“If someone steals your password, you can change it. But if someone steals your thumbprint, you can’t get a new thumb. The failure modes are very different.” –Bruce Schneir
In my last post I talked about how the traditional security model is dead, and that companies have to start thinking in terms of “we’ve already been hacked” and move into a mitigation and awareness strategy. The temptation to put a set of really big, expensive, name brand firewalls at the edge of your network, monitor known vulnerabilities, and then walk away smug in the knowledge that you’ve not only checked a box on your next audit, but done all you can to protect your valuable assets is a strong one. But that temptation would be shortsighted and wrong.
Since I wrote last, one of the largest security breaches ever—and possibly the most damaging—was reported by the insurance giant, Anthem BlueCross BlueShield. Over 80 million accounts were compromised, and what makes this hack worse than most is that it included names, addresses, social security numbers, income, and some other stuff—pretty much everything that makes up your identity. In other words, you just got stolen. A credit card can be shut down and replaced, but it’s not so easy when it’s your whole identity.
Anthem is using wording suggesting that the company was the victim of “a very sophisticated external cyber attack” which, while plausible and largely face-saving, is almost guaranteed to not be the case. While the attack was probably perpetrated by an external entity, the sophistication of said attack is probably not high. In most of these cases it’s as simple as getting one employee inside the company to open the wrong file, click the wrong link, reveal the wrong thing, etc. The days of poking holes in firewalls and perpetrating truly sophisticated attacks from the outside in are largely gone, reserved for movies and nation-state cyber warfare.
The one thing we can take from this attack, absent of any further details, is that the company self-reported. They discovered the problem and responded immediately. What isn’t known is how long the attackers had access to the system before the company’s security team discovered and closed the breach. Hopefully we’ll get more information in the coming days and will get a better picture of the scope and attack vector used.
So, what do you think of the Anthem attack? Do you have processes in place today to respond to this sort of breach? Would you even know if you’d been breached?