Even if Anthem Had Encrypted, It Probably Wouldn’t Have HelpedBy Rich
Earlier today in the Friday Summary I vented frustrations at news articles blaming the victims of crimes, and often guessing at the facts. Having been on the inside of major incidents that made the international news (more physical than digital in my case), I know how little often leaks to the outside world.
I picked on the Wired article because it seemed obsessed with the lack of encryption on Anthem data, without citing any knowledge or sources. Just as we shouldn’t blindly trust our government, we shouldn’t blindly trust reporters who won’t even say, “an anonymous source claims”. But even a broken clock is right twice a day, and the Wall Street Journal does cite an insider who says the database wasn’t encrypted (link to The Verge because the WSJ article is subscription-only).
I won’t even try too address all the issues involved in encrypting a database. If you want to dig in we wrote a (pretty good) paper on it a few years ago. Also, I’m very familiar with the healthcare industry, where encryption is the exception more than the rule. Many of their systems simply can’t handle it due to vendors not supporting it. There are ways around that but they aren’t easy.
So let’s look at the two database encryption options most likely for a system like this:
- Column (field) level encryption.
- Transparent Database Encryption (TDE).
Field-level encryption is complex and hard, especially in large databases, unless your applications were designed for it from the start. In the work I do with SaaS providers I almost always recommend it, but implementation isn’t necessarily easy even on new systems. Retrofitting it usually isn’t possible, which is why people look at things like Format Preserving Encryption or tokenization. Neither of which is a slam dunk to retrofit.
TDE is much cleaner, and even if your database doesn’t support it, there are third party options that won’t break your systems.
But would either have helped? Probably not in the slightest, based on a memo obtained by Steve Ragan at CSO Online.
The attacker had proficient understanding of the data platforms and successfully utilized valid database administrator logon information
They discovered a weird query siphoning off data, using valid credentials. Now I can tell you how to defend against that. We have written multiple papers on it, and it uses a combination of controls and techniques, but it certainly isn’t easy. It also breaks many common operational processes, and may not even be possible depending on system requirements. In other words, I can always design a new system to make attacks like this extremely hard, but the cost to retrofit an existing system could be prohibitive.
Back to Anthem. Of the most common database encryption implementations, the odds are that neither would have even been much of a speed bump to an attack like this. Once you get the right admin credentials, it’s game over.
Now if you combined with multi factor authentication and Database Activity Monitoring, that would have likely helped. But not necessarily against a persistent attacker with time to learn your systems and hijack legitimate credentials. Or perhaps encryption that limited access based on account and process, assuming your DBAs never need to run big direct queries.
There are no guarantees in security, and no silver bullets. Maybe encrypting the database would have helped, but probably not the way most people do it. But it sure makes a nice headline.
I am starting a new series on datacenter encryption and tokenization Monday, which will cover some of these issues. Not because of the breach – I am actually already 2 weeks late.
It just all depends. For example, health insurers often have to exchange large data sets with other participants in the payment system. Thus there could be a legit reason to pull a large percentage of the private information in the database.
Nice article. Thank you!
A question on your statement around DAM and 2FA not being effective as well. I am curious as to your thoughts on how they could be ineffective against a persistent actor. I can think of a scenario or two but am interested in your thoughts, wherher/how they would be bypassed, compromised etc.
By Kamal Govindaswamy
Once again, it’s about Identity, Access and Monitoring.
This isn’t complex, it’s just damn hard….
By David Mortman
Once a digital clock is broken, it is not right at any time. You must be dating yourself back to the days of analog :)