Tag Archives: Premera

Premera is still stuck in my mind

9 April 2015

Every data breach tells a story. Since only the attacker has the detailed storyboard, we are left to guess at the plot of the cyber-attack. But from the really interesting news that is published, sometimes weeks later, we can try to create our own rough storyboard.

The lessons learned from the plot of a cyber-attack

  • May show the weak points of our defense system, or
  • May support us in evaluation of our defense system and the residual risk we take, or
  • May support us in developing appropriate counter measures.

I’m particularly interested in the beginning of the story (the initial attack vector), and of course in what happens after the attacker has gained access to a company’s network.

In the next weeks I would like to develop a plot of the Premera cyber-attack. I would be pleased if you would join me on this journey. Suggestions and comments are highly welcome.

Here’s some food for thought. Dan Bowman writes in ‘Premera knew systems were vulnerable prior to attack’ published 19 March 2015:

Premera’s systems initially were breached on May 5, 2014, but were not detected until Jan. 29 of this year.

How could attackers stay undetected for nearly nine months? Any ideas?

Have fun!

Lessons learned from the Premera cyber-attack – Always the same passwords lead to a disaster!

2 April 2015

Do you have a favorite password? Maybe something like ILovePeteSinceFeb2010? Not bad at all, easy to remember, and easy to crack.

When I built my first Windows NT 3.5 domain I had to enforce the password rules of my organization. The most annoying rule for the users was the Password History: we had to configure Windows to remember the last ten passwords.

We started without a Minimum Password Age (the period of time in days that a password must be used before the user can change it) and found that many users changed their password ten times within a short period to keep their favorite password.

When we introduced the minimum password age it came to a near-uprising. Twenty years later, users have grown accustomed to a minimum password age of one day.

It’s all the more surprising that on some of the Premera systems a minimum password age was not enforced last year. In the Final Audit Report of the United States Office of Personnel Management, dated 28 November 2014, we read on page 5:

Password History Configuration

Premera has implemented a corporate password policy that is applicable to all information systems on the network. However, we performed automated configuration compliance scans that indicated that several systems did not limit the time between password changes.

This configuration would allow users to circumvent Premera’s password history requirement by changing their password multiple times within a short time period and then reuse their initial password.

That’s really bad. If an attacker has guessed a password, the missing minimum password age, combined with the user’s convenience, helps him stay in the system: the user cycles back to the favorite password, so the guessed password remains valid.

As always, we have to deal with people and process issues. The technology was there all along, but it was not used to enforce the rules.
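To make the audit finding concrete, here is an added example (my own illustration, not code from the OPM report or from Premera) that models the two Windows settings in play, Password History and Minimum Password Age, and simulates a user who burns through throwaway passwords to get a favourite back. The account, timestamps and the scan results at the end are constructed; the policy logic mirrors how a domain controller applies the two rules.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class PasswordPolicy:
    """The two Windows account policy settings discussed in the post."""
    history_length: int = 10                 # "Enforce password history"
    min_age: timedelta = timedelta(days=1)   # "Minimum password age"


# The misconfiguration the audit describes: history kept, but no minimum age.
NO_MIN_AGE = PasswordPolicy(min_age=timedelta(0))


@dataclass
class Account:
    history: List[str] = field(default_factory=list)  # oldest first
    last_change: Optional[datetime] = None


class PolicyViolation(Exception):
    pass


def change_password(account: Account, policy: PasswordPolicy,
                    new_password: str, now: datetime) -> None:
    """Apply both rules the way a domain controller would; raise on violation."""
    if account.last_change is not None and now - account.last_change < policy.min_age:
        raise PolicyViolation("minimum password age not reached")
    if policy.history_length and new_password in account.history[-policy.history_length:]:
        raise PolicyViolation("password found in history")
    account.history.append(new_password)
    account.last_change = now


def immediate_reuse_blocked(policy: PasswordPolicy) -> bool:
    """Sanity check: history alone does stop setting the same password twice."""
    account = Account()
    t0 = datetime(2014, 5, 5, 9, 0)  # constructed timestamp
    change_password(account, policy, "ILovePeteSinceFeb2010", t0)
    try:
        change_password(account, policy, "ILovePeteSinceFeb2010", t0 + timedelta(days=2))
    except PolicyViolation:
        return True
    return False


def favourite_recycled_within(policy: PasswordPolicy,
                              window: timedelta = timedelta(hours=1)) -> bool:
    """Simulate a user cycling through throwaway passwords to get the
    favourite back. True means the history requirement was circumvented
    inside `window` (the behaviour the audit report warns about)."""
    favourite = "ILovePeteSinceFeb2010"   # constructed sample, from the post
    account = Account()
    t0 = datetime(2014, 5, 5, 9, 0)       # constructed timestamp
    change_password(account, policy, favourite, t0)
    try:
        for i in range(policy.history_length):
            change_password(account, policy, f"throwaway{i}", t0 + timedelta(minutes=i + 1))
        change_password(account, policy, favourite,
                        t0 + timedelta(minutes=policy.history_length + 1))
    except PolicyViolation:
        return False
    return (account.last_change - t0) <= window


# Constructed scan output, in the spirit of the report's automated
# configuration compliance scans (invented hosts, not real Premera data).
SCAN_RESULTS = [
    {"host": "srv-app-01", "min_password_age_days": 1, "history_length": 10},
    {"host": "srv-db-02",  "min_password_age_days": 0, "history_length": 10},
    {"host": "ws-fin-17",  "min_password_age_days": 0, "history_length": 24},
]


def hosts_allowing_history_bypass(scan_results) -> List[str]:
    """Flag systems where history is enforced but the minimum age is zero:
    there the whole history can be cycled through in minutes."""
    return [r["host"] for r in scan_results
            if r["history_length"] > 0 and r["min_password_age_days"] == 0]


if __name__ == "__main__":
    print("recycled with no minimum age:", favourite_recycled_within(NO_MIN_AGE))
    print("recycled with one-day minimum age:", favourite_recycled_within(PasswordPolicy()))
    print("non-compliant hosts:", hosts_allowing_history_bypass(SCAN_RESULTS))
```

With the minimum age set to zero the favourite password is back after eleven changes in eleven minutes; with a one-day minimum age the very first throwaway change is refused, and the ten-entry history finally does its job.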

Never say die!

How to Mitigate the Risk of Cyber Attacks? The Principle of Least Privilege shows the Direction!

21 March 2015

Lysa Myers writes in ‘Premera Breach: Healthcare businesses in the crosshairs’, published on 18 March 2015 on welivesecurity.com, about ‘five things businesses should be doing to help decrease risk and mitigate damage in case of a breach.’

I find it most remarkable that one of her recommendations is to enforce the Principle of Least Privilege in daily business. In my opinion this is the right step in the right direction.

Enforce the principle of least privilege across the entire IT infrastructure and application stack and you will gain back control.

For example, access to the company network should be granted only to those people who need this to do their job. In addition, access should only be possible during standard working hours, and, in the best case, from a single computer at a time.

This prevents attackers from accessing the company network outside working hours, and from using an account during working hours from another computer.

From this example it becomes clear that enforcing the Principle of Least Privilege requires changes on all sides (People, Processes and Technology) of the Golden Triangle of IT security.

In addition, the principle of Separation of Duties should be enforced for access to business-critical information. In any case, access to critical information should be approved by the information owner. In the best case, access should only be possible while the information owner and the employee are logged in to the application system at the same time.
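The constraints in the two paragraphs above (need-to-access, working hours, one computer at a time, and the owner being logged in alongside the employee) are easy to state but worth seeing stacked together. The following is an added example of my own, not code from Lysa Myers’ post; the users, hosts, working-hours window and timestamps are invented.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Set, Tuple


@dataclass
class AccessPolicy:
    """Least-privilege constraints on network access, as described above."""
    allowed_users: Set[str]            # only people who need the network for their job
    work_start: time = time(8, 0)      # assumed standard working hours
    work_end: time = time(18, 0)
    single_session: bool = True        # one computer at a time


@dataclass
class Sessions:
    active: Dict[str, str] = field(default_factory=dict)  # user -> host

    def logoff(self, user: str) -> None:
        self.active.pop(user, None)


def evaluate_logon(policy: AccessPolicy, sessions: Sessions,
                   user: str, host: str, when: datetime) -> Tuple[bool, str]:
    """Decide a network logon and register the session when it is granted."""
    if user not in policy.allowed_users:
        return False, "no business need for network access"
    if when.weekday() >= 5 or not (policy.work_start <= when.time() < policy.work_end):
        return False, "outside standard working hours"
    current = sessions.active.get(user)
    if policy.single_session and current is not None and current != host:
        # The account is already in use from another computer: the case the
        # post describes, a stolen account used during working hours.
        return False, f"account already in use from {current}"
    sessions.active[user] = host
    return True, "granted"


def critical_access_allowed(sessions: Sessions, owner: str, requester: str) -> bool:
    """Separation of duties for business-critical information: the owner
    approves by being logged in at the same time as the requester."""
    return owner != requester and owner in sessions.active and requester in sessions.active


def run_scenario() -> List[Tuple[bool, str]]:
    """Constructed scenario; returns every decision in order."""
    policy = AccessPolicy(allowed_users={"alice", "carol"})   # bob has no business need
    sessions = Sessions()
    monday = datetime(2015, 3, 16)                            # a Monday, chosen for the example
    results = []
    results.append(evaluate_logon(policy, sessions, "alice", "WS-01", monday.replace(hour=9)))
    results.append(evaluate_logon(policy, sessions, "alice", "WS-07", monday.replace(hour=9, minute=30)))
    results.append(evaluate_logon(policy, sessions, "bob", "WS-02", monday.replace(hour=10)))
    results.append(evaluate_logon(policy, sessions, "carol", "WS-03", monday.replace(hour=10)))
    # carol owns the critical data; alice may read it only while carol is logged in
    results.append((critical_access_allowed(sessions, "carol", "alice"), "owner present"))
    sessions.logoff("carol")
    results.append((critical_access_allowed(sessions, "carol", "alice"), "owner absent"))
    sessions.logoff("alice")
    results.append(evaluate_logon(policy, sessions, "alice", "WS-01", monday.replace(hour=23)))
    return results


if __name__ == "__main__":
    for allowed, reason in run_scenario():
        print("ALLOW" if allowed else "DENY ", reason)
```

The second logon attempt is the interesting one: the credentials are valid and it is working hours, yet the request is refused because the account is already in use from WS-01. That is the kind of signal an attacker with a stolen password cannot avoid producing, and it is also a line worth alerting on in the logon logs.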

Enjoy Lysa’s post, and have a good weekend.

Premera hacked – 11 million financial and medical records stolen

19 March 2014

When news about the Premera hack showed up in my mailbox this afternoon I was really amazed. It is the second time this year that a health insurance company has been hit.

While skimming the news about the Premera attack I wondered when the magic word ‘encryption’ would appear for the first time. Finally I found this statement in Warwick Ashford’s post ‘Premera hack exposes 11 million financial and medical records’. Richard Blech, chief executive of security firm Secure Channels, said:

“With advanced and unhackable encryption, the hacker is left with a bunch of useless bits and bytes.”

Richard Blech is talking about encryption at the application level. Application-level encryption is not as useless as transparent database-level encryption in the defense against attackers.

But even application-level encryption is almost useless against malicious insiders because, apart from the fact that they use stolen login data, they sign in to the company just like a normal employee. Therefore they are able to access even data that is encrypted at the application level, because they are authorized to do so.

In my opinion, using advanced encryption as the core of a protection strategy is as irresponsible as using no encryption at all. Strict Identity and Access Management, combined with Two-Factor Authentication for all employees, and regular security training form the first and second lines of defense. Encryption is the last line of defense.

Take care!