Security Experts:

Feedback Friday: Industry Reactions to Anthem Data Breach

The personal information of as many as 80 million people might have been compromised in the recent Anthem data breach.

Anthem hacked

The health insurance company is still trying to determine how many of its current and former customers and employees are impacted, but at this point in the investigation we know that the attackers gained access to names, medical IDs/social security numbers, dates of birth, addresses, email addresses and employment information. Medical and payment card information doesn’t appear to be affected, Anthem said.

According to reports, the breach dates back to at least December 10, 2014 and remained undetected until late January when a database administrator noticed suspicious activity.

HITRUST, which has been working with Anthem on the breach investigation, noted that the attack appears to be the work of an advanced persistent threat (APT) actor. Mandiant, the security company called in to investigate the breach, said the attackers had used custom backdoors that are not publicly available.

It’s uncertain who is behind the Anthem hack attack, but the main suspect appears to be the Chinese government. A memo released recently by the FBI and sources close to the investigation suggest that it might be the Chinese state-sponsored group known as Deep Panda.

And the feedback begins…

John Pirc, Chief Strategy Officer and Co-founder of Bricata:

"Based on media reports, it doesn’t seem like the attackers accessed medical or financial information and this should honestly make any affected customers/employees of Anthem breathe a little easier. I think we need to place the personal information that was breached into perspective. I can do a simple search today from a few Web sites and get many individuals' names, dates of birth, addresses, phone numbers, email addresses and employment information. The point is, other than your SSN and Member ID (unless these are already on Pastebin), the privacy of the former types of information I listed isn’t so private.


My recommendation to those that had their information breached is the following: Sign-up for identity theft protection as this will alert you if someone has tried to open up a credit card in your name, which requires a SSN. Lastly, I would be very careful in opening up attachments or clicking on links within emails that claim to be coming from Anthem."

Fortscale CEO Idan Tendler:

"While the cause of the Anthem breach is still under investigation, initial reports point to a compromised user scenario. This does not come as a surprise, as nearly 80% of breaches can be traced back to a hijacked employee log-in. In this case, it was an alert systems administrator who reportedly noticed his credentials had been used without his consent. Had he not noticed this, this breach could have potentially been even worse.


Compromised users continue to create great challenges for security teams. With legitimate access, it is difficult to detect whether an employee’s actions are actually being perpetrated by that employee or by an outside source. Companies need to maintain vigilant monitoring and focus their attention internally on user behavior and suspicious activity to thwart these types of attacks in the future."

Saryu Nayyar, CEO of Gurucul:

“While there could have been purpose-written malware used in the reconnaissance phase of this attack that evaded technical controls at the perimeter, it is far more likely that hackers used a compromised identity to gain access to Anthem's network, discover the valuable data and only then install malware to extract it. The problem is that stealing a logon credential is not necessarily a security breach activity. It can be a phone call, a borrowed password from a new "friend" that's a contractor, or an insider that has a plan all along to gain access and exfiltrate data like Edward Snowden. That is what makes these breaches so difficult. Human factors.


To deal with Human Factors as a risk variable, there is an emerging trend among CIO and CSOs of major corporations that involves wrapping user and machine behavior analytics around identities. Gartner calls this approach User Behavior Analytics or UBA. Meta data from these identities can be cross correlated to SIEM, DLP and other defense-in-depth security data sets to provide a 360 degree context of who was doing what, when, and where. So even if you have devices that are infected in a drive-by download or a watering hole attack, or via email using spear phishing campaign, the user's identity will be tracked to detect anomalous or unusual behavior that is exhibited and unknown even to them. You can start to predict bad behavior (even if unintentional) to prevent data loss.”

Ian Amit, Vice President, ZeroFOX:

“The Anthem breach is very interesting from several different perspectives: first, the breadth - about 80 million people could be affected by the breach. That's a huge number of personal data records to deal with, and I suspect that the implications of this breach will be felt for a long time.


Second - the immediate response from Anthem to the breach was 'this is not a HIPAA violation.' This is interesting considering the company's initial reaction is the immediate cost of the breach in terms of regulations. The real cost here is the huge exposure of PII of tens of millions of Americans, who are now going to be subjected to a higher rate of identity theft, spamming and social engineering by malicious actors using the stolen information.


