A lot has already been written on the Anthem breach: the extent of data loss, possible penalties and financial losses, the likely attackers and their motives, the impact on Anthem's customers, and so on.
From a security operations point of view, I was trying to find more technical details on how the breach happened and how it could have been prevented.
Little data is available on how it happened, apart from the fact that an uncommon database query is what set off the alarm bells. Gaining database admin rights to run such a query is certainly not a single-stage attack. If we look at the Target or JPMorgan breaches, it can be speculated that the first point of entry could have been a spear phishing attack, a compromise of one of Anthem's smaller (less secure) service providers, or a breach of a not-so-important website. Once entry was gained, the attacker could have taken multiple steps to escalate privileges and reach the database. It is a no-brainer today that all employees need to be trained on how not to fall prey to a spear phishing attack, and that all service providers with any access to your applications need to be continually evaluated on their security controls. If it is yet another phishing attack or service provider weakness that opened the gates at Anthem, that is definitely bad news: we are not learning from our mistakes.
It is said that certain types of information, such as SSNs (social security numbers), were stolen, while other information, such as patient health data and credit card data, was not. It is interesting to note that even in the JPMorgan breach there was a clear highlight of what was "not stolen". It is not clear whether what was stolen reflects the motive of the attackers or a difference in data security controls for different types of data: was one set of data encrypted, and hence could not be stolen, or was it simply useless to the attacker? If it is because the data was encrypted, then security technologies and their adoption in real life are possibly getting better, and that is definitely good news.
Anthem detected the breach themselves, unlike JPMorgan or Target, who came to know about it from other sources. This again could be good news: companies are deploying breach detection mechanisms, and those mechanisms are getting better. It is not clear whether a diligent DBA spotted this manually or the alert was raised by a well-configured DAM (database activity monitoring) tool. Either way, it is positive news.
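To make concrete what "an uncommon database query set off the alarm bells" looks like as a detection rule, here is an added example that is not part of the original post and has nothing to do with Anthem's actual tooling or data. It assumes a hypothetical audit log format (`ts user= db= stmt= rows=`), constructed sample lines, and invented principal names; the logic is the kind of per-principal baseline a DAM tool or a DBA's own script could apply: learn which query shapes each account normally runs and how large its result sets normally are, then flag statements that fall outside that baseline.

```python
import re
from collections import defaultdict

# Hypothetical audit log line format (an assumption for this example, not any vendor's format):
#   <timestamp> user=<principal> db=<database> stmt=<SQL text> rows=<rows returned>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) "
    r"stmt=(?P<stmt>.+?) rows=(?P<rows>\d+)$"
)

# Constructed baseline period: what "normal" traffic looks like for each account.
BASELINE_LOG = [
    "2015-01-05T09:01:02 user=app_svc db=members stmt=SELECT name, plan_id FROM members WHERE member_id = 1001 rows=1",
    "2015-01-05T09:01:09 user=app_svc db=members stmt=SELECT name, plan_id FROM members WHERE member_id = 2048 rows=1",
    "2015-01-05T09:02:31 user=app_svc db=members stmt=UPDATE members SET plan_id = 7 WHERE member_id = 2048 rows=1",
    "2015-01-06T02:00:00 user=batch_rpt db=members stmt=SELECT plan_id, COUNT(*) FROM members GROUP BY plan_id rows=12",
    "2015-01-07T11:15:44 user=dba_jane db=members stmt=SELECT COUNT(*) FROM members rows=1",
]

# Constructed day under review: two of these lines should be raised as alerts.
REVIEW_LOG = [
    "2015-01-12T09:00:12 user=app_svc db=members stmt=SELECT name, plan_id FROM members WHERE member_id = 3307 rows=1",
    "2015-01-12T23:41:03 user=app_svc db=members stmt=SELECT member_id, name, ssn, dob FROM members rows=50000",
    "2015-01-12T23:42:10 user=dba_jane db=members stmt=SELECT plan_id, COUNT(*) FROM members GROUP BY plan_id rows=12",
    "2015-01-13T02:00:00 user=batch_rpt db=members stmt=SELECT plan_id, COUNT(*) FROM members GROUP BY plan_id rows=12",
]


def parse_line(line):
    """Parse one audit line into a dict; reject lines that do not match the expected format."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    rec = m.groupdict()
    rec["rows"] = int(rec["rows"])
    return rec


def query_shape(stmt):
    """Reduce a statement to its shape: literals replaced by '?', whitespace and case normalised,
    so that the same application query with different bound values counts as one shape."""
    s = re.sub(r"'[^']*'", "?", stmt)
    s = re.sub(r"\b\d+\b", "?", s)
    return re.sub(r"\s+", " ", s).strip().upper()


def build_baseline(lines):
    """Per (principal, database): the set of query shapes seen and the largest result set returned."""
    shapes = defaultdict(set)
    max_rows = defaultdict(int)
    for rec in map(parse_line, lines):
        key = (rec["user"], rec["db"])
        shapes[key].add(query_shape(rec["stmt"]))
        max_rows[key] = max(max_rows[key], rec["rows"])
    return {"shapes": dict(shapes), "max_rows": dict(max_rows)}


def find_anomalies(baseline, lines, row_factor=10):
    """Return (timestamp, principal, reason) for each statement outside the principal's baseline:
    a query shape that account has never run, an account never seen before, or a result set
    more than row_factor times larger than anything that account has returned before."""
    findings = []
    for rec in map(parse_line, lines):
        key = (rec["user"], rec["db"])
        shape = query_shape(rec["stmt"])
        known = baseline["shapes"].get(key, set())
        reasons = []
        if shape not in known:
            reasons.append("query shape never seen for this principal" if known else "unknown principal")
        ceiling = baseline["max_rows"].get(key, 0) * row_factor
        if known and rec["rows"] > ceiling:
            reasons.append(f"result set of {rec['rows']} rows exceeds {row_factor}x baseline max ({ceiling // row_factor})")
        if reasons:
            findings.append((rec["ts"], rec["user"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for ts, user, reason in find_anomalies(build_baseline(BASELINE_LOG), REVIEW_LOG):
        print(f"ALERT {ts} {user}: {reason}")
```

On the constructed data this raises the application account's late-night full-table read of sensitive columns (new shape and a result set far above its norm) and the DBA account running a report it has never run before, while leaving the routine application lookups and the scheduled batch report alone. Whether such an alert reaches a human quickly, and whether the baseline is built from trustworthy history, matters as much as the rule itself.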
As more details come in on the Anthem breach, we will know how much we have learnt from the past. Every breach is a wake-up call reminding us that we need to get better.
About the Author: Jose Varghese is the Co-founder, Director and Head of Paladion's Managed Services practice. Jose is an instructor for SANS courses in India and also plays an active role in various information security forums.