
Comments
How We Can Prevent Another Anthem Breach
xmarksthespot
User Rank: Strategist
3/22/2015 | 4:13:34 AM
Re: class action
I predict the market will react appropriately. There's already a lot of switchover to 2 factor authentication in the consumer area. It's pretty late, of course, but things will change. Seems to me like encryption and 2 factor authentication are the big ones which need focus. Implementation of robust host hardening procedures (not new products, but correct utilization of ones already in place) can help greatly.
chrisbunn
User Rank: Apprentice
3/20/2015 | 5:42:46 AM
Context aware access control
Great article Dave. Context aware access control helps protect identity and thus help prevent this type of attack from compromised network credentials. Organizations can - and should - set and automatically enforce access rules that restrict how and when their authenticated users access the network. Employees should be restricted to specific workstations, devices, departments or IP ranges to reduce the attack surface where compromised credentials can gain access. This control must extend across all session types (Wi-Fi, VPN or IIS). 

This type of enhanced access control is not possible with native controls but available with technology solutions such as UserLock (for Windows Server based networks.) 

It's interesting also to know that from IS Decisions' latest research, IT professionals cited strong user access restrictions as the top method for helping address user security behavior. Restrictions help protect users from themselves and outright restrict some of the careless behavior that leads to these types of security breaches.
TerryB
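The access rules described in this comment (restricting authenticated users to specific workstations, IP ranges, session types and hours) can be expressed as a deny-by-default policy check. The following is an added illustration, not code from UserLock, IS Decisions or Dark Reading; the user names, rule values and login events are all constructed for the example, and the `evaluate` function is a hypothetical policy engine, not a real product API.

```python
"""Context-aware access policy evaluator (added illustration, not a vendor product).

A login attempt with valid credentials is still denied unless every context
check passes: known workstation, permitted source IP range, permitted session
type and permitted time window. Rule values and events are constructed."""
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass(frozen=True)
class AccessRule:
    workstations: frozenset      # hostnames the user may log on from
    networks: tuple              # ipaddress.ip_network objects
    session_types: frozenset     # e.g. console, wifi, vpn, iis
    hours: tuple = (0, 24)       # permitted [start, end) hour, local time


@dataclass(frozen=True)
class LoginEvent:
    user: str
    workstation: str
    src_ip: str
    session_type: str
    when: datetime


# Constructed policy: a finance user and a database administrator.
POLICY = {
    "jdoe": AccessRule(
        workstations=frozenset({"WS-FIN-01", "WS-FIN-02"}),
        networks=(ipaddress.ip_network("10.20.0.0/16"),),
        session_types=frozenset({"console", "wifi"}),
        hours=(7, 19),
    ),
    "dba_admin": AccessRule(
        workstations=frozenset({"JUMP-01"}),
        networks=(ipaddress.ip_network("10.250.1.0/24"),),
        session_types=frozenset({"console", "vpn"}),
    ),
}


def evaluate(event, policy=POLICY):
    """Return (allowed, reason). Deny by default; stop at the first failed check."""
    rule = policy.get(event.user)
    if rule is None:
        return False, "no access rule for user"
    if event.workstation not in rule.workstations:
        return False, f"workstation {event.workstation} not permitted"
    ip = ipaddress.ip_address(event.src_ip)
    if not any(ip in net for net in rule.networks):
        return False, f"source {event.src_ip} outside permitted ranges"
    if event.session_type not in rule.session_types:
        return False, f"session type {event.session_type} not permitted"
    start, end = rule.hours
    if not start <= event.when.hour < end:
        return False, f"login at {event.when:%H:%M} outside permitted hours"
    return True, "all context checks passed"


# Constructed sample logins: the third one uses the right password for jdoe
# but comes from an unknown machine, a public address, over VPN, at 02:13.
EVENTS = [
    LoginEvent("jdoe", "WS-FIN-01", "10.20.5.7", "wifi", datetime(2015, 2, 24, 9, 15)),
    LoginEvent("jdoe", "WS-FIN-01", "10.20.5.7", "vpn", datetime(2015, 2, 24, 9, 16)),
    LoginEvent("jdoe", "UNKNOWN-PC", "203.0.113.9", "vpn", datetime(2015, 2, 24, 2, 13)),
    LoginEvent("dba_admin", "JUMP-01", "10.250.1.20", "vpn", datetime(2015, 2, 24, 23, 0)),
    LoginEvent("dba_admin", "WS-FIN-01", "10.250.1.20", "console", datetime(2015, 2, 24, 10, 0)),
]


def run(events=EVENTS):
    """Evaluate every event; returns a list of (user, allowed, reason)."""
    return [(e.user, *evaluate(e)) for e in events]


if __name__ == "__main__":
    for user, allowed, reason in run():
        print(f"{user:10} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Because the checks are ordered and the first failure wins, a stolen password used from an unfamiliar machine is refused before the IP or time checks run, and the reason string is what a SIEM rule would key on to alert on credential misuse rather than on a failed password.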
User Rank: Ninja
2/24/2015 | 3:25:56 PM
Re: No Two Factor?
Thanks Dave. Yeah, we were one of the companies that got new tokens, I had completely forgotten about that. I had missed your article about the backdoor in the algorithm, easy to understand your mistrust.

Does it get worse? We have used the Cisco VPN appliance/client software and now have moved to Juniper (Pulse client). Has the certificate protection installed in those clients been compromised, or is it easy to do so? That would have to be done along with knowing the SecurID number, along with my user name and PIN. If compromising that client is easy, we are really only protecting ourselves from amateurs with all this spend we have on this.

It's starting to become obvious to me the best thing my company has going for it is being boring. Even if you hacked every bit of intellectual property we have, you'd still need millions and millions of $ in capital investment in land and equipment just to possibly earn the 5% return on annual sales you might get. I really feel sorry now for companies whose lifeblood is information itself.
Dunkirk
User Rank: Strategist
2/24/2015 | 2:50:22 PM
The dog ate my homework
North Korea and China are now the equivalent of "the dog ate my homework" excuse. Expect every company that has a breach of any magnitude to trot this one out.

To me it is also interesting to read in other coverage that the administrator's password was being used for the SQL queries. An even simpler precaution would have been to protect that obviously valuable password via a privileged account management solution. I don't disagree with strong authentication, behavioral analysis or context-aware access control. However, to me, the key takeaway is multi-layer security. A castle is protected by a moat, and a drawbridge, and high walls, and ramparts, and soldiers with hot-oil cauldrons, arrows and the occasional flying cow launched at the enemy (can't resist a Monty Python aside). Hackers will always find an entree but we want them to get through one door only to see many more.

Good article, Dave.

Jackson Shaw
dak3
User Rank: Moderator
2/24/2015 | 2:37:54 PM
Re: No Two Factor?
Go here for all the reasons why I'm not an RSA fan...
TerryB
User Rank: Ninja
2/24/2015 | 12:53:46 PM
Re: No Two Factor?
I remember RSA was hacked awhile ago. But like all things security, never saw any detail of exactly what that hack exposed. Are you saying hackers have capability of discovering the Serial # on my hard token and then predicting my next number because they know the seed/algorithm? Or did somebody just hack RSA servers and see who was using their service?

Even if they stole the algorithm, how would they know what seed was being used? From what I read on that stuff, it was pretty solid code? Send me a good resource link on this hack if you have it handy.
dak3
User Rank: Moderator
2/24/2015 | 12:30:12 PM
Re: No Two Factor?
And, as I said in the article, it was an admin that was phished...

And, if that 2nd factor was SecurID, well, that's been compromised for a while...
TerryB
User Rank: Ninja
2/24/2015 | 11:31:28 AM
Re: No Two Factor?
No @Dak3, not what he said. He said just not effective in INTERNET authentication. He actually confirmed what I suspected, it would be near impossible to pull off in our Corp network.

The reason is clear: for Man in the Middle, you'd have to spoof our VPN server. That isn't on our internal network, it has its own security with this token. Since it uses a certificate before it even gives you signon credentials, you could not get "in the middle". Well, realistically anyway. Given enough inside information and access to the tools which created the certificate in the first place, along with poisoning DNS enough to redirect you to their VPN server, you could then capture what the user typed in. You'd then have about 30 seconds to come in through our real VPN server and get an IP address foothold in our private, non-internet-routable network.

Good luck with all that.

His other hack was Chicken or Egg. It depended on already compromising the computer going to sign on to the VPN in the first place. I'll give him part of that one, you could certainly grab the keystrokes of the PIN/token combination. But what I don't know is if you could grab the installation of the VPN client which contains the certificate to let the VPN server talk to you. As crappy as Windows/Linux computers are, I'd have to believe you probably could, as sad as that is.

But again, a lot of inside info is needed here, it would have to be an inside attack more than anything else, nothing you are going to sniff out cold from China with internet access and nothing else. Regular users aren't bright enough on all this to phish anything useful. If you find an internal admin stupid enough to give up all that info, well, there is no hope for your security, period.
dak3
User Rank: Moderator
2/24/2015 | 10:59:47 AM
Re: No Two Factor?
Two-factor authN is better than one, but as Bruce Schneier says "Two-factor authentication isn't our savior. It won't defend against phishing."

Read his blog post ("Two-Factor Authentication: Too Little, Too Late") from 2005 to see why.
Marilyn Cohodas
User Rank: Strategist
2/23/2015 | 10:27:56 AM
Re: class action
@psullivan726, It's pretty darn amazing that a healthcare company the size of Anthem would be so remiss. I wonder if that's typical for the healthcare insurance industry.