Initial Report of Breach
On February 4, 2015 Anthem, Inc., the second-largest for-profit managed health care company in the United States, announced that it had suffered a massive data breach. Hackers gained access to a corporate database reportedly containing personal information on as many as 80 million of the health insurer’s current and former U.S. customers and employees. “Anthem was the target of a very sophisticated external cyber attack,” says Joseph R. Swedish, president and CEO of Anthem Inc. “These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members, such as their names, birthdays, medical IDs/social security numbers, street addresses, e-mail addresses and employment information, including income data,” he said.
“Because an administrator’s account was compromised, no amount of encryption would have prevented this attack,” said Darrel Ng, a spokesman for Anthem Blue Cross in California, after the company began warning the public about the breach.
What Really Happened?
According to Anthem, the intrusion began as early as December 10, 2014, and went undetected until January 27, 2015 when an Anthem system administrator noticed that their credentials were being used to access the corporate network and steal data. There were some indicators of compromise that went back to April 2014. The intrusion was publicly announced on February 4, 2015.
The intrusion appears to have begun with a successful phishing attack, compromising the credentials of up to five Anthem employees who had administrator access. The attack apparently came from China.
The data of up to 80 million Anthem customers and employees was stolen. The data the intruders stole from the health care insurer’s database was not encrypted.
What Was the Outcome?
- 80,000,000 customer and employee records were stolen including “…names, birthdays, medical IDs/social security numbers, street addresses, e-mail addresses and employment information, including income data”.
- Submission of fraudulent US tax returns using data from the Anthem breach may have occurred. The information released and the timing of the breach, during “tax season”, would have made submitting fraudulent tax returns easy.
- Phishing attacks targeting Anthem customers who wish to sign up for credit monitoring services offered by Anthem have been seen, putting more personal identity and medical data at risk.
- Dependents of Anthem customers also had personal information exposed.
- Attorney’s General in six states and the US Senate began their own investigations over whether Anthem informed customers of the breach as required by law.
- Class-Action lawsuits have been filed against Anthem on behalf of its customers.
- Costs of data breach is likely to exceed $100,000,000.
Indicators of Compromise
Anthem and WellPoint Name Change
In November 2004 Anthem Insurance Company acquired WellPoint Health Networks. As a result of the merger, Anthem Insurance Company rebranded itself WellPoint, Inc.
Ten years later, in December of 2014, WellPoint, Inc. changed its name to Anthem, Inc.
Malicious Domains Registrations
In April 2014, the domain name we11point.com (with the numeral one masquerading as l’s) was registered in China. Subdomains including myhr.we11point.com, hrsolutions.we11point.com, and extcitrix.we11point.com were also set up mimicking the domain structure of WellPoint, Inc., as it existed in April 2014.
Given that the company name changed from WellPoint to Anthem the use of malicious WellPoint domains may have been overlooked. It is considered a best practice to register domain names that are similar to or variations of the actual domain names that an organization uses in order to prevent fraudulent activity.
Remote Database Access
A backdoor process that allowed for remote database access and exfiltration of records was installed at Anthem by the intruder.
Backdoor processes that are installed by trojan or other malware can be extremely hard to find. If a rootkit accompanied the installation of a backdoor, looking in the connection list for suspicious connections and processes may not help. That’s because a rootkit will often contain the tools that it needs to keep that its malicious programs out of the process and connection listing.
It’s easiest to find malicious backdoors when they are actually in use. That’s where traffic analysis can help identify the malicious traffic as suspicious.
How Could This Breach Have Been Prevented? (Lessons Learned)
Email Phishing Controls
Email phishing appears to have been how the intruders gained access to Anthem’s network and databases. Phishing is not “a very sophisticated external cyber attack” as claimed by Anthem’s CEO. Email phishing attacks are perhaps the least sophisticated attack methodology used and is also perhaps the most often used attack method.
Why? Because it works. Because everybody has email. Therefore, everyone is a potential target. The sheer volume of email can be hard to monitor effectively. Phishing is low in cost to the attacker. The marginal cost of the next phishing email sent is negligible. Therefore, it is easy to keep sending phishing email. Eventually, the attacker will get through, especially if the email recipient is expected to act as a security control and filter their own email.
