An Anthem to Get Behind: Enable Two-Factor Authentication


Posted by Eric Cowperthwaite

In the security industry, we all know it’s just a matter of time, sometimes minutes, before the next breach makes headlines.

We’re stopping and blocking attacks left and right, and it only takes that one time for a hacker to be right, that one mistake before we have to answer the question, “What happened?” The latest victim was Anthem, a huge health insurance provider that had 80 million customer and employee records exposed.

I do think it’s a positive sign that the breach was discovered by Anthem itself, and they are also being proactive and responsible about letting the public, regulators and their customers know what has happened. Transparency – to the greatest extent possible within the context of good security and legal practices – is critical in order to reassure regulators and customers that the organization is doing the right things.

But 80 million records that include names, birthdays, SSNs, addresses, emails and even income data exposed in an industry that has had privacy and security regulations in force since 2003? It is not the focus of my post today, but clearly that focus on regulations for over 10 years has not necessarily resulted in better security.

And so, as the breach became public, “What happened?” we all cried.

There were plenty of missteps and mistakes I’m sure, but one single factor gives me pause: as we interpret what Anthem said, it is pretty clear that they were relying on single-factor authentication to prevent access to sensitive data. We know the databases were accessed using an administrator’s ID and password. It is likely, based on what we know, that the initial breach was performed through phishing, allowing malware to be inserted into Anthem’s network. How, exactly, they gained access to a highly privileged administrator’s identity information isn’t clear yet. But to me, it doesn’t matter. If Anthem had two-factor authentication in place for all sensitive access, this probably could have been prevented.

Bad passwords get a ton of attention, but we honestly need to just get beyond passwords. In the past, two-factor authentication (2FA) was fairly difficult for most organizations to implement. Security teams had to buy physical tokens and access management systems and manage not only distributing them to each member of the workforce, but maintaining them when their batteries died, etc. Not all applications and systems supported 2FA, either. Today it is much easier to establish 2FA as a key control for access to critical data. The cost is low, the number of different platforms that can be used (e.g. physical tokens, soft tokens, smartphones) is broad and varied, and integration with internal access management platforms is straightforward. There really is no excuse for not implementing two-factor authentication in any company trying to protect critical data from unauthorized access.

And let’s be honest, 2FA is not a panacea. Twitter enabling two-factor authentication was imperative from a consumer privacy and security standpoint, but for some corporate accounts with multiple managers, it’s difficult to implement. And we know social media attacks make headlines, as we saw with the U.S. Central Command Twitter and YouTube accounts being breached last month. But what is the real damage there? Let’s remember, the damage there is reputation, not the private data of 80 million users if someone gets a hold of the credentials.

When it comes to securing what is really important to your business, two-factor authentication should be a given. Once you’ve identified what’s valuable in your organization from a data standpoint, you need to focus your efforts on protecting these assets at all costs. When it comes to something like two-factor authentication, the cost and effort are now so low, you really have no excuse.


Contributors
Eric Cowperthwaite, Core Security Inc.


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

