Tag Archives: Premera

The Premera Plot – The PiggyPack version

13 April 2015

Have you recognized the temporal connection between the detection of the eBay data breach and the starting time of the Premera attack? The eBay data breach was made public at 21 May 2014, the assumed starting time of the Premera attack is 5 May 2014. Sounds interesting, doesn’t it?

eBay detected the breach, which happened in February/March 2014, with a delay of two month in early May. It can be assumed that the data circulated in hacker communities for several weeks, before eBay reported the data breach and the attackers published an excerpt on pastebin.com.

And, since millions of data sets were stolen, it is very likely, that login data of Premera employees were amongst this data.

All of this wouldn’t be so bad, if employees would not use their company usernames and passwords for login to non-company services as well. Unfortunately this is a widespread bad habit. Therefore it’s very likely that the stolen login data included valid login credentials of Premera employees. With this credentials the attackers were able to login to the Premera network.

This sounds really strange, but it is a definitely realistic scenario. Weaknesses in the system configuration, e.g. the missing minimum password age, support the attackers in staying undetected.

With this we get the following plot:

Initial Attack Vector

Vulnerabilities used

Missing password minimum age
Misuse of company login credentials
Missing Two Factor Authorization

Mitigation measures

People & Processes, short-term

Enhance the security policy by rules to prevent misuse of company login data for non-company services
Run an awareness campaign and communicate the policy changes to all users

People & Processes, mid-term

Restrict login times to prevent attackers from sign-in to the network outside an employee’s standard working hours
Enhance the security policy, define exceptions for handling of overtime and remote access to the company network from outside the standard working hours
Communicate the policy changes to all users

Technology, short-term

Enforce strong password history and minimum password age

Technology, mid-term

Implement measures to prevent users from sign-in to non-company owned services with company owned login data, if technically possible.
Implement Two Factor Authentication for remote access to company services

That’s it for today. Take care!

Premera is still stuck in my mind

9 April 2015

Every data breach tells a story. Since only the attacker has the detailed story board we are left to guesswork about the plot of the cyber-attack. But from the sometimes weeks later published really interesting news about a cyber-attack we could try to create our own rough storyboard.

The lessons learned from the plot of a cyber-attack

May show the weak points of our defense system, or
May support us in evaluation of our defense system and the residual risk we take, or
May support us in developing appropriate counter measures.

I’m in particular interested in the beginning of the story (the initial attack vector). And of course in the development after gaining access to a company’s network.

In the next weeks I like to develop a plot of the Premera cyber-attack. I would be pleased if you would join me in this journey. Suggestions and comments are highly welcome.

Here’s some food for thought. Dan Bowman writes in ‘Premera knew systems were vulnerable prior to attack’ published 19 March 2015:

‘Premera’s systems initially were breached on May 5, 2014, but were not detected until Jan. 29 of this year.’

How could attackers stay undetected for nearly nine month? Any ideas?

Have fun!

Lessons learned from the Premera cyber-attack – Always the same passwords lead to a disaster!

2 April 2015

Do you have a favorite password? Maybe something like ILovePeteSinceFeb2010? Not bad at all, easy to remember, and easy to crack.

When I build my first Windows NT 3.5 domain I had to enforce the password rules of my organization. The most annoying rule for the users was the Password History. We had to configure Windows to remember ten passwords.

We started without a Minimum Password Age (the period of time in days that a password must be used before the user can change it) and found that many users changed their password ten times within a short period to keep their favorite password.

When we introduced the minimum password age it came to a near-uprising. 20 years later, the users get accustomed to the minimum password age of one day.

It’s all the more surprising, that on some of the Premera systems a minimum password age was not enforced last year. In the Final Audit Report of the UNITED STATES OFFICE OF PERSONNEL MANAGEMENT, dated 28 November 2014, we read on page 5:

Password History Configuration

Premera has implemented a corporate password policy that is applicable to all infornation systems on the network. However, we performed automated configuration compliance scans that indicated that several systems did not limit the time between password changes.

This configuration would allow users to circumvent Premera’s password history requirement by changing their password multiple times within a short time period and then reuse their initial password.

That’s really bad. If an attacker has guessed a password, the missing minimum password age and the user’s convenience supports him to stay in the system.

As always we have to deal with people and process issues. The technology was still there, but not used to enforce the rules.

Never say die!

How to Mitigate the Risk of Cyber Attacks? The Principle of Least Privilege shows the Direction!

21 March 2015

Lysa Myers writes in ‘Premera Breach: Healthcare businesses in the crosshairs‘, published on 18 March 2015 in welivesecurity.com about ‘five things businesses should be doing to help decrease risk and mitigate damage in case of a breach.’

I find it most remarkable that one of her recommendations is to enforce the Principle of Least Privilege in daily business. In my opinion this is the right step in the right direction.

Enforce the principle of least privilege across the entire IT infrastructure and application stack and you will gain back control.

For example, access to the company network should be granted only to those people who need this to do their job. In addition, access should only be possible during standard working hours, and, in the best case, from a single computer at a time.

This will prevent attackers from accessing the company network outside the working hours and from using an account during working hours from another computer.

From this example it becomes clear that to enforce the Principle of Least Privilege changes have to be applied to all sides (People, Processes and Technology) of the Golden Triangle of IT security.

In addition, the principle of Separation of Duties should be enforced for access to business critical information. In any case, access to critical information should be approved by the information owner. In the best case, access should only be possible if the information owner and the employee are logged in at the same time in the application system.

Enjoy Lysa’s post, and have a good weekend.

Premera hacked – 11 million financial and medical records stolen

19 March 2014

When news about the Premera hack showed up in my mailbox this afternoon I was really amazed. The second time for this year a health insurance company was hit.

On skim reading the news about the Premera attack I wondered, when the magic word encryption would appear the first time. Finally I found this statement in Warwick Ashford’s post ‘Premera hack exposes 11 million financial and medical records’. Richard Blech, chief executive of security firm Secure Channels, said:

“With advanced and unhackable encryption, the hacker is left with a bunch of useless bits and bytes.”

Richard Blech talks about encryption at the application level. Application level encryption is not as useless as database level transparent encryption in the defense against attackers.

But even application level encryption is almost useless in the case of malicious insiders because, apart from the fact that they use stolen login data, they sign in to the company just like a normal employee. Therefore they are able to access even data which are encrypted on the application level, because they are authorized to do this.

In my opinion, to use advanced encryption as the core process of a protection strategy is as irresponsible as to use no encryption at all. Strict Identity and Access Management, combined with Two Factor Authorization for all employees, and regular security trainings create the first and second line of defense. Encryption is the last line of defense.

Take care!

IT Security Matters

Klaus Jochem

Tag Archives: Premera

Premera is still stuck in my mind

Lessons learned from the Premera cyber-attack – Always the same passwords lead to a disaster!

How to Mitigate the Risk of Cyber Attacks? The Principle of Least Privilege shows the Direction!

Premera hacked – 11 million financial and medical records stolen

Initial Attack Vector

Vulnerabilities used

Mitigation measures

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this: