Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Government Privacy

Anthem Blocking Federal Auditor From Doing Vulnerability Scans 116

chicksdaddy writes Anthem Inc., the Indiana-based health insurer, has informed a federal auditor, the Office of Personnel Management, that it will not permit vulnerability scans of its network — even after acknowledging that it was the victim of a massive breach that leaked data on tens of millions of patients. According to this article, Anthem is citing "company policy" that prohibits third party access to its network in declining to let auditors from OPM's Office of the Inspector General (OIG) conduct scans for vulnerable systems. OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, or FEHBP. Insurers aren't mandated to comply — though most do. This isn't Anthem's first time saying "no thanks" to the offer of a network vulnerability scan. The company also declined to let OIG scan its network in 2013. A partial audit report issued at the time warned that the company, then known as WellPoint, "provided us with conflicting statements" on issues related to information security, including Wellpoint's practices regarding regular configuration audits and its plans to shift to IBM's Tivoli Endpoint Manager (TEM) platform.
This discussion has been archived. No new comments can be posted.

Anthem Blocking Federal Auditor From Doing Vulnerability Scans

Comments Filter:
  • no need (Score:4, Insightful)

    by turkeydance ( 1266624 ) on Thursday March 05, 2015 @07:15PM (#49192929)
    Anthem already knows its vulnerability.
    • And besides, NSA is probing it now. Or its UK counterpart is doing it for them, in exchange for a probing of a UK site.
  • OPM. Ok. Who invented this agency??

    Sorry to say. But there's no way I'd let them in my doors either. Where's the credibility nowadays?

    WTG Anthem! NO MEANS NO!

    • Re:LOL! (Score:4, Informative)

      by sumdumass ( 711423 ) on Thursday March 05, 2015 @07:56PM (#49193165) Journal

      Congress created this agency years ago (1883 i think) when it passed the civil service act into law.

      It's a central office in charge of federal government employees and administrates their benefits and retirement packages as well as wage tables and so on. You can think of them as the HR department on a grand scale.

    • Re:LOL! (Score:5, Insightful)

      by ihtoit ( 3393327 ) on Thursday March 05, 2015 @08:04PM (#49193233)

      Anthem need to learn the rules of the playground and start abiding by them, if I were the Fed I'd be shutting their arses down until they comply. No? You're telling me "NO"?? Fuck you. Get the fuck out of my playground.

      • Precisely! What is the issue here? If they want our money they will open their books.

      • by WeeBit ( 961530 )
        What rules?
        • by ihtoit ( 3393327 )

          how about data protection laws, for a start?

          • by WeeBit ( 961530 )
            Apparently that does not mean much to Anthem. Since Anthem wants to play hardball, and brazen enough to tell the Feds no. Then I suggest the Audit should happen. Perhaps if the public were to be notified that Anthem is no longer accredited, or secure they will change their tune? We have to test out the data protection laws on someone, Anthem looks to be the one to test on. They brought it on themselves.

            I would not back down until they were audited. Sorry but personal records are at stake.
    • But there's no way I'd let them in my doors either.

      Pray that you never get a federal job. OPM conducted my background investigation for a security clearance. My two-hour routine interview turned into a four-hour nitpicking interview. Being single and staying in the same studio apartment for nearly ten years was considered odd. Working a weekday job and a weekend job for a year, and having multiple overlapping contract jobs for several years, was odder. Not being able to remember every detail of every job I had to take since the Great Recession was oddest. W

  • by Anonymous Coward on Thursday March 05, 2015 @07:21PM (#49192959)

    "Anthem is citing "company policy" that prohibits third party access to its network in declining to let auditors from OPM's Office of the Inspector General (OIG) conduct scans for vulnerable systems."

    Seems a little late for that now, doesn't it?

    • by mysidia ( 191772 ) on Thursday March 05, 2015 @07:32PM (#49192997)

      We need regulation....

      Insurers aren't mandated to comply — though most do.

      They should be required to pass their audit or pass an audit by a 3rd party auditor who is approved by the OIG.

      Failure to comply should result in fines and bar them from writing or acquiring any more insurance policies, until they do.

