Lessons from Anthem attack

An attack on Anthem, the second-largest health insurer in the U.S., which exposed identifiable personal data of tens of millions of people, has again put cyber security in the spotlight, especially as identity theft is on the increase in South Africa, says DOROS HADJIZENONOS.

According to the Southern African Fraud Prevention Service, identity theft, which costs the economy R1 billion a year, increased 16% between 2012 and 2013 and was expected to rise further in 2014. Protecting organisations and safe-guarding the personal data of clients, staff and other stakeholders will become crucial, especially as companies move to comply with the Protection of Personal Information (POPI) Act and other data protection legislation.

The attack on Anthem was probably not a smash-and-grab raid but instead a sustained, low-key siphoning of information over a period of months. The breach was designed to stay below the radar of the company’s IT and security teams, using a bot infection to smuggle data out of the organisation.

According to statements released by Anthem, the first signs of the attack came a few weeks ago when an IT administrator noticed a database query was being run using his identifier code when he had not initiated it. The company determined that an attack had occurred, informed the FBI and hired an external security consultant to investigate.

Investigators reported that customised malware was used to infiltrate Anthem’s networks and steal data. The exact malware type was not disclosed, but is reported to be a variant of a known family of hacking tools. However, an independent security consultancy reports that the attack may have started up to three months earlier. The consultancy said that it noticed ‚Äòbotnet type activity’ at Anthem affiliate companies back in November 2014.

This would not be surprising, as long-term bot activity is commonplace in enterprises. Check Point’s 2014 Security Report, based on monitored events at over 10,000 organisations worldwide, found that at least one bot was detected in 73% of companies, up from 63% the year before. 77% of bots were active for over four weeks, and typically communicated with their ‚Äòcommand & control’ every three minutes.

Don’t be a victim

Bots are able to avoid detection because their developers use obfuscation tools to enable them to bypass traditional signature-based anti-malware solutions. As such, threat emulation, also known as sandboxing, should be used as an additional layer of defence to stop bots before they can infect networks. Anti-bot solutions should also be deployed to help discover bots and prevent further breaches by blocking their communications.

It’s also important that organisations segment their networks, separating each segment with layers of security to prevent bot infections spreading widely. Segmentation can contain infections in one area of the network, mitigating the risks of the infection accessing and breaching sensitive data in other network segments.

With these three preventative approaches, companies can dramatically reduce their exposure to the type of slow, stealthy bot attack that appears to have struck Anthem, and avoid being the victim of such a large-scale breach.

* Doros Hadjizenonos, Sales Manager of Check Point South Africa

* Follow Gadget on Twitter on @GadgetZA