Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
A Mere 8 Days After Breach, Anthem Healthcare Notifies Customers
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
L174
L174,
User Rank: Apprentice
2/6/2015 | 12:00:44 PM
Why does it matter if the data was encrypted?
Data Encryption is only helpful if a physical harddrive or machine is stolen, period. (Let that sink in for a minute)

While encryption is beneficial it is only usful in about 3% to 5% of data breach situations. (If you want to do a groundbreaking story you should focus on the fact that encryption offers very little protection in a hacking situation.)

Once a hacker has access to a running machine the data has already been decrypted by the Operating System or the running application and it is fully available to the hacker in the same decrypted format.

I will say it again, encryption is only helpful if a physical machine or harddrive has been stolen. So the big question was not "was the data encrypted' but how did the hackers gain access? By the way, I am willing to bet the data in this case was on an encrypted disk and as expected it did not help.
anon4914728044
anon4914728044,
User Rank: Apprentice
2/6/2015 | 2:18:09 PM
Re: Why does it matter if the data was encrypted?
I hate to be blunt, but your post belies a significant level of ignorance about major-business information security architecture and infrastructure.

 

Anthem almost certainly does not store production databases on "encrypted disks".

Also, the fact that a "database administrator noticed unauthorized queries" strongly suggests that if the data was encrypted, it's still encrypted and is (to the limits of the encryption strenght) just fine now.

 

When you understand enough to know why these statements are true, you'll understand why the rest of your post is largely incorrect as well.
ODA155
ODA155,
User Rank: Ninja
2/6/2015 | 2:50:59 PM
Re: Why does it matter if the data was encrypted?
@L174, WHAT!? Where are you getting your information?

The operating system only determines encryption levels (Protocols) if you let it, such as in a Windows Server where encryption can be controlled with a simple registry edit. I'd have to believe that these companies are not allowing this to happen and instead are using add on applications like OpenSSL or some other enterprise level data encryption software. Furthermore, if the data is encrypted you cannot access it without the proper keys for access, unless you have a few super-duper computers and more than a few years to hopefully stumble onto the correct key parings.

Although there may be places in the infrastructure where data may not be fully encrypted such as at the point where the application feeds a DB, but even that is very rare. Even rarer (I hope) would be an unencrypted DB holding sensitive data, hell, or ANY DATA. Any company that does not encrypt data in transit is stupid and deserves to be hacked.

Sensitive data that travels over a network are required to be securely encrypted from the point of data entry to the point where the data is processed if those companies are to be HIPPA, PCI or GLBA compliant.

Your comment leaves me to believe that you are either:

a)      Trolling

b)      Uninformed

c)       Not responsible for security on any level

or...

d)      Negligent

So you said, "Data Encryption is only helpful if a physical harddrive or machine is stolen, period."... what's the difference between a disc-image or the actual HDD? And a hacker isn't going after a HDD or an image because attempting to obtain either will or should set off alerts, he wants the DB and even that is going to be striped across a RAID. From what I remember about RAID, what you suggest is only "possible" if you remove a drive from a RAID – 0 or RAID – 1, and I don't believe Anthem is "Mom & Pop" enough for that configuration.

Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
2/7/2015 | 12:28:00 AM
Quick notice not surprising, considering...
Okay, sure, they notified their customers WELL before they were legally obligated, but that's not particularly surprising considering that one of the affected customers was Michael Daniel -- the President's chief cybersecurity advisor.
ODA155
ODA155,
User Rank: Ninja
2/7/2015 | 2:01:33 PM
Re: Quick notice not surprising, considering...
Joe... I just heard a report that said Anthem did NOT encrypt the data...at all! I also read that in an article from WSJ. And... some experts are tying this data breach at anthem, to tax return fraud with TurboTax. Minnesota has suspended accepting any state tax returns from Turbo tax... and over at databreachtoday dot com there is an article, "Anthem Breach: Chinese Hackers Involved?" that is rather interesting.
GonzSTL
GonzSTL,
User Rank: Ninja
2/9/2015 | 11:05:15 AM
Re: Quick notice not surprising, considering...
It is quite scary that Anthem chose not to encrypt their data, but even scarier is that encryption is not required under HIPAA. The most worrisome parts of this breach are that there were queries running with admin privileges, and that the attacker(s) were able to exfiltrate data. One would think that a large provider such as Anthem would have measures in place to detect and prevent this type of activity.
ODA155
ODA155,
User Rank: Ninja
2/9/2015 | 11:09:00 AM
Re: Quick notice not surprising, considering...
@GonzSTL... I was just preparing this when you posted... All... I need to correct a statement that I made last week. I was under the assumption, as I'm sure that most of us are, that HIPPA and PCI REQUIREs data encryption. I think if anyone has this same assumption as I did, you should look at what I found this weekend when I was "Googling" around.