      Also, in the event of a breach at this juncture, there should be a financial penalty for their negligence.

      • by LifesABeach ( 234436 ) on Thursday March 05, 2015 @07:51PM (#49193123) Homepage
        Anthem is an obvious corporate risk; shut them down. Then put all of their clients on Obama Care.
      • by bouldin ( 828821 ) on Thursday March 05, 2015 @07:51PM (#49193125)

        This will definitely provide fodder for all the class action lawsuits that are in the works.

        I wonder just how reckless a business has to be with their security before they risk charges of criminal negligence.

      • >We need regulation....

        This is hilarious. Every day slashdotters either complain that it's *obvious* we need less regulation. And in a separate thread, it's *obvious* we need more regulation.
        • by Mr. Shotgun ( 832121 ) on Thursday March 05, 2015 @10:40PM (#49194037)

          This is hilarious. Every day slashdotters either complain that it's *obvious* we need less regulation. And in a separate thread, it's *obvious* we need more regulation.

          *protip* slashdotters as you so put is is not a hive mind, people post here from all walks of life and have differing opinions. In fact I have seen opinions from both sides of the political spectrum that have been rated +5 insightful in the same thread. And they were both right, it was insightful and made you think. The last thing this site needs is to become an echo chamber of samethought and goodthink. If you are looking for that there are plenty of other websites out there, may I recommend Tumblr or yahoo news?

          • Only companies (and government institutions) complain that we need less regulation, especially in their field. Most slashdotters are outraged about what the companies and institutions get away with.
        • by mysidia ( 191772 ) on Thursday March 05, 2015 @11:25PM (#49194213)

          This isn't inconsistent. On the whole we do need less regulation. I would agree with that. There should be little regulation, but it should be effective regulation.

          There should also be a concept of "temporary regulation".... for example: We see this widespread abuse, so for the next 5 years you all have to do X, and if you shape up, then you industry players can decide how to do it afterwards, BUT you will be fully on the hook financially, for negligence, if you do X and it causes damage to people.

          There are some subjects or some elements in certain industries that need more regulation, because it's become the "industry standard" to abuse consumers, or people are unfairly being put at risk to save $$$ or safe face for some Mega Co, when Mega Co is essentially a local monopoly or nearly so.

      • by Anonymous Coward

        No, no no! The Free Market will solve this problem. The Market Solves ALL problems! We should just de-regulate everything because regulation is EVIL!

        That way, Anthem will no longer have to waste money on compliance so they can spend it on productive things like buying up all the competition.

      • by Anonymous Coward

        Also, in the event of a breach at this juncture, there should be a financial penalty for their negligence.

        Fines Remain Rare as Health Data Breaches Multiply [soylentnews.org]
        on Tuesday March 03, @04:51AM
        from the cost-of-doing-business dept.

        tt2024432 writes:

        Since October 2009, [US] health care providers and organizations (including third parties that do business with them) have reported more than 1,140 large breaches [hhs.gov] to the Office for Civil Rights, affecting upward of 41 million people. They’ve also reported more than 120,000 smaller lapses, each affecting fewer than 500 people.

        In a string of meetings and press release

  • Well... (Score:5, Funny)

    by Anonymous Coward on Thursday March 05, 2015 @07:31PM (#49192995)

    I think they already allowed third party access. What's a few more.

  • by dave562 ( 969951 ) on Thursday March 05, 2015 @07:33PM (#49193009) Journal

    I work for an organization that hosts PII for a number of large public companies. We are constantly asked about vulnerability scans and about 50% of the clients want to scan our networks themselves. We do not allow that.

    The compromise is that we conduct bi-weekly scans with Rapid7, and hire from a rotating list of third parties to conduct yearly vulnerability assessments of our applications and infrastructure. We make the high level results of those scans (number of vulnerabilities found) available to the clients. We also have to put up with the occasional fire drill like Heartbleed. During those situations, we deploy the patches as soon as we can test them, and then provide letters of attestation to any client who wants / needs one.

