:47 AM
Re: No Two Factor?
Two-factor authN is better than one, but as Bruce Schneier says "Two-factor authentication isn't our savior. It won't defend against phishing."

Read his blog post ("Two-Factor Authentication: Too Little, Too Late") from 2005 to see why.
Marilyn Cohodas,
User Rank: Strategist
2/23/2015 | 10:27:56 AM
Re: class action
@psullivan726, It's pretty darn amazing that a healthcare company the size of Anthem would be so remiss. I wonder if that's typical for the healthcare insurance industry.