Since I can't post links in here you'll need to search them yourself.

This question and answer comes directly from U.S. Department of Health & Human Services website.

Is the use of encryption mandatory in the Security Rule?
Answer:
No. The final Security Rule made the use of encryption an addressable implementation specification. See 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii). The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.

Next, Google this phrase... "PCI Data Storage Do's and Don'ts" ... and read the document, it's a pretty short document from the PCI Council and the very first statement says "Requirement 3 of the Payment Card Industry's Data Security Standard (PCI DSS) is to "protect stored cardholder data.""... nowhere in this document does it say that PCI data is REQUIRED to be encrypted, it is "suggested" as an option.

Now I'm sure that the QSA's and other PCI and HIPAA experts will come out here and try to qualify what these statements mean, but I have to say that after reading them it's very clear what they're saying, at least to me it is.
GonzSTL
GonzSTL,
User Rank: Ninja
2/9/2015 | 12:02:06 PM
Re: Quick notice not surprising, considering...
@ODA155: Scary, isn't it? And we wonder why breaches occur ... In all the breaches to date, one glaring fact stands out – a gap in secure computing practices. Of course, that is a classic understatement. Take your post regarding HIPAA and PCI (I am fully aware that encryption is not mandated); they, in and of themselves, do not constitute a fully secure environment. What really gets me is that there are guidelines for these secure practices, and organizations still fail to properly implement them. Personally, I am a big proponent of implementing the SANS Critical Security Controls; properly implemented, they provide a very serious secure computing environment. Take the Anthem breach - although possession of Anthem admin credentials may have negated the security of encryption, a full implementation of Critical Security Control 17 (Data Protection) could have probably saved Anthem. This control specifies the adoption of data encryption, both in transit and at rest. Additionally, it also asks for data loss prevention protection for data in use, motion, and at rest. This control in itself could have possibly mitigated the exfiltration of Anthem data.

Many years ago, the mantra that IT needs to align itself with business goals was the big thing, and for the most part, IT organizations have followed this strategy. I believe the big thing now is that IT security needs to align itself with IT, which by extension, aligns itself with the business goals. This is the message that fails on executive ears; IT security has a communications gap that needs to be fully addressed. One of the main obstacles to achieving this goal is the line of reporting usually governing IT security. Even now, the percentage of IT security reporting to the CIO is too large for comfort. The potential for a violation of the separation of duties to forestall an undesirable result of a conflict of interest is ripe in that environment. I have seen it myself. I have heard many CIOs state that when they have control of, and responsibility for both IT and Security, they are able to make the correct judgment call that serves to benefit the organization as a whole. The fallacy of that line of thought is painfully obvious (see the Target breach), and continues to be supported by C-level executives. That is what needs to stop if IT security is to gain the proper voice and support required to align itself with the business goals of any organization, and provide an effective security environment.
ODA155
ODA155,
User Rank: Ninja
2/9/2015 | 1:28:22 PM
Re: Quick notice not surprising, considering...
Brian Krebs is suggesting this hack could have started as far back as April 2014!
Technocrati
Technocrati,
User Rank: Ninja
2/11/2015 | 11:00:24 AM
Re: Quick notice not surprising, considering...

@Joe   I am not particularly impressed about the early notice either.  I am sure they have been reading about Sony and all the rest.  80 mil records compromised !  

A new record.

 

Hackers seem to be well ahead of most company "experts".

Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file