Rich Data, Poor Security Link Hacks at OPM, Anthem
What does the Office of Personnel Management have in common with healthcare firms like Anthem and Premera? More than you think.
At first glance, there are few similarities between the Office of Personnel Management and the healthcare giant Anthem Inc. The former is a 6,000-person independent government agency that is – in essence – the human resources department for the federal government. Anthem (formerly WellPoint, Inc.) is a for-profit, managed health care giant – the largest member of the Blue Cross and Blue Shield Association, with an estimated 50,000 employees and a market capitalization of $43 billion.
From the perspective of a cyber criminal or nation-state sponsored hacker standing on the outside, however, both OPM and Anthem look very, very similar. Both are complex organizations with a history of spotty information security practices that sit on top of a mother lode of sensitive and salable data.
There should be no surprise, then, that the names of the two organizations are now being linked in continuing reports about the origin of a massive breach at OPM – first disclosed last week – in which information on more than 4 million current and former federal employees appears to have been exposed to unidentified intruders.
First the evidence (such as it is): according to a report over the weekend in The New York Times, unnamed security experts who have analyzed the OPM breach believe it is the work of the same hacking group that carried out attacks against Anthem, as well as the health maintenance organization Premera, in recent months. Citing forensic evidence, the experts quoted by the Times said the attackers were “not part of the People’s Liberation Army,” but were instead a privately contracted hacking crew that may – or may not – have links to the PLA.
As for the “why” of the hacks, you can look to the quantity and types of data harbored by all three firms. Hardly the sexiest target in the D.C. Beltway, OPM was an ideal target for malicious hackers motivated by either profit or politics. The agency has hooks into hundreds of sensitive personnel files at agencies across the government. Besides that, OPM is responsible for conducting and maintaining security clearances. The files it builds on millions of U.S. government employees and contractors – from health information to family relations to sensitive background information – are a gold mine for a foreign adversary looking to carry out online or real world identity theft attacks, espionage or even extortion.
That’s not so different from the data taken from Anthem or Premera, which included personally identifiable information on patients and family members including names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information.
In the case of Premera, health data including information on medications and diagnoses was also compromised. In all three hacks, the assumption of experts is that the stolen data was not destined for follow-on “smash and grab” attacks, but for long-term, stealthy compromises, perhaps beginning with phishing attacks or account takeovers. In all likelihood, those attacks are already taking place. As the recent spate of phony tax returns filed at the IRS indicates, would-be cyber criminals already have access to enough data to convincingly pose as individual taxpayers in search of a refund.
Simply storing lots of data wasn’t the only thing that put OPM, Anthem and Premera in the crosshairs of sophisticated cyber criminals, however. The organizations were also laggards when it came to defending their networks and data.
As this blog has noted before, Anthem’s problems were both serious and long-lived. Ironically, it was OPM auditors who, in a September 2013 report, identified a number of concerns with Anthem’s IT practices, from porous vulnerability scans that failed to include desktop systems to a loose configuration management program. At the time, Anthem shrugged off the reports, arguing that its current processes were adequate.
At the same time as it was castigating Anthem (and others) for their loose IT practices, however, OPM was struggling mightily with its own. A string of reports from the agency’s Inspector General warned of glaring and “material weakness related to information security governance.” This audit for fiscal year 2014 (PDF format), for example, notes that “eleven major OPM information systems are operating without a valid authorization,” representing “a material weakness in the internal control structure of OPM's IT security program.” The agency, furthermore, had not created an inventory of critical IT systems or configuration baselines for those systems. Nor did OPM have a “mature vulnerability scanning program” – some of the same criticisms OPM had leveled at Anthem and other health insurers.
Would the presence of mature information security and information management processes at these organizations have prevented them from being attacked? Probably not. But the absence of mature and robust IT security functions like configuration management, intrusion detection, vulnerability scanning and user authentication almost certainly made it easier for attackers to gain and keep access to the most sensitive assets within these organizations and, then, to move data off their networks and into the cyber underground.
The lesson for any organization that’s in the business of collecting and storing sensitive data on its customers is clear: cyber criminals are moving beyond credit card numbers and “smash and grab.” The data harbored on your network makes you a target. The more data and the greater the diversity of that data, the bigger that target is. While there’s little that you can do to keep yourself from being targeted, there’s lots you can do to shorten the length of time that those attackers operate unimpeded from months and days down to hours or even minutes. Mature information security practices like identity management and user “least privilege” can limit attackers’ ability to move laterally on your network. Vulnerability scanning, configuration and patch management can remove easy targets for compromise. Endpoint monitoring and protection can detect attacks on individual users and systems, while data leak prevention can act as a last line of defense: spotting and blocking attempts to transfer sensitive data off your network.
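The audit findings above (systems operating without a valid authorization, no inventory of critical systems, no configuration baselines) and the configuration-management practice recommended here can be turned into a concrete, repeatable check. The script below is an added example written for this post; it is not code from The Security Ledger, OPM, Anthem or Premera. The inventory, the baseline, the observed-host list and the field names (hostname, role, authorized_until, settings) are constructed assumptions; a real deployment would feed it from an asset database and a configuration scanner.

```python
"""Configuration-baseline and inventory compliance check (added example).

Models three of the audit findings cited in the post as checks a defender
can run on a schedule:
  * a system has no configuration baseline for its role,
  * a system deviates from the baseline or fails to report a setting,
  * a system is operating with no, or an expired, authorization,
plus a fourth: hosts seen on the network that are absent from the inventory.
All data below is constructed sample data; field names are assumptions.
"""
from datetime import date

# Constructed baseline: the settings every system of a given role must have.
BASELINE = {
    "web": {"tls_min_version": "1.2", "patch_level": "2014-09", "local_admin_accounts": 1},
    "db": {"patch_level": "2014-09", "remote_admin": "disabled", "encryption_at_rest": "enabled"},
}

# Constructed inventory, as an asset database plus a config scanner might report it.
INVENTORY = [
    {"hostname": "web01", "role": "web", "authorized_until": "2015-12-31",
     "settings": {"tls_min_version": "1.2", "patch_level": "2014-09", "local_admin_accounts": 1}},
    {"hostname": "web02", "role": "web", "authorized_until": "2014-06-30",
     "settings": {"tls_min_version": "1.0", "patch_level": "2014-03", "local_admin_accounts": 4}},
    {"hostname": "db01", "role": "db", "authorized_until": None,
     "settings": {"patch_level": "2014-09", "remote_admin": "enabled", "encryption_at_rest": "enabled"}},
    {"hostname": "legacy07", "role": "unknown", "authorized_until": "2016-01-01", "settings": {}},
]

# Constructed list of hosts observed on the network (e.g. from DHCP leases or a sweep).
OBSERVED_HOSTS = {"web01", "web02", "db01", "legacy07", "shadow-it-03"}


def check_system(system, baseline, today):
    """Return a list of human-readable findings for one inventory record."""
    findings = []
    role = system["role"]
    if role not in baseline:
        # No baseline means drift cannot even be measured for this system.
        findings.append(f"no configuration baseline exists for role '{role}'")
    else:
        for key, expected in baseline[role].items():
            actual = system["settings"].get(key)
            if actual is None:
                findings.append(f"{key}: not reported (expected {expected!r})")
            elif actual != expected:
                findings.append(f"{key}: {actual!r} deviates from baseline {expected!r}")
    auth = system["authorized_until"]
    if auth is None:
        findings.append("operating without a valid authorization")
    elif date.fromisoformat(auth) < today:
        findings.append(f"authorization expired on {auth}")
    return findings


def audit(inventory, baseline, today):
    """Map each hostname to its findings; an empty list means compliant."""
    return {s["hostname"]: check_system(s, baseline, today) for s in inventory}


def unregistered_hosts(observed, inventory):
    """Hosts seen on the network but missing from the inventory."""
    known = {s["hostname"] for s in inventory}
    return sorted(observed - known)


def summarize(results, unregistered):
    """Counts that map onto the audit language used in the post."""
    return {
        "systems_checked": len(results),
        "systems_off_baseline": sum(1 for f in results.values() if f),
        "systems_without_authorization": sum(
            1 for f in results.values() if any("authorization" in x for x in f)),
        "unregistered_hosts": len(unregistered),
    }


if __name__ == "__main__":
    today = date(2015, 6, 15)  # constructed reference date
    results = audit(INVENTORY, BASELINE, today)
    missing = unregistered_hosts(OBSERVED_HOSTS, INVENTORY)
    for host, findings in results.items():
        print(f"{host}: {'OK' if not findings else '; '.join(findings)}")
    print("not in inventory:", ", ".join(missing) or "none")
    print(summarize(results, missing))
```

Run on the constructed data, web01 comes back clean, web02 is flagged for three baseline deviations and an expired authorization, db01 for a deviation and a missing authorization, legacy07 for having no baseline at all, and shadow-it-03 as a host nobody registered. The point of the design is that each of the post's audit findings becomes a query that can run daily rather than a statement in an annual report.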
Paul F. Roberts is the Editor in Chief of The Security Ledger.