Last but not least - this has been verified as an external attack. Beyond deflecting potential criticism on insider participation, it's highly likely that such an attack involved a hybrid approach vector - targeting both technical weaknesses in the Anthem infrastructure, as well as weaknesses in employee awareness and processes."

Nat Kausik, CEO of Bitglass:

“We’ll see more attacks on healthcare systems, both opportunistic and targeted. During the past three years, our analysis of breach disclosures from the US Department of Health and Human Services revealed that only 23 percent of healthcare breaches were due to hacking while 76 percent due to lost or stolen devices. That appears to be changing in favor of hacks. In the case of the Anthem data breach, hackers stole tens of millions of social security numbers, names and addresses from Anthem's databases entirely undetected. In fact, the average data breach lasts about 8 months before detection.”

Stephen Pao, GM of Security at Barracuda:

“The answer to help prevent these types of security breaches may lay on the side of the consumer. Surveys suggest that companies only spend about 5% of their revenue on IT and only about 5% of that IT budget on IT security. If consumers begin to value and are willing to pay more to providers who offer account protection through multi-factor authentication or additional encryption layers on their websites, consumer preference could entice companies to start increasing their security measures. In essence, consumers could vote for better security with their pocketbooks.”

Feris Rifai, CEO of Bay Dynamics:

“The Anthem data breach serves as yet another example of how we cannot take a siloed approach to threat detection and response. Once they have breached the perimeter, attackers focus on leveraging existing accounts to hide their activities within the noise of typical day-to-day events. Today’s organizations need to be able to 'connect the dots' across user profiles, focus on relevant events and correlate it back to high value IT systems, which are prime targets for attackers.


As Indicated by Anthem, the clues do point to an outsider infiltrating the network, gaining access to credentials and becoming an insider with high privilege access (admin rights), and then exploiting vulnerabilities in IT systems to drive a successful exfiltration of critical client data. Organizations cannot leave their security to chance actions by well-trained individuals. Just as they have invested in tools that address specific technical and environmental threats, so must they invest in tools that prevent this new breed of operational exploits.”

Jeff Williams, CTO, Contrast Security:

“On the plus side, they discovered this attack themselves, which is great news. Most of the large scale breaches are discovered by external parties — typically after the credit card companies notice a pattern of fraudulent purchases that lead back to the compromised company. They didn’t say how they discovered the breach or how long the attackers have been in control of their systems.


They also seem to be doing a pretty good job of responding. They have a website and FAQ set up and appear to be sharing details with the affected folks. For the most part, I liked the CEOs message. He mentions that his own information was disclosed. I also liked this statement, "I want to personally apologize to each of you for what has happened, as I know you expect us to protect your information.” I think it’s important that companies acknowledge this obligation, and not fall back on compliance or best effort.


However, I’m getting tired of the “very sophisticated” refrain every time someone gets hacked. Most of these attacks aren’t that sophisticated at all. If it turns out to be SQL Injection or some other well known, well understood vulnerability, then they should be embarrassed to imply that it is high tech. The reason companies do this is to make it seem as though the attackers have such amazing skills that no amount of security defenses could have stopped them. The reality is that most organizations haven’t done nearly enough to ensure that their systems don’t have simple obvious vulnerabilities.


From the FAQ on their website, they still don’t know how many people were actually affected. Everyone seems to want to know this fact right away, but it’s a poor way to judge the seriousness of a breach.


Also, I’m frustrated that the press continues to focus on what information was released, how many records were stolen, was it birthdates or credit cards, etc… To me, the important thing is that for some period of time, we don’t know if it was weeks or months, hackers were in control of Anthem. They may not have taken full advantage of their takeover. But if they wanted to, they could have done much worse things than stealing data. They could have corrupted health care records, or deleted case history, disrupted payments, or interfered with drug prescription approvals. They could have gotten people killed.”

Ken Bechtel, Malware Research Analyst, at Tenable Network Security:

“Speculation on the origin, and attack method of the Anthem attack misses the point. Attribution is extremely difficult to do, more so when the attacked organization is trying to do damage control and protect those who had personal information leaked. Forensics can take time to say definitively how the attack started. I think that for now, rather than concerning ourselves with these issues, we should focus on the real victims―the people who have had enough information about them leaked to have their identity compromised. What are we as an industry going to do to protect them?"

