Monday, February 23, 2015

Was the Anthem Data Breach "Sophisticated"?

Anthem CEO Joseph R. Swedish apologized to Anthem members immediately after the December 2014 data breach was made public, saying "Anthem was the target of a very sophisticated external cyber attack." Swedish continued, in what may become a model for such apologies:
Anthem’s own associates’ personal information – including my own – was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.

It's a nice trick to have the CEO of a major healthcare payer -- a man whose total compensation package for fiscal 2013 was $16,979,927 -- come across as one of us, just another victim of cybercrime.

But was the Anthem hack really a sophisticated attack?

Dan Munro at Forbes quotes security analyst Ken Westin:

Because it was clearly pre-meditated and because the attackers spent time identifying the vulnerabilities, it definitely qualifies as well executed, but once the initial intrusion was successful, they didn’t have too far to look. By gaining admin credentials to the database there was nothing ‒ including encryption ‒ to stop the attack. The only thing that did stop it was a lucky administrator who happened to be paying attention at the right time.

There is some speculation that the initial breach at Anthem occurred much earlier than the December 2014 public announcement, perhaps as early as April 2014, and that it was a result of the Heartbleed Bug.

Munro also discusses the earlier CHS and Sony hacks, noting that they too were described as sophisticated or "unprecedented" attacks, and that numerous security analysts had thrown cold water on those descriptions. Let's face it: no board of directors is going to say that they were victims of an attack that a five-year-old could have perpetrated. The PR front likely bears little resemblance to what is going on behind closed doors, where damage is being assessed, and governance, risk management and compliance are being reassessed.

There are always the nagging questions: What should you have known? When should you have known it? Did you exercise due diligence?

I once heard an auditor defined as the person who walks onto a battlefield after the battle is over and bayonets the wounded. I'm not sure that's an apt description of an auditor, but it's a pretty good description of the audited.
