Preventing Another Anthem Hack – Privileged User Management
The Anthem hack exposed 80 million health records. Hindsight is always 20/20 and there will be plenty of woulda, shoulda, coulda finger pointing back at Anthem on what they could have done to prevent this but it’s not going to change the fact that it happened. That doesn’t mean that everyone else can’t analyze this situation and look inward to see what can be done to prevent it where you are at today.
News about how the hack was pulled off has been limited, but what has been released is that it was like most other hacks of late: legitimate, high-level accounts were compromised and used in malicious ways. These hacks, whether it’s Anthem, Target, Morgan-Chase, etc…, weren’t pulled off by frontal assaults on the network perimeter but rather were socially engineered and carried out using real, legitimate ‘God’ accounts with all the access the hackers needed. In my opinion this is inexcusable; it’s ridiculous, lazy and can be controlled very easily, but only if you have the proper internal support to implement the controls.
You may not be able to 100% prevent an action of this sophistication, but with the right tools and the management discipline to follow a process you can make it far more difficult and complex to pull off.
SAN FRANCISCO (AP) — The hackers who stole millions of health insurance records from Anthem Inc. obtained the credentials of five different employees to try to penetrate the network, and may have been inside the system since December, the company says.
Hackers stole names, social security numbers and other information for up to 80 million Anthem customers. The company has said one of its computer administrators discovered on Jan. 27 that an outsider was using his security credentials to log in to Anthem’s system. Investigators now believe the hackers somehow obtained credentials of five different tech workers, possibly through email phishing attempts.
Anthem spokeswoman Kristin Binns said Friday that an attempt on the network was made Dec. 10 that had the same hallmark as the breach discovered last week, but the network’s security deflected that attempt. Binns says the data was stolen sometime after that.
When I read this article, if accurate, two sentences caught my eye. I highlighted those in red. The first shocking aspect was that it was the administrators looking through logs who noticed their own accounts were active when they were not online. That points to a SIEM improvement. The second was that five other people’s accounts were obtained through phishing attempts. Lots to go over in those two sentences. Let’s start with the second part first: five tech workers’ accounts were phished. I would like to see the phishing attempts that tricked five ‘tech workers’ into giving up their credentials. Second, what accounts were used in this phishing attempt and what access did they have such that 80 million records were stolen? Anthem trusted their employees. This was their downfall. I can say that I do not have all the details of this hack, but I do have 20+ years of experience and I can say confidently that they hired smart people and trusted them. I am sure the owners of the accounts used in the hack had all the best intentions, were devoted to the company and were not involved in anything fraudulent. They were given the keys to the kingdom and made a mistake that opened the flood gates. How do you mitigate this? The answer is simple; the implementation and governance is very, very complex, political and complicated… if you let it be.
Administrators are also known as Privileged Users: roles within the company that have elevated access to perform their duties and keep the business functional, but that access also reaches all the critical data and systems. Most of the time the administrators have far more access than they need, under the illusion that’s what’s needed to perform their jobs, mainly because it’s the easiest method. Five people in a pool of thousands is easy to manage, right? One mistake from one of them can bring you to your knees. Why do companies trust so much? It’s not that the majority of the employees are devious; rather, 100% of the employees are human. Humans make mistakes, and regularly at the most inopportune time. Anthem appears to be the latter.
An effective Privileged User Management solution in house would have reduced the possibility of the Anthem hack to near zero if it was in place and used properly.
A privileged user management system would be your vault for all the high-access or ‘God’ accounts that have all the keys and access to the kingdom. Store them away and only use them when they are needed. Allowing people to have those full, super-high privileged accounts 24/7 may make their jobs easier, but those accounts are also ripe for the picking to be used improperly. Using a privileged user management system like CyberArk would make it very difficult to use those accounts without anyone knowing about it.
Having to check out an account to perform a high-level administrative task, under the umbrella of a change ticket, would alert the business any time that account was touched. CyberArk would then manage the password, changing it automatically (daily, if you want) so that no user ever sees the password and therefore cannot be phished out of it. Simple blocks and extra procedural steps may add internal steps to do the job, but they would reduce the risk of the keys to the world getting into the wrong hands.
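To make the vault-and-checkout model above concrete, here is a toy privileged-account vault written as an added example for this post; it is not CyberArk’s code or any product’s API. It models the controls the two paragraphs describe (checkout gated on an approved change ticket, an audit event every time the account is touched, a session handle instead of the password so no human ever sees it, automatic rotation on check-in and daily) and the detection the earlier paragraph hints at: a logon by a vaulted account that is not backed by an open checkout is exactly the "my account is active while I am not online" condition the Anthem administrator noticed in the logs. The account name, change-ticket numbers, hosts and timestamps are constructed for the demo.

```python
"""Toy privileged-account vault: checkout, rotation, and unvaulted-logon detection.
Added illustration for this post; not CyberArk code. All data below is constructed."""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ROTATE_AFTER = timedelta(days=1)  # vaulted passwords are rotated at least daily


@dataclass
class PrivilegedAccount:
    name: str
    password: str            # only the vault ever holds this value
    last_rotated: datetime
    checked_out_by: Optional[str] = None
    ticket: Optional[str] = None


def new_password(length: int = 32) -> str:
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class Vault:
    """Holds the 'God' accounts; hands out session handles, never passwords."""

    def __init__(self, approved_tickets: set):
        self.accounts = {}
        self.approved_tickets = approved_tickets   # change tickets the business approved
        self.audit = []                            # (event, when, account, user, ticket)

    def add_account(self, name: str, now: datetime) -> None:
        self.accounts[name] = PrivilegedAccount(name, new_password(), now)

    def checkout(self, name: str, user: str, ticket: str, now: datetime) -> Optional[str]:
        """Require an approved change ticket; refuse if the account is already out."""
        acct = self.accounts[name]
        if ticket not in self.approved_tickets or acct.checked_out_by is not None:
            self.audit.append(("DENIED", now, name, user, ticket))   # every touch is logged
            return None
        acct.checked_out_by, acct.ticket = user, ticket
        self.audit.append(("CHECKOUT", now, name, user, ticket))
        return secrets.token_hex(16)   # opaque session handle; the password stays in the vault

    def checkin(self, name: str, now: datetime) -> None:
        acct = self.accounts[name]
        self.audit.append(("CHECKIN", now, name, acct.checked_out_by, acct.ticket))
        acct.checked_out_by = acct.ticket = None
        self.rotate(name, now)   # whatever was used during the session is now worthless

    def rotate(self, name: str, now: datetime) -> None:
        acct = self.accounts[name]
        acct.password = new_password()
        acct.last_rotated = now
        self.audit.append(("ROTATE", now, name, None, None))

    def rotate_due(self, now: datetime) -> list:
        """Scheduled job: rotate every idle account older than ROTATE_AFTER."""
        rotated = []
        for acct in self.accounts.values():
            if acct.checked_out_by is None and now - acct.last_rotated >= ROTATE_AFTER:
                self.rotate(acct.name, now)
                rotated.append(acct.name)
        return rotated

    def is_checked_out(self, name: str, at: datetime) -> bool:
        """True if a CHECKOUT for `name` precedes `at` with no CHECKIN in between."""
        state = False
        for event, when, acct, _user, _ticket in self.audit:   # audit is chronological
            if acct != name or when > at:
                continue
            if event == "CHECKOUT":
                state = True
            elif event == "CHECKIN":
                state = False
        return state


def unvaulted_logons(vault: Vault, logons: list) -> list:
    """SIEM-style rule: logon by a vaulted account with no matching checkout => alert.
    logons: list of (timestamp, account, source_host) tuples."""
    return [l for l in logons
            if l[1] in vault.accounts and not vault.is_checked_out(l[1], l[0])]


def demo() -> dict:
    """Constructed scenario: one vaulted account, one approved change ticket."""
    t0 = datetime(2015, 1, 26, 9, 0)
    vault = Vault(approved_tickets={"CHG-0001"})
    vault.add_account("db_admin", t0)
    original = vault.accounts["db_admin"].password
    denied = vault.checkout("db_admin", "alice", "CHG-9999", t0)               # no approval
    session = vault.checkout("db_admin", "alice", "CHG-0001", t0 + timedelta(hours=1))
    vault.checkin("db_admin", t0 + timedelta(hours=2))                          # rotates
    rotated_daily = vault.rotate_due(t0 + timedelta(days=1, hours=3))           # daily job
    logons = [  # constructed logon events (timestamp, account, source host)
        (t0 + timedelta(hours=1, minutes=30), "db_admin", "jumpbox01"),  # inside checkout
        (t0 + timedelta(hours=23), "db_admin", "unknown-host"),          # no checkout: alert
        (t0 + timedelta(hours=23), "alice", "laptop"),                   # not a vaulted account
    ]
    return {
        "denied": denied,
        "session_is_password": session == original,
        "password_rotated": vault.accounts["db_admin"].password != original,
        "rotated_daily": rotated_daily,
        "alerts": unvaulted_logons(vault, logons),
        "audit_events": [e[0] for e in vault.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two pieces reinforce each other: the checkout audit trail is what makes the logon rule possible, because "this account is in use" is only an anomaly once the vault is the single legitimate path to it. In a real deployment the approved-ticket set would come from the change-management system and the logon feed from the SIEM, but the decision logic is the same.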
Like all security systems and processes it comes down to the willingness of management to support their implementation or succumb to the complaints of administrators to make their lives as easy as possible.
End of Line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.