Showing posts with label data breach. Show all posts

Monday, February 23, 2015

Was the Anthem Data Breach "Sophisticated"?

Anthem CEO Joseph R. Swedish apologized to Anthem members immediately after the December 2014 data breach was made public, saying "Anthem was the target of a very sophisticated external cyber attack." Swedish continued, in what may become a model for such apologies:
Anthem’s own associates’ personal information – including my own – was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.

It's a nice trick to have the CEO of a major healthcare payer -- a man whose total compensation package for fiscal 2013 was $16,979,927 -- come across as one of us, just another victim of cybercrime.

But was the Anthem hack really a sophisticated attack?

Dan Munro at Forbes quotes security analyst Ken Westin:

Because it was clearly pre-meditated and because the attackers spent time identifying the vulnerabilities, it definitely qualifies as well executed, but once the initial intrusion was successful, they didn’t have too far to look. By gaining admin credentials to the database there was nothing ‒ including encryption ‒ to stop the attack. The only thing that did stop it was a lucky administrator who happened to be paying attention at the right time.

There is some speculation that the initial breach at Anthem occurred much earlier than the December 2014 public announcement, perhaps as early as April 2014, and that it was a result of the Heartbleed Bug.

Munro also discusses the earlier CHS and Sony hacks, noting that they too were described as sophisticated or "unprecedented" attacks, and that numerous security analysts had thrown cold water on those descriptions. Let's face it: no board of directors is going to say that they were victims of an attack that a five-year-old could have perpetrated. The PR front likely bears little resemblance to what is going on behind closed doors, where damage is being assessed, and governance, risk management and compliance are being reassessed.

There are always the nagging questions: What should you have known? When should you have known it? Did you exercise due diligence?


I once heard an auditor defined as the person who walks onto a battlefield after the battle is over and bayonets the wounded. I'm not sure that's an apt description of an auditor, but it's a pretty good description of the audited. 

Monday, August 11, 2014

Security Blogging - A Stitch in Time…

For information on using APOS solutions to help you bolster and manage security, visit our more recent series of security posts.

By Rick Epstein

Have you ever heard someone rationalize an important decision with a folksy saying? It may make one seem wise at the time, but you should be aware that, for every such "wise" saying, there is generally an equally wise and opposite saying. For example, "look before you leap," but "he who hesitates is lost."

If your rationale for not reconsidering your SAP BusinessObjects security model is "If it ain't broke, don't fix it," then my reply to you is that "A stitch in time saves nine." You won't know whether it's broken until you look.

There are, of course, other sorts of objections to taking action that I hear over and over again from normally risk-averse people who don't want to address necessary changes to their SAP BusinessObjects security model.

Here are the top five:

We don't have any data that needs to be secured.
Great. Just publish it all on the Internet. No? Every company has private data that they don't want to share with competitors and/or the public. The only difference is the degree to which a breach will hurt. What is your pain threshold?

We don't have time right now.
What will it take to get your attention? Delaying the discussion of your SAP BusinessObjects security model will almost inevitably lead to an unanticipated security breach. Implementing a well designed security model is an investment. Prioritize and make the time.

We don't have money in the budget.
Budgets are expressions of priorities. If you don't have money in the budget, then you need to re-examine your priorities. The potential cost to your company -- in terms of both money and reputation -- in the event private information is viewed by an unauthorized person or persons far exceeds what it would cost you to analyze and reengineer your SAP BusinessObjects security model.

Why should we change? Our security model works fine.
If it seems as though the pain of change is too much to bear, ask yourself how you will feel about the pain of regret. It is quite likely that there are unknown security holes in your security model. Designing and implementing a security model using a true top-down methodology is the only way to ensure that there are no such holes.

We don't have resources who know enough…
…about SAP BusinessObjects security to instantiate a true top-down security model. Then I guess today is your lucky day. Please reach out to me at repstein@resolvitinc.com. I would be glad to provide some tips and tricks and answer some questions in a 1-hour free consultation.