In light of the recent Anthem intrusion, which comes close on the heels of Sony's, perhaps it is time, as is said after every latest and greatest breach, to look once more at our respective security postures.
But first, let's look at a couple of things about the Anthem announcement that struck me as remarkable. At least for the time being, and contrary to what we might have expected, Anthem is reporting that health records and payment information were not compromised. Instead, they lost personally identifiable information (PII). The question running through my jaded mind is: is that all?
Granted, losing PII is bad enough. In fact, it is terrible. Customers rightfully expect their data to be protected, and losing enough information to make identity takeover possible is no trivial matter. But how much worse could it have been? Of course, there could be four tons of iceberg underneath the hundred-pound block of ice, and Anthem may have lost more data than currently reported. But it appears that some of Anthem's day-to-day security procedures worked and limited the damage. A responding security firm says it has not seen any evidence of continued malicious access at Anthem, which is remarkable.
So, while it is early, Anthem's breach does not appear to be a blockbuster when compared with the amount and types of data lost in other breaches, such as Sony's. If this turns out to be the case, what makes it less of a blockbuster?
Well, let's look at a couple of nuggets of information available to the discerning reader. Anthem apparently announced the breach very shortly after discovering it. As others may have noted, it is unusual for a breach victim to announce an incident publicly before investigating fully. Typically we read of a third party, frequently law enforcement, notifying a victim that it has been compromised. Anthem, by contrast, reportedly detected unusual database access activity itself, and that detection led to the discovery of the breach. Anthem and outside security firms then took immediate steps to stop the unauthorized access, which is why there were no indications that the attacker or attackers were still exploiting the targeted data at the time of reporting.
So a couple of these facts got me thinking about minimization: specifically, minimizing the bad things perpetrated by bad people. The now ubiquitous statement attributed to FBI Director Mueller resonates as we read again and again about breach victims: "there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again."
Experience tells us that Director Mueller was spot on. Yet I get the impression that a lot of folks discount it. They think "it won't happen to me" or, foolishly, "it can't happen to me." So do we just give up and resign ourselves to the inevitable? Of course not. We focus on controlling our own risk by identifying, managing and minimizing our risk factors as much as possible.
As we read and anticipate updates to the Anthem incident, we should take a look at our own security plans and processes. At the same time, we should determine whether our risk has changed since the last time it was evaluated. Critical questions we need to ask ourselves include:
- What data is important to the business, to the customers, to employees?
- Given the importance of that data, are the systems that hold it and the procedures for accessing it sound enough to protect it reasonably?
- Does a particular server housing particular data really need to be exposed to the Internet?
- Does a particular data source really need to be accessible to administrator-level users connecting from the other side of the world?
- If so, is there a smarter way to allow that access?
- Have we used VPNs and multi-factor authentication where appropriate?
- Have we restricted the number of privileged database users, and do we know who they are?
- If bad people start doing bad things in our environment, regardless of where they come from, can we see them doing so?
- Do we have suitable visibility around the data that matters most to the business and its stakeholders, so that unusual access to it stands out?
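One way to put the last two questions into practice, as an added example that is not from the original post or from Anthem: a small Python script that reads database audit records and flags a query when the rows returned far exceed that account's prior median, when the source address is outside the networks administrators normally connect from, or when a privileged account connects off-hours. The log format, the trusted network range, the privileged account list and the thresholds are all assumptions made for this example, and the log lines are constructed.

```python
"""Flag unusual database access in an audit log.

Added example with constructed data; the record format below is hypothetical
and real database audit logs will differ.  Each line is:
    timestamp  user  source_ip  table  rows_returned
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Assumptions chosen for this example (tune these to your own environment):
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16")]  # where apps and admins normally connect from
PRIVILEGED_USERS = {"dba_jsmith"}                # accounts able to read whole tables
VOLUME_FACTOR = 10        # rows returned > 10x the account's prior median is unusual
MIN_HISTORY = 2           # need this many earlier queries before judging volume
WORK_HOURS = range(7, 19) # privileged access outside 07:00-18:59 is unusual

# Constructed sample log: routine application and DBA activity, then two
# bulk reads by the DBA account at 2 a.m. from an address outside the company.
SAMPLE_LOG = """\
2015-01-12T09:14:05 app_svc 10.20.1.15 members 240
2015-01-12T10:02:41 app_svc 10.20.1.15 members 310
2015-01-13T11:30:12 app_svc 10.20.1.16 members 275
2015-01-13T14:45:00 dba_jsmith 10.20.5.7 members 50
2015-01-14T09:05:33 dba_jsmith 10.20.5.7 members 42
2015-01-14T16:20:10 app_svc 10.20.1.15 members 295
2015-01-27T02:17:48 dba_jsmith 203.0.113.44 members 8500000
2015-01-27T02:31:02 dba_jsmith 203.0.113.44 members 9100000
"""


def parse(log_text):
    """Turn the whitespace-separated records into dicts with typed fields."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, table, rows = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "ip": ip_address(ip), "table": table, "rows": int(rows)})
    return records


def detect(log_text):
    """Return one alert per record that trips at least one check.

    Records are processed in time order, and each account's baseline is the
    median row count of its own earlier queries, so a sudden bulk read stands
    out against what that account normally does rather than against a global
    threshold.
    """
    history = defaultdict(list)  # user -> rows returned by earlier queries
    alerts = []
    for rec in sorted(parse(log_text), key=lambda r: r["ts"]):
        reasons = []
        prior = history[rec["user"]]
        if len(prior) >= MIN_HISTORY:
            baseline = median(prior)
            if rec["rows"] > VOLUME_FACTOR * max(baseline, 1):
                reasons.append(f"rows {rec['rows']} exceeds {VOLUME_FACTOR}x baseline {baseline:.0f}")
        if not any(rec["ip"] in net for net in TRUSTED_NETWORKS):
            reasons.append(f"source {rec['ip']} outside trusted networks")
        if rec["user"] in PRIVILEGED_USERS and rec["ts"].hour not in WORK_HOURS:
            reasons.append(f"privileged access at {rec['ts'].strftime('%H:%M')}")
        if reasons:
            alerts.append({"ts": rec["ts"].isoformat(), "user": rec["user"],
                           "table": rec["table"], "reasons": reasons})
        prior.append(rec["rows"])  # the record joins the baseline only after being judged
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["ts"], alert["user"], alert["table"], "; ".join(alert["reasons"]))
```

On the sample data only the two 2 a.m. bulk reads are flagged, and each trips all three checks at once. Any one of them on its own is worth a look; all three together on the table that holds customer records is the kind of signal that should page someone, and it is exactly the sort of "unusual database access" that, by Anthem's account, is what surfaced their intrusion. The checks are deliberately simple heuristics, not a substitute for the database's own audit facility or for restricting who can run such queries in the first place.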
Maybe, just maybe, if we ask and answer questions like these about our security, and then act on the answers, we can do what no publicity hound or entertainment professional would aim for: skip the blockbuster premiere, and the sequel, and go straight to DVD.