The Anthem Breach: What We Know Now

The first thing I do in the morning when I reach the office is check my email. Today, I received this email from Anthem before I even saw the news: I have to give Anthem credit. I learned about the breach directly from the CEO before all the hype and speculation hit. This is the level of caring and responsibility I personally expect as an Anthem customer. So now that the news is out there, let’s talk about the technical aspects of the breach. The news media has been quick to latch onto information regarding the Anthem breach. Few details have been publicly released, except that suspicious database activity occurred a little over a week ago and that law enforcement (FBI) was notified of the breach. FireEye (Mandiant) has been contracted to assist in the investigation, and early reports suggest the attack originated from China. This leads to the obvious questions of what was taken and what wasn’t touched: Compromised Data: names, birthdays, medical ID’s, social security numbers, addresses, email addresses, employment information, and income Data Not Disclosed: medical records, credit cards, current and previous subscribers So we have a breach that affected 80 million people. Which iron-fisted government penalty or oversight will Anthem have to endure? That is a huge unknown. Because no actual medical information was stolen, the 1996 HIPAA (Health Insurance Portability and Accountability Act) is not applicable – even though Anthem is a healthcare provider. Since no credit card information was stolen, PCI regulations don’t apply either. At first glance, Anthem’s inability to secure Personally Identifiable Information (PII) is not in clear violation of major compliance and regulatory initiatives. However, I would argue that my PII is more valuable than my medical records since it can be used for very targeted attacks – especially when combined with my employer information. This was a sophisticated attack looking for specific information, and the attackers clearly found what they were looking for. So what’s next? Well, the headlines have just begun, and more details are sure to come to light. For instance, we’ll hopefully learn how an external attacker became an internal threat, as well as which vulnerabilities and privileges where leveraged to gain access to Anthem’s database. In addition, expect more focus on privileges since only a user with elevated access could have been making these queries to the Anthem database and funneling the information out. There is no solution that can prevent all types of threats. However, best practices can make a significant difference. At BeyondTrust, we have several solutions that potentially could have identified or stopped this threat from occurring in the first place:

• PowerBroker Password Safe automatically cycles and rotates passwords for accounts and databases, while generating reports and alerts to notify administrators of unauthorized access.
• PowerBroker for UNIX and Linux manages least-privilege access across UNIX, Linux and Mac servers, with the ability to alert when specific commands are executed.
• PowerBroker for Windows enforces least privilege for Windows desktops and servers, with the ability to restrict the installation of non-approved software that can be used as a conduit to extract data out of the organization.
• Retina CS Enterprise Vulnerability Management detects vulnerabilities and system configuration changes that could lead to a system compromise.
• The BeyondInsight IT Risk Management Platform, included with the above solutions, offers Clarity Advanced Threat Analytics to detect outlier behavior and report on abnormal activity.

Stay tuned to the BeyondTrust Blog for more information on the Anthem breach and what you can do to reduce your organization’s risk of similar security incidents.