Dark Reading

Comments
How We Can Prevent Another Anthem Breach
xmarksthespot
User Rank: Strategist
3/22/2015 | 4:13:34 AM
Re: class action
I predict the market will react appropriately.  There's already a lot of switchover to 2 factor authentication in the consumer area.  It's pretty late, of course, but things will change.  Seems to me like encryption and 2 factor authentication are the big ones which need focus.  Implementation of robust host hardening procedures (not new products, but correct utilization of ones already in place) can help greatly.
chrisbunn
User Rank: Apprentice
3/20/2015 | 5:42:46 AM
Context aware access control
Great article, Dave. Context-aware access control helps protect identity and thus helps prevent this type of attack from compromised network credentials. Organizations can - and should - set and automatically enforce access rules that restrict how and when their authenticated users access the network. Employees should be restricted to specific workstations, devices, departments or IP ranges to reduce the attack surface where compromised credentials can gain access. This control must extend across all session types (Wi-Fi, VPN or IIS).

This type of enhanced access control is not possible with native controls but is available with technology solutions such as UserLock (for Windows Server-based networks).

It's interesting also to know that from IS Decisions' latest research, IT professionals cited strong user access restrictions as the top method for helping address user security behavior. Restrictions help protect users from themselves and outright restrict some of the careless behavior that leads to these types of security breaches.
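What the "restrict by workstation, IP range, session type and time" rules in the comment above look like as a policy check, as an added example that is not part of this thread, the article, or any UserLock product code. The rule shape, role names, addresses and login events are all constructed for the illustration; the point is that a valid password is only the first gate, and a credential used from the wrong network, device, session type or hour, or while the user already has a session open, is refused.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Hypothetical rule shape for this example; it is not UserLock's policy format.
@dataclass
class AccessRule:
    allowed_cidrs: list       # source networks the role may connect from
    allowed_devices: set      # workstation / device names the role may use
    allowed_sessions: set     # e.g. "workstation", "wifi", "vpn", "web"
    allowed_hours: tuple      # (start_hour, end_hour), 24h clock, end exclusive
    max_concurrent: int = 1   # simultaneous sessions per user

@dataclass
class Session:
    user: str
    role: str
    src_ip: str
    device: str
    session_type: str
    when: datetime

# Constructed policy: claims staff only from their own workstations on the
# office LAN during business hours; DBAs also over VPN from the VPN pool.
POLICY = {
    "claims-processor": AccessRule(
        allowed_cidrs=[ipaddress.ip_network("10.20.0.0/16")],
        allowed_devices={"WS-CLAIMS-017", "WS-CLAIMS-018"},
        allowed_sessions={"workstation"},
        allowed_hours=(7, 19),
    ),
    "dba": AccessRule(
        allowed_cidrs=[ipaddress.ip_network("10.1.0.0/24"),     # admin VLAN
                       ipaddress.ip_network("192.0.2.0/24")],   # VPN address pool
        allowed_devices={"WS-DBA-003", "LT-DBA-001"},
        allowed_sessions={"workstation", "vpn"},
        allowed_hours=(0, 24),
        max_concurrent=2,
    ),
}

def evaluate(session, policy, active):
    """Second gate after password/MFA: return (allowed, reason).
    Every check must pass, so a stolen credential also needs the right
    source network, device, session type, time of day and a free session slot."""
    rule = policy.get(session.role)
    if rule is None:
        return False, "no rule for role"
    ip = ipaddress.ip_address(session.src_ip)
    if not any(ip in net for net in rule.allowed_cidrs):
        return False, "source address outside allowed networks"
    if session.device not in rule.allowed_devices:
        return False, "device not authorized for role"
    if session.session_type not in rule.allowed_sessions:
        return False, "session type not permitted"
    start, end = rule.allowed_hours
    if not start <= session.when.hour < end:
        return False, "outside allowed hours"
    if sum(1 for s in active if s.user == session.user) >= rule.max_concurrent:
        return False, "concurrent session limit reached"
    return True, "ok"

def run_sample():
    """Replay constructed login attempts (credentials assumed already valid)
    and return the decision for each; successful logins stay active."""
    d = datetime(2015, 2, 4)
    attempts = [
        Session("alice", "claims-processor", "10.20.5.44", "WS-CLAIMS-017", "workstation", d.replace(hour=9, minute=15)),
        # alice's valid password used from outside the office, over VPN, on an unknown device
        Session("alice", "claims-processor", "203.0.113.9", "UNKNOWN", "vpn", d.replace(hour=9, minute=16)),
        # alice's password used on a colleague's workstation while her own session is still open
        Session("alice", "claims-processor", "10.20.5.45", "WS-CLAIMS-018", "workstation", d.replace(hour=9, minute=20)),
        Session("bob", "dba", "192.0.2.17", "LT-DBA-001", "vpn", d.replace(hour=2, minute=40)),
        # bob's password used from an address that is not in the VPN pool
        Session("bob", "dba", "198.51.100.5", "LT-DBA-001", "vpn", d.replace(hour=2, minute=41)),
        # carol's credentials used on an authorized workstation, but at 22:30
        Session("carol", "claims-processor", "10.20.7.2", "WS-CLAIMS-018", "workstation", d.replace(hour=22, minute=30)),
    ]
    active, decisions = [], []
    for s in attempts:
        ok, why = evaluate(s, POLICY, active)
        if ok:
            active.append(s)
        decisions.append((s.user, s.src_ip, ok, why))
    return decisions

if __name__ == "__main__":
    for user, ip, ok, why in run_sample():
        print(f"{user:6} {ip:14} {'ALLOW' if ok else 'DENY '} {why}")
```

The order of the checks is deliberate: the cheapest and most discriminating test (source network) runs first, and the reason string names the failed rule so the denial can be alerted on; a burst of "source address outside allowed networks" denials for one account is itself a strong signal that the password is in someone else's hands.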
TerryB
User Rank: Ninja
2/24/2015 | 3:25:56 PM
Re: No Two Factor?
Thanks Dave. Yeah, we were one of the companies that got new tokens, I had completely forgotten about that. I had missed your article about the backdoor in the algorithm, easy to understand your mistrust.

Does it get worse? We have used the Cisco VPN appliance/client software and now have moved to Juniper (Pulse client). Has the certificate protection installed in those clients been compromised, or is it easy to do so? That would have to be done along with knowing the SecurID number, along with my user name and PIN. If compromising that client is easy, we are really only protecting ourselves from amateurs with all this spend we have on this.

It's starting to become obvious to me the best thing my company has going for it is being boring. Even if you hacked every bit of intellectual property we have, you'd still need millions and millions of $ in capital investment in land and equipment just to possibly earn 5% return on annual sales you might get. I really feel sorry now for companies whose lifeblood is information itself.
Dunkirk
User Rank: Strategist
2/24/2015 | 2:50:22 PM
The dog ate my homework
North Korea and China are now the equivalent of "the dog ate my homework" excuse. Expect every company that has a breach of any magnitude to trot this one out.

To me it is also interesting to read in other coverage that the administrator's password was being used for the SQL queries. An even simpler precaution would have been to protect that obviously valuable password via a privileged account management solution. I don't disagree with strong authentication, behavioral analysis or context-aware access control. However, to me, the key takeaway is multi-layer security. A castle is protected by a moat, and a drawbridge, and high walls, and ramparts, and soldiers with hot-oil cauldrons, arrows and the occasional flying cow launched at the enemy (can't resist a Monty Python aside). Hackers will always find an entrée but we want them to get through one door only to see many more.

Good article, Dave.

Jackson Shaw
dak3
User Rank: Moderator
2/24/2015 | 2:37:54 PM
Re: No Two Factor?
Go here for all the reasons why I'm not an RSA fan...
TerryB
User Rank: Ninja
2/24/2015 | 12:53:46 PM
Re: No Two Factor?
I remember RSA was hacked a while ago. But like all things security, never saw any detail of exactly what that hack exposed. Are you saying hackers have the capability of discovering the serial # on my hard token and then predicting my next number because they know the seed/algorithm? Or did somebody just hack RSA servers and see who was using their service?

Even if they stole the algorithm, how would they know what seed was being used? From what I read on that stuff, it was pretty solid code? Send me a good resource link on this hack if you have it handy.
dak3
User Rank: Moderator
2/24/2015 | 12:30:12 PM
Re: No Two Factor?
And, as I said in the article, it was an admin that was phished...

And, if that 2nd factor was SecurID, well, that's been compromised for a while...
TerryB
User Rank: Ninja
2/24/2015 | 11:31:28 AM
Re: No Two Factor?
No @Dak3, not what he said. He said just not effective in INTERNET authentication. He actually confirmed what I suspected, it would be near impossible to pull off in our Corp network.

The reason is clear: For Man in the Middle, you'd have to spoof our VPN server. That isn't on our internal network, it has its own security with this token. Since it uses a certificate before it even gives you signon credentials, you could not get "in the middle". Well, realistically anyway. Given enough inside information and access to the tools which created the certificate in the first place, along with poisoning DNS enough to redirect you to their VPN server, you could then capture what the user typed in. You'd then have about 30 seconds to come in through our real VPN server and get an IP address foothold in our private, non-internet-routable network.

Good luck with all that.

His other hack was Chicken or Egg. It depended on already compromising the computer going to sign on to the VPN in the first place. I'll give him part of that one, you could certainly grab the keystrokes of the PIN/token combination. But what I don't know is if you could grab the installation of the VPN client which contains the certificate to let the VPN server talk to you. As crappy as Windows/Linux computers are, I'd have to believe you probably could, as sad as that is.

But again, a lot of inside info is needed here, it would have to be an inside attack more than anything else, nothing you are going to sniff out cold from China with internet access and nothing else. Regular users aren't bright enough on all this to phish anything useful. If you find an internal admin stupid enough to give up all that info, well, there is no hope for your security, period.
dak3
User Rank: Moderator
2/24/2015 | 10:59:47 AM
Re: No Two Factor?
Two-factor authN is better than one, but as Bruce Schneier says "Two-factor authentication isn't our savior. It won't defend against phishing."

Read his blog post ("Two-Factor Authentication: Too Little, Too Late") from 2005 to see why.
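The mechanism behind Schneier's point, as an added example that is not part of this thread or the article: a standard RFC 6238 time-based one-time code (HMAC-SHA1, 30-second step, 6 digits) checked by a server that also wants the password and refuses to accept the same (user, step) twice. A phishing page that captures the password and the code and forwards both to the real server within the code's validity window logs in; the one-time property only stops the later replay. The user name, password, timestamps and secret are constructed for the example (the secret is the RFC test-vector key), and the server's skew tolerance of one previous step is an assumption, not a description of any particular product.

```python
import hashlib
import hmac
import struct

STEP = 30    # RFC 6238 time step, seconds
DIGITS = 6

# Constructed shared secret (the RFC 4226/6238 test-vector key), not a real seed.
SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit value, then the low DIGITS decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

def totp(secret: bytes, t: int) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second step of Unix time t."""
    return hotp(secret, t // STEP)

class TokenServer:
    """Server side of a password + one-time-code login.  Accepts the current
    and the previous step (assumed clock-skew tolerance) and never accepts
    the same (user, step) twice."""
    def __init__(self, users):
        self.users = users          # user -> (password, token secret)
        self.accepted = set()       # (user, step) pairs already consumed

    def login(self, user, password, code, now):
        pw, secret = self.users[user]
        if not hmac.compare_digest(password, pw):
            return False, "bad password"
        for drift in (0, -1):
            step = now // STEP + drift
            if hmac.compare_digest(hotp(secret, step), code):
                if (user, step) in self.accepted:
                    return False, "code already used"
                self.accepted.add((user, step))
                return True, "ok"
        return False, "bad code"

def demo():
    """Victim types password and the code shown on the token at time t0 into
    a look-alike page; the attacker forwards both to the real server."""
    server = TokenServer({"terry": ("Winter2015!", SECRET)})   # constructed account
    t0 = 1_423_008_000                      # start of a 30-second step (Feb 2015)
    code = totp(SECRET, t0)                 # what the victim's token displayed at t0
    results = {}
    # 1. real-time relay, 3 seconds later: still inside the step, accepted
    results["relay"] = server.login("terry", "Winter2015!", code, t0 + 3)
    # 2. victim retries on the real site with the same code: step already consumed
    results["victim"] = server.login("terry", "Winter2015!", code, t0 + 5)
    # 3. attacker tries the captured code again two minutes later: expired
    results["replay"] = server.login("terry", "Winter2015!", code, t0 + 120)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:7} {outcome}")
```

Two practical reads of this: the "code already used" response to the legitimate user in step 2 is the one observable the victim gets, so an unexpected rejection of a fresh code is worth treating as a relay indicator rather than a typo; and because the window is the step length plus whatever skew the server tolerates, shortening either narrows the attacker's relay time but does not close it, which is why phishing-resistant factors bind the authentication to the origin rather than to a clock.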
Marilyn Cohodas
User Rank: Strategist
2/23/2015 | 10:27:56 AM
Re: class action
@psullivan726, It's pretty darn amazing that a healthcare company the size of Anthem would be so remiss. I wonder if that's typical for the healthcare insurance industry.