Because of all these reasons, an email proxy service that manages email and protects against spam and phishing should be employed. An email proxy service can, at the very least:
- Filter out spam
- Virus check email
- Remove attachments to email, either globally or selectively
- Remove or disable any links embedded in email
- Quarantine suspicious email
Additionally, phishing “tests” can be conducted by the organization to see who falls for the attack and needs training. Resources like the Anti-Phishing Work Group (www.awpg.org) can help with education on phishing attacks and defense.
Separation of Duties: Database Administration
- Should the compromise of a single database administrator’s credentials have led to a complete compromise of the database? Never.
- Should compromised network credentials also permit database access? Never.
- Should there be different role definitions with different access levels and task differentiation for database administrators, database architects, application database administrators, database analysts, and data warehouse administrator? Always.
- Should any of these roles allow for an unfettered ability to export 80 million records outside the organization? Never.
Separation of duties has long been used in the physical world to ensure that a single individual cannot perform tasks that have a high potential for loss or damage. For example, two people are needed to open the safe in a bank, two people are required to sign checks over a certain amount, two individuals are required to turn the missile launch keys, etc.
In information technology, separation of duties has long been part of the software development life cycle (SDLC), so that no one person is in a position to introduce fraudulent or malicious code or data into a system.
In a SQL database environment a lack of separation of duties is often cited as a common configuration vulnerability. Database vendors are providing better tools to permit better separation of duties. Traditionally, to prevent one administrator from copying an entire database, databases have been spread across several server instances with each instance requiring different administrators to access.
If confidentiality of data is desired, then the best way to achieve confidentiality is through encryption. Encrypted data has a utility value of zero until it’s unencrypted. If encrypted data is stolen, the value of the data to the thief is also zero. Assuming the use of a strong encryption algorithm and strong keys. Some compliance regulations, including HIPAA, do not require the reporting of information as lost if it’s encrypted.
The problem with encryption is that businesses are be afraid of it. Businesses are afraid of losing access to their data if control over the keys is lost. Key management is not easy and can be expensive to implement across an organization. In the case of Anthem, there have been statements that encryption is cumbersome and impedes access to data and therefore impedes business. An Anthem spokesman has also been quoted as saying “…that no amount of encryption would have prevented this attack” because an administrator account had been compromised.
That statement from Anthem assumes that a single administrator account would have had access to all data across the organization and access to all the keys needed to unencrypt the data and that the administrator’s role definition would have permitted export of the database.
None of this needs to be true. The statement regarding administrator access almost seems to be used to justify the position that encryption is hard to implement and manage and impedes business and that it wouldn’t have protected the data anyway, so why bother? What is really being highlighted here is not that encryption is flawed, but rather that how the access control system is configured may be flawed to the point that it provides a single point of failure for encryption architecture.
That position misses the point that encryption is part of a data protection strategy, not the entire strategy. Data encryption is part of an overall enterprise data protection policy and plan based on risk management and includes other elements such as access control, data classification and management of identification, authorization, accountability, availability, configuration and incident response.
When a database is suddenly accessed by a previously unknown remote system, shouldn’t that event be noticed and responded to? Yes.
If 80 million customer and employee records are streaming out of a database and the network, shouldn’t that be an event that is noticed and responded to? Yes.
The unfortunate truth is that many organizations have no idea what or why information is flowing from point ‘A’ to ‘B’, including its most critical information.
Network monitoring technology that can help an organization understand where information is flowing to and from, who is using what information and where they are using it. Network monitoring can help protect massive outflows of employee records, credit card transaction records is available and should be utilized.
Malicious Domains Registrations
Organizations should try to register domain names that are similar to its actual domain names in order to prevent malicious domain registrations. Including domain names that substitute characters as in the we11point.com domain.
In order to communicate with individuals whose personal, employment and medical data was disclosed as a result of this breach, Anthem set up a website at http://www.anthemfacts.com. This website contained a letter from Anthem’s CEO apologizing for the breach as well information on how to sign up for identity theft repair and credit monitoring services.
Interestingly, the domain anthemfacts.com was registered on December 14, 2014. That’s four days after Anthem claims the breach began but six weeks before Anthem claims to have detected the breach. Interesting.
Clearly, there was more that Anthem could have done to notice indicators of compromise, changes in network traffic and trends in phishing attacks. Anthem could also have employed what are considered to be best-practices including encryption, separation of duties with strong role definitions and access control.
Is Anthem alone in needing to do more to protect their information? Certainly not.
Could your organization be doing more? That’s for you to decide.