BreachExchange mailing list archives

Anthem Security Breach: Who’s to Blame?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 12 Feb 2015 18:31:29 -0700

http://www.datacenterjournal.com/it/anthem-breach-whos-blame/

Security breaches at big-name companies have become staples in the news,
with the latest being health-insurance provider Anthem. According to the
company, the breach exposed data from employees as well as current and
former customers, including “names, birthdays, medical IDs/social security
numbers, street addresses, email addresses and employment information,
including income data.” Although the company said that credit-card
information, along with medical information, remained secure, just a
compromised Social Security number can cause victims loads of trouble. So
just who is to blame for this breach and the hassles that it will instigate?

Blame Anthem

Some of the blame clearly falls on Anthem. Maintaining sensitive customer
data—particularly such ubiquitous and near-permanent identifiers as
Social Security numbers—incurs greater responsibility than simply keeping
records of transactions or even credit-card numbers (which can be changed
easily).
And given that the entire health-insurance industry received a gift through
Obamacare, which amounted to a government-mandated expansion of the
clientele, greater security should have been a top priority. In particular,
the data should have been strongly encrypted and access limited.

That being said, Anthem no doubt suffered partially because it is a large,
well-known company that maintains valuable information as part of its
business model. It was therefore a clear target for hackers, and no
organization can hope to withstand sustained attacks indefinitely. As Ken
Westin points out at MIT’s Technology Review, even encryption might not
have been enough to save Anthem. “Encryption is just one part of the
arsenal that organizations need to deploy to secure sensitive data.
Encryption is great for securing data in transit and at rest, but if the
credentials and keys are compromised it does little to protect the data.”
The weakest link in the security chain, not surprisingly, is people. “It’s
ridiculously easy for cybercriminals to find the information they need to
compromise almost any organization,” notes Westin. “An attacker who can
compromise a system via the credentials of a user with administrator-level
access to the data warehouse can easily steal more credentials, find
monetizable information, and exfiltrate unencrypted data.”

Blame the Cloud

Once upon a time, stealing information required physical access to company
files (the paper kind if not a physical storage medium), which necessitated
breaking into and burglarizing a facility. With the networking of so much
of business (the Internet, which we might loosely term the cloud), that
information is now available to hackers from the comfort of home if they
have the right tools, some sticktoitiveness and maybe some help—witting or
unwitting—from inside.

Writing at Forbes, Gene Marks said, “The cloud has won. And although both
businesses and consumers are wary (if not fearful) of its security
concerns, its benefits are just too significant. There will be many more
incidents in the years to come…But please don’t complain…We asked for
this.” Marks identifies the fact that consumers have weighed the benefits
of the cloud and the risks, and they have found the benefits too good to
pass up. Much of this trend is driven by mobile devices—those paragons of
convenience that have earned such names as “pocket rats” in the case of
smartphones. Unfortunately, the convenience of being able to shop, bank,
pay taxes, communicate, do business and so many other things while warming
a comfortable chair at home has costs, and one of them is the ability of
hackers to do their business with the same ease. Life involves tradeoffs,
and security may be one of the necessary tradeoffs in this case.

So, in a sense, the cloud is partly to blame, but in another sense, it’s
not. If you pick up a snake, you’re likely to get bit—it’s just the nature
of the snake. Therefore, cloud (read: Internet) users take a chance every
time they connect, particularly when they share sensitive information.

Blame the Hackers

Of course, if everyone respected everyone else, such incidents as the
Anthem breach wouldn’t occur, and there’d be no need to discuss security.
Unfortunately, however, the world is full of bad actors who must bear the
brunt of the blame for their actions. It’s easy to lay all the blame on,
say, a bank when a robber strikes, but barring gross negligence, the bank
probably isn’t at fault. Sure, there’s always another security apparatus
that might have helped, but every business (and consumer) has to make
choices based on their limited knowledge and resources. Most consumers, for
instance, could easily invest more for greater home security, but each one
must weigh the costs (including inconvenience) against the threat. In some
neighborhoods, certain security measures may be overkill; in others, they
may be necessary. Only in hindsight (and sometimes not even then) can we
determine which measures could have or should have been in place.

So, remember that even though other things—including Anthem—may deserve
some blame for a breach, security is a back-and-forth game of strategy that
has no formula for easy victory. Every system has a weakness (even if it’s
just on the human side), so the threat will always be present.

Blame the Government

Some have speculated that state-sponsored hackers may have perpetrated the
Anthem breach. It really doesn’t matter, except that sponsorship by a
nation-state involves many more resources than some punk in a garage can
muster. The NSA, for instance, has a multi-billion-dollar budget and
powerful data centers to support its nefarious efforts, and certainly other
countries have their own agencies with similar missions. This petty game
that politicians play (and that, unfortunately, sweeps up innocent citizens
in its wake) leads to trouble, particularly when geopolitical tensions are
involved. Thus, the bizarre attitude of the West toward Russia, including
sanctions for Russia’s supposed involvement in Ukraine (as though the U.S.,
for instance, never gets involved militarily in the affairs of nearby
nations, to say nothing about those halfway around the world), invites the
sort of low-level response that hacking represents.

In addition, the use of Social Security numbers as ID numbers beyond the
purposes of the eponymous Ponzi scheme creates numerous hazards for
citizens. A stolen Social Security number is almost on par with stolen
fingerprints: replacement can be a nightmare. Nevertheless, this number can
open all sorts of doors into your personal information, enabling identity
theft or worse. That use of such a government-mandated identifier is
permitted (let alone that such a number exists) is a crime. So, when
assigning blame for the inevitable negative results of the Anthem breach,
don’t forget to save some for the bloated entity whose Ponzi scheming made
a single number the virtual key to unlock people’s lives.

Blame Human Nature

Also to blame is our own nature. Even the smartest among us is liable to
fall for a social-engineering ploy—particularly if it’s well-researched and
cunningly crafted—perhaps during a time of fatigue or a lapse in
concentration. Unfortunately, such a lapse could be all a hacker needs to
break into a company’s database and steal troves of information. Even in
more-secure situations, such a ploy could enable the hacker to gain access
to less sensitive information that nevertheless permits more-sophisticated
attacks, leading to a progressive breakdown in security. The variables
involved in securing a system are simply too numerous and diverse to
address comprehensively, and the human factor is probably the most
difficult.

Conclusions

There’s plenty of blame to go around for the Anthem breach, but most
resides with the hackers—whoever they may be. Sure, Anthem should have been
more careful and should have encrypted its data, particularly Social
Security numbers. Yes, the interconnectivity of the cloud encourages
hackers and potentially gives them access to many more lucrative data
sources. The government, as usual these days, also deserves some censure
for its blockheaded Ponzi schemes and its laxity in allowing private
businesses to use Social Security numbers for identification. Indeed, human
nature practically guarantees security lapses. Whatever the case, however,
none of these trends is changing, so expect more such breaches in the
future. The only question is at what point security threats will trump
convenience.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/