Encryption Probably Wouldn’t Have Prevented the Anthem Breach

Anthem’s announcement of a breach to 80 million customer medical identity records in early February motivates an update to my After the Breach series and my 10-year U.S. breach table. The series is also morphing into a source of unconventional wisdom: we continue to see too much mis-characterization of risk in the industry. Last time we questioned advanced persistent threat (APT)-related fear, uncertainty and doubt (FUD). This time we’ll debunk some encryption-related myths. To begin, let’s look at Anthem in context.

Key: The table’s red lines indicate credit card or social security number data was lost. Orange lines variously indicate breach of encrypted financial information, non-financial personal information, passwords and related information, but not credit cards.

 What Happened?

On December 10, 2014, cyberattackers compromised a database owned by Anthem Inc., the second largest U.S. health insurer. The scope of the breach isn’t fully understood, but sources consider it likely that a majority of the 80 million records contained in the company’s Teradata warehouse were exposed.

This breach affects current and former Anthem plan members. According to Anthem, one in nine Americans have medical coverage through one of their affiliated plans. All of this data, in the wrong hands, can be sold for profit, used to conduct Medicare fraud or to accomplish complete identity theft.

How did it happen?

Building on CSO Online’s analysis, which itself pieces together the attack from various sources, I hypothesize that the attack went down more or less as shown in the figure below.

Mis-characterization of Threat Actors Causing Breaches

In my previous post I wrote about a catalogue of breaches from 2014 from Riley Walters at the Heritage Foundation. The Heritage article takes every opportunity to cite “China.” The NSA also gets into the act with the announcement that Foreign Powers Steal Data on Critical U.S. Infrastructure. 

And now, according to CSO Online: “Soon after Anthem announced the breach, several media outlets reported that China was to blame. The source of those claims were anonymous people familiar with the investigation – allegedly they worked with FireEye (Mandiant). FireEye denied these claims as soon as possible, but by the time their statement hit the media, the rumors had spread. Many of those reporting the claims have yet to retract them and update their stories.”

Gotta love FUD. Bottom line, maybe it was China and maybe not. Indications are that the “compromise credentials” and/or the “query database” steps may have been a bit more complicated than I show them in the attack graph above, but they’re still not rocket science. To find the real enemy we only need to look closer to home.

Mis-characterization of Encryption as “The Solution”

According to Bloomberg, a California woman on Thursday accused Anthem of failing to properly secure and protect its customers’ personal information. She seeks to represent all other customers who have been affected by this massive data breach.

“It appears that Anthem’s security system did not involve encrypting Social Security numbers and birth dates –- two of the most valuable pieces of information that a thief can have,” Susan Morris said in her complaint filed in federal court in Santa Ana, California.

For that quote alone, I’m inclined to hope Morris loses her case. I’ve heard this tripe, from a neighbor no less uttering the question: “Why don’t they just encrypt it all?”

 Arrrggghhh. Do what? Bulk encryption? Whole disk encryption or file encryption may help you if a backup disk of the database falls off a truck but does no good when the attacker has the admin credentials. Hello! Look up at the attack path figure, which shows it would be relatively easy to get the admin credentials.

Securosis does a good job of expressing the frustration of the cognoscenti among us, and providing some analysis of why even a more granular database encryption tool probably couldn’t have prevented the Anthem breach. 

What we Have Here…May be a Lack of Privileged User Management

Securosis wrote: “Of the most common database encryption implementations, the odds are that neither would have even been much of a speed bump to an attack like this. Once you get the right admin credentials, it’s game over.”

Am I the only one sensing a recurring theme here? Most of the breaches I learn about have been made easy by a lack of privileged user management at the victim company. The titles of the posts below should be just a bit suggestive of the problem:

• Sony Hack: Just Another Privilege Escalation?
• Lateral Movement: There’s no Patch for Privilege Escalation
• The Soft Underbelly of IT Security

What we’re saying is that most of the attacks we see don’t require a intelligence agency, just a intelligent criminal able to compromise an admin’s computer, and (if necessary) “move laterally” through the “soft underbelly” of IT systems which tend to put too much trust into weak admin credentials, or to trust admins too much. How else could someone like Snowden get so much data, even from the NSA?

Anthem did one thing right: they employed at least one database administrator with good security awareness. According to a memo quoted in the CSO Online article: “On January 27, 2015, an Anthem associate, a database administrator, discovered suspicious activity – a database query running using the associate’s logon information. He had not initiated the query and immediately stopped the query and alerted Anthem’s Information Security department. It was also discovered the logon information for additional database administrators had been compromised.”