BreachExchange mailing list archives
Anthem Security Breach: Who’s to Blame?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 12 Feb 2015 18:31:29 -0700
http://www.datacenterjournal.com/it/anthem-breach-whos-blame/

Security breaches at big-name companies have become staples in the news, with the latest being health-insurance provider Anthem. According to the company, the breach exposed data from employees as well as current and former customers, including “names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.” Although the company said that credit-card information, along with medical information, remained secure, just a compromised Social Security number can cause victims loads of trouble. So just who is to blame for this breach and the hassles that it will instigate?

Blame Anthem

Some of the blame clearly falls on Anthem. Maintaining sensitive customer data—particularly such ubiquitous and near-permanent identifiers as Social Security numbers—incurs greater responsibility than simply maintaining records of transactions or even credit-card numbers (which can be changed easily). And given that the entire health-insurance industry received a gift through Obamacare, which amounted to a government-mandated expansion of the clientele, greater security should have been a top priority. In particular, the data should have been strongly encrypted and access limited.

That being said, Anthem no doubt suffered partially because it is a large, well-known company that maintains valuable information as part of its business model. It was therefore a clear target for hackers, and no organization can hope to withstand sustained attacks indefinitely. As Ken Westin points out at MIT’s Technology Review, even encryption might not have been enough to save Anthem. “Encryption is just one part of the arsenal that organizations need to deploy to secure sensitive data. Encryption is great for securing data in transit and at rest, but if the credentials and keys are compromised it does little to protect the data.”

The weakest link in the security chain, not surprisingly, is people. “It’s ridiculously easy for cybercriminals to find the information they need to compromise almost any organization,” notes Westin. “An attacker who can compromise a system via the credentials of a user with administrator-level access to the data warehouse can easily steal more credentials, find monetizable information, and exfiltrate unencrypted data.”

Blame the Cloud

Once upon a time, stealing information required physical access to company files (the paper kind if not a physical storage medium), which necessitated breaking into and burglarizing a facility. With the networking of so much of business (the Internet, which we might loosely term the cloud), that information is now available to hackers from the comfort of home if they have the right tools, some stick-to-itiveness and maybe some help—witting or unwitting—from inside. Writing at Forbes, Gene Marks said, “The cloud has won. And although both businesses and consumers are wary (if not fearful) of its security concerns, its benefits are just too significant. There will be many more incidents in the years to come…But please don’t complain…We asked for this.” Marks identifies the fact that consumers have weighed the benefits of the cloud against the risks, and they have found the benefits too good to pass up. Much of this trend is driven by mobile devices—those paragons of convenience that have earned such names as “pocket rats” in the case of smartphones. Unfortunately, the convenience of being able to shop, bank, pay taxes, communicate, do business and so many other things while warming a comfortable chair at home has costs, and one of them is the ability of hackers to do their business with the same ease. Life involves tradeoffs, and security may be one of the necessary tradeoffs in this case.

So, in a sense, the cloud is partly to blame, but in another sense, it’s not. If you pick up a snake, you’re likely to get bit—it’s just the nature of the snake. Therefore, cloud (read: Internet) users take a chance every time they connect, particularly when they share sensitive information.

Blame the Hackers

Of course, if everyone respected everyone else, such incidents as the Anthem breach wouldn’t occur, and there’d be no need to discuss security. Unfortunately, however, the world is full of bad actors who must bear the brunt of the blame for their actions. It’s easy to lay all the blame on, say, a bank when a robber strikes, but barring gross negligence, the bank probably isn’t at fault. Sure, there’s always another security apparatus that might have helped, but every business (and consumer) has to make choices based on limited knowledge and resources. Most consumers, for instance, could easily invest more in home security, but each one must weigh the costs (including inconvenience) against the threat. In some neighborhoods, certain security measures may be overkill; in others, they may be necessary. Only in hindsight (and sometimes not even then) can we determine which measures could have or should have been in place. So, remember that even though other parties—including Anthem—may deserve some blame for a breach, security is a back-and-forth game of strategy that has no formula for easy victory. Every system has weaknesses (even if they are only on the human side), so the threat will always be present.

Blame the Government

Some have speculated that state-sponsored hackers may have perpetrated the Anthem breach. It really doesn’t matter, except that sponsorship by a nation-state involves many more resources than some punk in a garage can muster. The NSA, for instance, has a multi-billion-dollar budget and powerful data centers to support its nefarious efforts, and certainly other countries have their own agencies with similar missions.

This petty game that politicians play (and that, unfortunately, sweeps up innocent citizens in its wake) leads to trouble, particularly when geopolitical tensions are involved. Thus, the bizarre attitude of the West toward Russia, including sanctions for Russia’s supposed involvement in Ukraine (as though the U.S., for instance, never gets involved militarily in the affairs of nearby nations, to say nothing of those halfway around the world), invites the sort of low-level response that hacking represents.

In addition, the use of Social Security numbers as ID numbers beyond the purposes of the eponymous Ponzi scheme creates numerous hazards for citizens. A stolen Social Security number is almost on par with stolen fingerprints: replacement can be a nightmare. Nevertheless, this number can open all sorts of doors into your personal information, enabling identity theft or worse. That use of such a government-mandated identifier is permitted (let alone that such a number exists) is a crime. So, when assigning blame for the inevitable negative results of the Anthem breach, don’t forget to save some for the bloated entity whose Ponzi scheming made a single number the virtual key to unlock people’s lives.

Blame Human Nature

Also to blame is our own nature. Even the smartest among us is liable to fall for a social-engineering ploy—particularly if it’s well-researched and cunningly crafted—perhaps during a time of fatigue or a lapse in concentration. Unfortunately, such a lapse could be all a hacker needs to break into a company’s database and steal troves of information. Even in more-secure situations, such a ploy could enable the hacker to gain access to less sensitive information that nevertheless permits more-sophisticated attacks, leading to a progressive breakdown in security. The variables involved in securing a system are simply too numerous and diverse to address comprehensively, and the human factor is probably the most difficult.

Conclusions

There’s plenty of blame to go around for the Anthem breach, but most resides with the hackers—whoever they may be. Sure, Anthem should have been more careful and should have encrypted its data, particularly Social Security numbers. Yes, the interconnectivity of the cloud encourages hackers and potentially gives them access to many more lucrative data sources. The government, as usual these days, also deserves some censure for its blockheaded Ponzi schemes and its laxity in allowing private businesses to use Social Security numbers for identification. Indeed, human nature practically guarantees security lapses. Whatever the case, however, none of these trends is changing, so expect more such breaches in the future. The only question is at what point security threats will trump convenience.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients, contact us!