    While some clients complain, they eventually come around when we explain to them that it is for their own safety and the protection of their information. We are in a situation where we retain data for companies who are in direct competition with each other. When push comes to shove, we sometimes have to explain that, "Just like we will not let you scan our network for vulnerability, we will also not allow your direct competitor to scan our networks either."

    • by bouldin ( 828821 )

      You seem to be arguing that disallowing third-party scans is normal, but you admitted your company allows Rapid7 to conduct biweekly scans.

      • by dave562 ( 969951 )

        I could have made that more clear. We license Rapid7 and use their tools to conduct internal tests of the systems on a bi-weekly basis.

        • by bouldin ( 828821 ) on Thursday March 05, 2015 @09:56PM (#49193847)

          That sounds reasonable to me. If were running a security group, I would take care of as much in-house as I possibly could. I especially wouldn't allow business partners to scan my gear.. There is just too much risk there.

          There are a couple differences with Anthem, though.

          1. 1. They are being audited by regulators, and your business-to-business relationships are different.
          2. 2. Anthem was not able to document its internal vulnerability scans, while it seems like your company is diligent about this.

          Here's a quote from the OIG:

          "However, Anthem provided us with conflicting statements about its procedures, and ultimately was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers."

          That sounds more like a company with shoddy security trying to hide its failings behind a specious policy.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I work for a large multinational in the human capital management space and we let a select number our customers do penetration testing. Our customers range from Fortune 500 to government agencies in the US and EU. It is not an unheard of practice, and I would argue it is quite common for these requests to come up, especially during contract negotiations.

      • by dave562 ( 969951 )

        How do you deal with things like re-tests and conflicting priorities for remediation? For example, client wants vulnerabilities patched in one week but the next maintenance window is for two weeks.

      • by ColdWetDog ( 752185 ) on Thursday March 05, 2015 @08:29PM (#49193423) Homepage

        I work for a large multinational in the human capital management space and we let a select number our customers do penetration testing. Our customers range from Fortune 500 to government agencies in the US and EU. It is not an unheard of practice, and I would argue it is quite common for these requests to come up, especially during contract negotiations.

        My little firm can't afford stuff like that. So we outsource our testing to China and Russia - they charge a lot less.

        Seems like they're always falling over each other to try and accommodate us.

    • by Kirth ( 183 )

      Why won't you allow that? Criminals, including secret services, do it too, As long as you know what you're doing, it really shouldn't matter.
      Of course, I wouldn't give them any special access to do it.

  • Anthem is citing "company policy" that prohibits third party access to its network

    I guess the hackers didn't read--or failed to abide by--that policy. Kind of like "gun-free zone" which only deters the law-abiding.

    • Who dares, wins.
  • by jddj ( 1085169 ) on Thursday March 05, 2015 @07:47PM (#49193103) Journal

    If they can actually block the scans, that'd be... well...more secure than their track record indicates.

  • by hamjudo ( 64140 ) on Thursday March 05, 2015 @07:47PM (#49193105) Homepage Journal
    Anthem is traded on the NYSE under the symbol WLP.

    They should be required to file an 8K form to legally inform all of their stock holders that they have material news that may adversely affect their future stock price, or even company viability.

    After having been informed of extreme security issues on our network, Anthem Inc has elected to ignore the situation. Furthermore, Anthem Inc's network is so embarrassing, that Anthem Inc has decided to risk significant fines and legal expenses, rather than allow adults to see just how bad it is.

    Translation, shareholder lawsuits may be addressed to Joseph R. Swedish, et al.

    • Seems like a clear cut Sarbanes-Oxley problem as well, an external audit would seem to be required given the intrusion they suffered.

  • by Anonymous Coward on Thursday March 05, 2015 @07:49PM (#49193111)

    Through no real choice of my own, WellPoint/Anthem was involved in some of my shit (they were behind the only decent plans my employee offered, though they weren't branded as WellPoint/Anthem anything). They leak data frequently.
    About once a year I get a notice saying my shit has been leaked and that they're providing "identity protection" bullshit as compensation. My current pointless "protection" plan is handled by some clowns called FraudStop.