Paul Lipman, CEO of iSheriff:

"It's far too early to comment specifically on how Anthem was breached, who was responsible, and whether Anthem has any culpability in terms of the robustness (or lack thereof) in their security posture. However, the FBI has notably praised Anthem for the speed with which they alerted authorities upon determining that their network had been breached. Unfortunately, we should expect to see continued high-profile cyber-attacks of this nature in 2015, as companies race to keep pace with cyber-criminals’ level of funding and sophistication. Nevertheless, a key difference that we will see from some of the major 2014 breaches is in the level of rapid engagement with government agencies once a cyber-attack has been detected.”

Ivan Shefrin, VP of Security Solutions at TaaSera, Inc:

"Simple mistakes at small companies can lead to big problems up the supply chain: The health insurance industry reflects a deeply interconnected web of companies, including hospitals, doctors, practices, secondary insurance providers, and government programs. Most large organizations have a strong team of in-house cyber security exports. However, the majority of companies with which they connect are small and understaffed with limited budgets for cyber security.


I recently worked with a healthcare provider whose network connects with the broader insurance payment industry. We quickly discovered that their primary database for patient medical records was under attack from servers in France and Russia. The attack vector turned out to be an exploit pattern using Microsoft remote desktop protocol (RDP). The vendor responsible for the patient medical records application had used remote desktop access to facilitate ongoing technical support, but left open that 'back door' open.


RDP is a notoriously insecure protocol whose default settings expose the crown jewels of many businesses to public network connections. Given the tangled web of connections among healthcare service organizations, payment and insurance providers, it’s not hard to see how a simple configuration oversight might lead to a major data breach and HIPAA violation. It wouldn’t surprise me to learn that the Anthem breach began with a small healthcare provider, supply chain vendor or customer."

Alan Kessler, CEO, Vormetric:

“Unfortunately, this attack may very well lead to wide-scale attempts at identity theft later on down the line. Additionally, the acceleration of “dark” markets for stolen personal data (ranging from 25 cents for credit card data and verification code to $500 or more for a full profile with health data) indicates we will likely hear of sales of this information online.


We don’t actually know how the information was breached. We’ve heard an administrator’s credentials might have been stolen and the person who had their credentials compromised saw certain activity on their account and may have raised the issue. Because we don’t know if it was a DB admin, App Admin, Network Admin or Server admin, we really can’t speculate.


Anthem’s decision to quickly disclose the data breach is a laudatory one; the notion that businesses should keep these attacks quiet is an absurd and unethical. However, the company’s assertion that it “doesn’t expect the incident to affect its 2015 financial outlook” may be wishful thinking. We’ve seen the impact attacks have had on companies like Target and Home Depot from a legal, reputational and financial standpoint. Concurrently, Anthem will have to deal with very angry customers for some time, meaning resources will diverted to assuaging fears and convincing consumers.”

Carl Wright, general manager of TrapX:

“Fortune 500 companies continue to spend millions of dollars on network perimeter firewalls, intrusion prevention and host level security technologies, but, as the Anthem, Sony, Target and J. P. Morgan breaches illustrate, the bad actors continue to get in.


Even more concerning, cyber criminals are now going after health care records because they hold up to ten times more value on the black market over simple credit card numbers. Unlike a credit card that can be quickly cancelled and reissued, medical health records contain social security numbers, personal addresses, medical conditions and contact information on other family members. This is information that can be used to steal someone’s entire identity.“

Philip Casesa, CISSP, CSSLP and Director of IT/Service Operations at (ISC)²:

"The impact of an identity breach is potentially more dangerous and harmful than that of a credit card breach. The disclosure of Social Security numbers and other data points such as income, employment status and birth dates allow attackers to sell this information to other criminal operations. Other potential issues with identity breaches involve the ability for the hackers to commit massive fraud themselves by creating accounts with credit card companies or other financial institutions, causing the victim to cope with the fallout from such a violation for an extended period of time. “

Trent Telford, CEO, Covata:

“The impact of this data breach could be severely damaging for the members of Anthem. Health care providers hold verified personal information that can tell thieves almost anything they need to know about a person, including where they live, their phone number and email addresses and also their social security details. All of this data, in the wrong hands, can be sold on for profit, used to conduct Medicare fraud or identity theft.


It is irresponsible for businesses not to encrypt the data. We have to assume thieves are either inside, or are going to break in - they will always build a 'taller ladder' to climb over perimeter security - we must protect the data itself. As a business owner I pay the bills for my employees' health care service and I want to know their information is secure.”

Until next Friday, have a great weekend!

view counter