Sophisticated Attacks Usually Aren't

“If someone steals your password, you can change it. But if someone steals your thumbprint, you can’t get a new thumb. The failure modes are very different.” –Bruce Schneier

In my last post I talked about how the traditional security model is dead, and that companies have to start thinking in terms of “we’ve already been hacked” and move into a mitigation and awareness strategy. The temptation to put a set of really big, expensive, name brand firewalls at the edge of your network, monitor known vulnerabilities, and then walk away smug in the knowledge that you’ve not only checked a box on your next audit, but done all you can to protect your valuable assets is a strong one. But that temptation would be shortsighted and wrong.

Since I wrote last, one of the largest security breaches ever—and possibly the most damaging—was reported by the insurance giant Anthem BlueCross BlueShield. Over 80 million accounts were compromised, and what makes this hack worse than most is that it included names, addresses, social security numbers, income, and some other stuff—pretty much everything that makes up your identity. In other words, you just got stolen. A credit card can be shut down and replaced, but it’s not so easy when it’s your whole identity.

Anthem is using wording suggesting that the company was the victim of “a very sophisticated external cyber attack” which, while plausible and largely face-saving, is almost guaranteed not to be the case. While the attack was probably perpetrated by an external entity, the sophistication of said attack is probably not high. In most of these cases it’s as simple as getting one employee inside the company to open the wrong file, click the wrong link, reveal the wrong thing, etc. The days of poking holes in firewalls and perpetrating truly sophisticated attacks from the outside in are largely gone, reserved for movies and nation-state cyber warfare.

The one thing we can take from this attack, absent of any further details, is that the company self-reported. They discovered the problem and responded immediately. What isn’t known is how long the attackers had access to the system before the company’s security team discovered and closed the breach. Hopefully we’ll get more information in the coming days and will get a better picture of the scope and attack vector used.

So, what do you think of the Anthem attack? Do you have processes in place today to respond to this sort of breach? Would you even know if you’d been breached?

  • Multiple vendor firewalls didn't do Anthem much good.

    The CMMS guidelines they are subject to specify that different vendor firewalls must be used between successive application layers (i.e. Web interface, app server, DB server).

  • On an interesting side note, I recently ran across Illumio and they make a security product that seems pretty unique so I thought I would share it here since this was a security thread.

  • After having worked with several companies in the health care industry, it's scary to see what their back-end infrastructure looks like and how disorganized they are at managing it.  To make it even more difficult their teams are typically silos that either don't work or don't work well with each other.  When you mention things like "centralized monitoring", "single pane of glass", or "centralized log management" they look at you like you fell off another planet.

    Even at more tech savvy companies what they accept as "security" is a joke.  They seem to think that edge firewall and hit/miss desktop patching covers it.  Two factor authentication is only seen in a small handful of companies that I have worked with, certainly not mainstream.

    At the end of the day, there is a lot of education and work that needs to be done out there and until it is you don't need sophistication to get past the limited security that does exist at these places.

  • In all honesty, past a moment or two of sheer puckering panic, they probably did report the hack immediately after it was discovered. The problem is, the attackers were probably in the system for months before they were discovered. An entire database of 80 million users' personal information can't be sucked out unnoticed in a short period of time. Most likely it was stored and moved slowly out.

  • I think that as more people wake up, micro-segmentation is going to see broader adoption than it has heretofore. That's only another defense mechanism, of course... as someone else mentioned, you have to keep adapting to new threats.