  • simple answer (Score:5, Insightful)

    by ihtoit ( 3393327 ) on Thursday March 05, 2015 @08:00PM (#49193193)

    STOP THEM FROM OPERATING. Prohibit them from carrying out a single transaction until they comply with Federal requirements. Fuck them, if they don't want to abide by the rules, we'll take their fucking marbles off them and kick them out of the playground.

    • Prohibit them from carrying out a single transaction until they comply with Federal requirements.

      You'd be less incensed if you read the summary. And you'd have fewer upmods if the moderators did too. Sheesh.

  • According to this article, Anthem is citing "company policy" that prohibits third party access to its network...

    Sounds like y'all'd better beef up your security because, if they manage to access your network, you've violated company policy by allowing it to happen.
    The government isn't bound by your company policy.

  • by sk999 ( 846068 ) on Thursday March 05, 2015 @08:03PM (#49193225)

    The place I work is required to allow itself to be scanned, both from outside and inside the network perimeter. However, whenever the auditors show up to do their inside scanning, we have to disable a number of security systems so they can "do their job". Kinda defeats the whole purpose, but whatever makes the auditors happy.

    • by SJ ( 13711 )

      Not really...

      Just because your firewall drops a port-scan (simple terms here) doesn't mean that someone won't get lucky and guess an open port and exploit it.

      The Auditors want to know if you're patching your systems.

      No point leaving the combination to the safe on a sticky note next to it, and then saying "it's ok. I always lock my front door".

    • There are a variety of different scans.
      There's simple stuff like "is this port open when it shouldn't be", or "can I get to this host which should be firewalled"
      Then there "when I connect to Apache on host X, is it running a version with known vulnerabilities. Are they patched"

      Finally there's
      "Is host X running exploitable Y which is currently protected by Z, but could be exploited if A, B, or C happened"

      For the last one, it's still important to identify vulnerable software even if it's not accessible by a f

  • by Anonymous Coward

    From the hero graphic on Anthem's site:

    March is colon cancer awareness month
    Find out how screening save lives.

    The irony wasn't lost on me...

  • Health care companies cannot operate without a license.

    Just remove their license, or forever remain a toothless laughing stock.

  • Scan them anyway? What, are they going to use harsh language?
  • The typical compromise (see what I did there?) when a customer or Federal Government auditor wants to run scans of any sort on your private network is to agree on tools (to be provided by the auditing group if you don't already have them) running an agreed configuration/profile/whatever against an agreed limited scope target list (typically a VLAN or set of VLANs unless that entire network is devoted to just that one customer, which is sometimes the case, though less so these days with public/private/hybrid

  • List the rules that these companies have to abide by because I can't find them.
  • Earlier this week I put in a request for pen-testing a new server I had completed. I think it's secure, but that isn't my area of expertise, so I have the experts kick the shit out of my server to see if anything falls over.

  • Believe me, they'll be getting vulnerability scans whether they want them or not! (They just won't get the results in their chosen format!)

    On the internet, everyone gets a free pentest!

  • Two scenarios. (Score:4, Insightful)

    by 140Mandak262Jamuna ( 970587 ) on Friday March 06, 2015 @08:09AM (#49195605) Journal
    Scenario 1:

    Dear Investigator,

    We understand you suspect our CEO was doing insider trading and want access to our server logs to find evidence of guilt or innocence. While we appreciate your conscientiousness, we regret, we do not allow third party access to our servers. We thank you for your understanding. Hoping this would buy us enough time to sanitize our server logs, Yours, Gofly Akite, for Dewy Chetham and Howe.

    SEC investigator: eh? well, OK, Guess I tried, so I have covered my ass

    Scenario 2:

    "Hey Police officer, you want to search my car for pot? I know you are just doing your job, but sorry buddy, my policy is not to allow any third parties into my car. Hope you understand"

    Police Officer: "Keep your hands visible, and slowly exit your vehicle, turn around put your hands on the hood and bend over..."

  • ...was in not publishing those policies to the hackers that got in earlier. If only they had known that there was a company policy against it, it could have saved everyone a lot of extra work.

    All things considered though, this arrogance seems in line with a place who doesn't know their own vulnerabilities. I'd wager this isn't the first time they have been compromised and this is just defensive turtling to try to hide facts.

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...