By Roy, on May 4th, 2016

Quoted from the official Anthem message to their customers:

 

“To Members:

 

On January 29, 2015, Anthem, Inc. (Anthem) discovered that cyber attackers executed a sophisticated attack to gain unauthorized access to Anthem’s IT system and obtained personal information relating to consumers who were or are currently covered by Anthem or other independent Blue Cross and Blue Shield plans that work with Anthem. Anthem believes that this suspicious activity may have occurred over the course of several weeks beginning in early December, 2014.

 

As soon as we discovered the attack, we immediately began working to close the security vulnerability and contacted the FBI. We have been fully cooperating with the FBI’s investigation. Anthem has also retained Mandiant, one of the world’s leading cybersecurity firms, to assist us in our investigation and to strengthen the security of our systems.

 

Information Accessed

 

The information accessed may have included names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, employment information, including income data. We have no reason to believe credit card or banking information was compromised, nor is there evidence at this time that medical information such as claims, test results, or diagnostic codes, was targeted or obtained. “

 

It is widely known now from press releases and Anthem announcements that the attackers who targeted and stole more than 80 million customer records from Anthem Inc, were able to gain the credentials of at least five different employees. At least one admin account was compromised, as the admin himself noticed his credentials were used to query the Anthem data warehouse.

 

 

Getting the Admin credentials might be made by the following course:

 

1. finding database admins email address in social networks.

2. Sending a Phishing e mail with attached malware that will bypass antivirus mechanisms.

3. Log in with the Admin credentials, if there were any- disable the data encryption for the data warehouse.

4. by pass DLP systems due to the admin credentials.

 

Assuming that was the well planned and sophisticated attack, the wick link here is that there was only one authentication mechanism and after login as admin the attacker is unstoppable. In this case the vullnerability is not caused by lack of encryption (even if the data is encrypted a user with admin credentials can decrypt the data) but by lack of hardening rules and access control procedures. The  vulnerability here is not in the software, hardware  but in the configuration of the OS and application.

 

The only way to eliminate this kind of sophisticated attacks is:

1. Create and enforce a strict hardening policy.

2. Implement access control procedures in the network, which means make sure only the rught people at the right time got access the certain data.

 

in today’s cyber threat landscape it is crucial to manage a proactive approach, gone are the days of admin monitoring, today’s reality requires real time prevention of suspicious admin/attackers activity in the network.

To implement the required hardening and access control approach a strong collaboration of system and security teams is required. CalCom’s CHS can help you easily fulfill the required approach by implementing the three step process for hassle free server hardening and access control.