“Just like how the financial verticals evolved to the next-generation bank heists, we will soon see attackers use health care information records to support more sophisticated business models,” said Itzik Kotler, co-founder and CTO at SafeBreach.
These attacks were successful in large part because health care companies have not traditionally invested as much in security initiatives as financial institutions have. The Anthem breach, in particular, showed how far some health care companies lag on basic security best practices. Just as Target shook the retail sector out of its complacency in 2014, Anthem made the health care industry sit up and notice the very real dangers it faces.
Worse, encrypting sensitive data offered no protection. In many health care breaches, users were socially engineered out of their credentials, letting attackers bypass encryption controls with ease. It doesn’t take much, either. Attackers stole 80 million personal records from a large health care insurance company by compromising only five user accounts, Eric Tilenius, CEO of BlueTalon, said. “Every company should ask, ‘How much data would be exposed if a user account gets compromised?’ and then work to limit that exposure,” he said.
“It doesn’t matter how strong your security platform is, if employees aren’t properly trained in best security practices, it all can go out the window,” said Garry McCracken, vice president of technology at WinMagic.
Attacks as part of a long game
Perhaps the most intriguing, significant, and shocking security incident of 2015 was the attack against the U.S. Office of Personnel Management. The personal data of millions of government employees, U.S. military personnel, and government contractors who had received background checks and security clearances was stolen. In a typical data breach, the attackers target the organization because they want the information it has. In the case of OPM, the attackers didn’t want the records simply for the sake of having them, but to obtain background information on targeted individuals.
“[The OPM breach] represents human targeting at its finest, understanding that people are our biggest security risk … our weakest link in the chain,” said Renee Bradshaw, manager of solutions strategy at NetIQ, the security portfolio of Micro Focus.
The method of attack followed a formula: Target a subcontractor in a social engineering attack and steal credentials to gain access to the network. Plant malware on a system and create a backdoor. Exfiltrate data for months, undetected. The level of poor security practices at OPM “was astounding,” including lack of consistent vulnerability scanning and two-factor authentication, as well as untimely patch management, said Bradshaw.
The OPM breach also emphasized organizations' vulnerability to social engineering. Government employees and contractors are now subject to security awareness training programs to learn about the dangers of spear phishing and other social engineering threats.