In previously criticizing the Anthem breach, I focused on preventative technologies. Clearly, identity and access management (IAM) makes cyber attacks difficult to launch. Equally crucial, IAM systems enable rapid remediation. They provide controls to automatically decommission compromised accounts, orphaned servers and passwords.
During the Dropbox credential spoof, I highlighted online behaviors criminals hope to exploit. I also promised to blog on safeguarding against state-sponsored cyber assaults. Now, conspiracy theorists may readily see the correlation. For most, customer data, spoofed credentials and state cyber attacks seem disconnected.
Yet, Brian Krebs reports a state-sponsored espionage group as responsible for Anthem’s breach. This raises a few questions. Why is a government pilfering through 80 million medical records? How does Anthem’s breach relate to the Dropbox spoof? And to make this a true conundrum, add one more: what do these events share in common with the Sony and UK GSI cyber attacks?
The link between the cyber attacks lies in state-sponsored phishing.
State-Sponsored Cyber Attacks Are Different
Generally speaking, cyber criminals are looking for "pump and dump" profits. They seek vulnerable targets across industries. They quickly upload mass data to sell for counterfeit credit cards.
State-sponsored groups raid embassies, government agencies and the private sector for intelligence. Favorite industry targets include energy, finance, manufacturing, and now health care companies. In most cases, information is stolen for competitive advantage. In the case of Anthem, the intent was phish bait for state-sponsored targets.
As another important difference, state-sponsored cyber attacks target specific individuals. They are not random acts. Naturally, you would think CEOs are the chief target. However, this is not the case, because they are routinely audited. At Anthem, GSI and Sony, the targets were system administrators and technical employees. Typically, state-sponsored groups home in on the following: privileged accounts, shared access, super users and executive proxies.
Governments Harvest Information for Phish Bait
To connect the dots, let’s address why governments harvest health records. They look for clues to use in phishing specific targets. Consider the many spoofs you could extrapolate based on someone’s health information. (Start with prescription drugs, vitamins, supplements, medical research, exercise programs, diet, food, nutrition, support groups, surveys, forums, lifestyles, language, culture, age, and just keep going.)
Bar none, no one spoofs like government groups. In many countries, governments offer job security and employ the best talent. With such resources, they can endlessly spoof someone’s critical interests and vulnerabilities.
For security attacks, cyber criminals require a point of entry to networks. Phishing lets a hacker establish a beachhead to launch an attack.
An Identity and Access Management Security Culture
In my blogs, I argue that self-service identity and access management improves security. IAM tools along with a rapid response clearly lower your risk profile. Yet, identity management solutions and response teams together cannot guarantee better results. IAM tools require another ingredient as a catalyst against cyber attacks. They need a security culture around them to deliver optimum value.
A construction saying goes, "a carpenter is as good as his tools." This statement assumes a carpenter knows a tool and its advantages. This premise certainly holds true for self-service identity and access management tools. Regardless of their utility, without security awareness these solutions likely go underutilized.
Similarly, a security culture establishes a frontline deterrent against government-sponsored phishing attacks. Highly targeted groups must be made aware of the risk they pose. Individuals with privileged accounts and shared access should recognize they are targets. Organizations must use training to counter human vulnerabilities that inadvertently expose operations. Security vulnerabilities are not resolved solely by technology. They represent on-the-job assumptions and human behaviors embedded in a company’s culture. Ultimately, a security culture raises awareness around activities that may otherwise seem benign. To deter state attacks, start with training and cultural change.
Learn the role IT automation and business-driven self-service administration play in creating lean operations. KuppingerCole’s Assignment Management — Think Beyond Access describes the shift in IT operations from tightly controlled identity management processes to workflow-enabled administration.