Anthem Breach: Lessons One Year Later
What Others Can Learn About Breach Prevention, Detection and Response
… Organizations need to be far more aggressive in educating their workforce to recognize phishing schemes and implementing technical controls aimed at stopping phishing emails from penetrating their network perimeter, says Tom Walsh, founder of the security consulting firm tw-Security. “It only takes one phishing email to get through the email gateway to cause a great deal of harm to an organization,” he says.
… Mark Dill, principal consultant of tw-Security, and former long-time CISO at the Cleveland Clinic, suggests organizations use simulated phishing attacks to educate users.
“Engage a service provider or acquire a tool that proactively phishes the workforce and educates them immediately upon ‘fail,’ which means clicking on the email or clicking on the embedded link or opening the attachment,” he says. “These services or tools put the end user through a required education/tutorial – if they click – that informs them they were phished/tricked and what they should have looked for to avoid being phished.”
Anti-Malware and Monitoring
Still, organizations need to take several important steps in case users fall for phishing email scams that contain malicious code or links, Dill stresses.
Those steps, he says, include ensuring that endpoint antivirus agents are up to date and using a different email filter engine than the one supplied by the endpoint anti-malware tool. Dill also suggests ensuring that Web filters are up to date to block any untrusted or new links embedded in the emails.
… Dill also suggests evaluating “user behavior analytics” tools that can highlight user accounts and devices whose behavior has deviated from its established norm. “That’s a possible sign of system compromise via stolen credentials,” he says.
In addition, he says it’s important to monitor sequential critical database reads, which is a “possible sign of data theft in action – again, behavior that steps away from the norm – no person reads thousands of records sequentially.”
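As an added example (not code from the article or from tw-Security), the following Python script applies the two checks Dill describes to a constructed database audit log: it flags any user reading consecutive record IDs in a run, and it flags users whose read volume is far above an assumed historical baseline. The log format, field names, user names, baseline rates and thresholds are all assumptions made for illustration; a production deployment would read the actual database audit trail and set the run threshold in the thousands, as the quote suggests.

```python
"""Flag bulk sequential record reads and abnormal read volume in a database
audit log. Added example, not the article's or tw-Security's code; the log
format, baseline figures and thresholds below are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed audit-log format: one line per row read, space-separated key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) table=(?P<table>\S+) "
    r"op=SELECT record_id=(?P<rid>\d+)$"
)

# Constructed sample log: jsmith walks eight consecutive member records in a few
# seconds, a nurse does normal lookups, a batch job reads a short run, and one
# line is malformed to show that unparseable input is skipped rather than fatal.
SAMPLE_LOG = """\
2016-01-28T10:15:02Z user=rnurse table=member_pii op=SELECT record_id=5012
2016-01-28T10:15:05Z user=jsmith table=member_pii op=SELECT record_id=100001
2016-01-28T10:15:05Z user=jsmith table=member_pii op=SELECT record_id=100002
2016-01-28T10:15:06Z user=jsmith table=member_pii op=SELECT record_id=100003
2016-01-28T10:15:06Z user=rnurse table=member_pii op=SELECT record_id=7733
2016-01-28T10:15:06Z user=jsmith table=member_pii op=SELECT record_id=100004
2016-01-28T10:15:07Z user=jsmith table=member_pii op=SELECT record_id=100005
2016-01-28T10:15:07Z user=jsmith table=member_pii op=SELECT record_id=100006
2016-01-28T10:15:08Z user=jsmith table=member_pii op=SELECT record_id=100007
2016-01-28T10:15:08Z user=jsmith table=member_pii op=SELECT record_id=100008
2016-01-28T10:16:00Z user=billing_batch table=claims op=SELECT record_id=42
2016-01-28T10:16:01Z user=billing_batch table=claims op=SELECT record_id=43
2016-01-28T10:16:02Z user=billing_batch table=claims op=SELECT record_id=44
2016-01-28T10:20:00Z user=rnurse table=member_pii op=SELECT record_id=5012
this line is not a valid audit record
"""

# Assumed historical baseline: average reads per hour learned per account.
BASELINE = {"rnurse": 20.0, "jsmith": 2.0, "billing_batch": 5000.0}


def parse_log(text):
    """Parse lines matching LINE_RE into event dicts; silently skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "user": m["user"], "table": m["table"], "rid": int(m["rid"]),
            })
    return events


def sequential_runs(events, min_run=5, max_gap=timedelta(minutes=5)):
    """Return (user, table, first_id, last_id, count) for every run in which a
    user reads record_id N, N+1, N+2, ... from one table with no more than
    max_gap between consecutive reads. Other users' reads interleaved in the
    log do not break a run because state is kept per (user, table)."""
    runs = []
    state = {}  # (user, table) -> (last_rid, last_ts, run_start_rid, run_len)
    for ev in sorted(events, key=lambda e: e["ts"]):  # stable sort keeps log order on ties
        key = (ev["user"], ev["table"])
        prev = state.get(key)
        if prev and ev["rid"] == prev[0] + 1 and ev["ts"] - prev[1] <= max_gap:
            state[key] = (ev["rid"], ev["ts"], prev[2], prev[3] + 1)
        else:
            if prev and prev[3] >= min_run:
                runs.append((key[0], key[1], prev[2], prev[0], prev[3]))
            state[key] = (ev["rid"], ev["ts"], ev["rid"], 1)
    for key, prev in state.items():  # flush runs still open at end of log
        if prev[3] >= min_run:
            runs.append((key[0], key[1], prev[2], prev[0], prev[3]))
    return runs


def volume_anomalies(events, baseline_per_hour, factor=10.0):
    """Map user -> ratio of observed reads to the reads expected over the log
    window from the baseline, for users exceeding `factor`. Accounts with no
    baseline get ratio inf: an account with no norm to compare against is
    itself worth a look."""
    if not events:
        return {}
    first = min(e["ts"] for e in events)
    last = max(e["ts"] for e in events)
    hours = max((last - first).total_seconds(), 1.0) / 3600.0
    counts = defaultdict(int)
    for e in events:
        counts[e["user"]] += 1
    flagged = {}
    for user, n in counts.items():
        rate = baseline_per_hour.get(user)
        if rate is None:
            flagged[user] = float("inf")
        elif n / (rate * hours) > factor:
            flagged[user] = round(n / (rate * hours), 1)
    return flagged


def analyze(text, baseline_per_hour):
    events = parse_log(text)
    return sequential_runs(events), volume_anomalies(events, baseline_per_hour)


if __name__ == "__main__":
    runs, anomalies = analyze(SAMPLE_LOG, BASELINE)
    for user, table, lo, hi, n in runs:
        print(f"ALERT sequential read: {user} read {n} consecutive rows {lo}-{hi} from {table}")
    for user, ratio in anomalies.items():
        print(f"ALERT volume: {user} read {ratio}x the baseline rate")
```

With the sample data only jsmith is reported, on both checks: eight consecutive record IDs and roughly 48 times the expected read rate. The batch job's three-row run stays under min_run and its volume is well within its (large) baseline, which is the point of keeping a per-account norm rather than one global threshold. Known bulk jobs would normally be excluded by account name or by scheduling window before alerts are raised.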
Once preventive tools are optimized, the focus should be on rolling out “detective tools” such as data loss prevention and security information and event management, or SIEM, tools “and their supporting processes and talent to run them to raise the visibility of attempted and successful malicious activity within your networks,” Dill says. “If you cannot afford these tools, consider a managed service to provide them to you without the capital expense.”
… This is a reminder for organizations to be ready “when the inevitable breach does occur,” Walsh says. “Assume that a breach like this will happen in your organization. The FBI has warned that cyberattacks to the healthcare industry will continue to rise.”
And Walsh says it’s important to consider conducting an internal audit to determine, “have we already been hacked and we didn’t even know it?”
Another key step, he says, is the development of an incident response plan that includes creating playbooks, educating the response team and conducting a tabletop drill.