Slashdot Mirror


Anthem Blocking Federal Auditor From Doing Vulnerability Scans

chicksdaddy writes Anthem Inc., the Indiana-based health insurer, has informed a federal auditor, the Office of Personnel Management, that it will not permit vulnerability scans of its network — even after acknowledging that it was the victim of a massive breach that leaked data on tens of millions of patients. According to this article, Anthem is citing "company policy" that prohibits third party access to its network in declining to let auditors from OPM's Office of the Inspector General (OIG) conduct scans for vulnerable systems. OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, or FEHBP. Insurers aren't mandated to comply — though most do. This isn't Anthem's first time saying "no thanks" to the offer of a network vulnerability scan. The company also declined to let OIG scan its network in 2013. A partial audit report issued at the time warned that the company, then known as WellPoint, "provided us with conflicting statements" on issues related to information security, including WellPoint's practices regarding regular configuration audits and its plans to shift to IBM's Tivoli Endpoint Manager (TEM) platform.

116 comments

  1. no need by turkeydance · · Score: 3, Insightful

    Anthem already knows its vulnerability.

    1. Re:no need by Anonymous Coward · · Score: 0

      Anthem already knows its vulnerability.

      And how many NSA backdoors will this "security scan" add?

    2. Re:no need by eric_harris_76 · · Score: 1

      And besides, NSA is probing it now. Or its UK counterpart is doing it for them, in exchange for a probing of a UK site.

      --
      There's no time like the present. Well, the past used to be.
  2. Sorry, we don't do pentesting... by Anonymous Coward · · Score: 0

    ...we wouldn't want to interfere with the free flow of information out of our network.

  3. LOL! by MakersDirector · · Score: 1

    OPM. Ok. Who invented this agency??

    Sorry to say. But there's no way I'd let them in my doors either. Where's the credibility nowadays?

    WTG Anthem! NO MEANS NO!

    1. Re:LOL! by sumdumass · · Score: 3, Informative

      Congress created this agency years ago (1883, I think) when it passed the civil service act into law.

      It's a central office in charge of federal government employees and administrates their benefits and retirement packages as well as wage tables and so on. You can think of them as the HR department on a grand scale.

    2. Re:LOL! by ihtoit · · Score: 4, Insightful

      Anthem need to learn the rules of the playground and start abiding by them, if I were the Fed I'd be shutting their arses down until they comply. No? You're telling me "NO"?? Fuck you. Get the fuck out of my playground.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    3. Re:LOL! by Anonymous Coward · · Score: 0

      As someone whose information was leaked by Anthem, all I can say to you is die in a fire.

    4. Re:LOL! by ihtoit · · Score: 1

      your issue isn't with me, your issue is with Anthem.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    5. Re:LOL! by fustakrakich · · Score: 1

      Precisely! What is the issue here? If they want our money they will open their books.

      --
      “He’s not deformed, he’s just drunk!”
    6. Re:LOL! by Anonymous Coward · · Score: 0

      Even though the law doesn't give you that privilege? You sound like a great candidate for the Ferguson Police Chief.

    7. Re:LOL! by WeeBit · · Score: 1

      What rules?

    8. Re:LOL! by ihtoit · · Score: 1

      how about data protection laws, for a start?

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    9. Re:LOL! by Anonymous Coward · · Score: 1

      Um, HIPAA and HITECH give them the right. These laws state that OPM is to investigate ANY breach related to PHI for a covered entity.....

    10. Re:LOL! by Anonymous Coward · · Score: 0

      Anthem need to learn the rules of the playground and start abiding by them, if I were the Fed I'd be shutting their arses down until they comply. No? You're telling me "NO"?? Fuck you. Get the fuck out of my playground.

      They are a typical corporation. They know they are vulnerable and just don't care. If they are audited they will doubtless be told to fix stuff which would cost them money, so they don't want to be audited. If I was the Fed I would move all policies for federal employees and anyone using Obamacare to other providers and list ongoing security concerns as the reason.

    11. Re:LOL! by Anonymous Coward · · Score: 0

      Of course my issue isn't with you, I wasn't talking to you, I was talking to MakersDirector.

      Now, if MakersDirector is an alternate account of yours, yes, I do have an issue with you. You are saying that what Anthem did is a good thing. So, FOADIAF.

    12. Re:LOL! by __aaclcg7560 · · Score: 1

      But there's no way I'd let them in my doors either.

      Pray that you never get a federal job. OPM conducted my background investigation for a security clearance. My two-hour routine interview turned into a four-hour nitpicking interview. Being single and staying in the same studio apartment for nearly ten years was considered odd. Working a weekday job and a weekend job for a year, and having multiple overlapping contract jobs for several years, was odder. Not being able to remember every detail of every job I had to take since the Great Recession was oddest. When asked if you're going to commit terrorist acts against the U.S.A., always tell the truth.

    13. Re:LOL! by HornWumpus · · Score: 1

      What would you do to the federal reserve and their audit refusal?

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    14. Re:LOL! by Anonymous Coward · · Score: 0

      Even though the law doesn't give you that privilege? You sound like a great candidate for the Ferguson Police Chief.

      In this situation based on the source there doesn't seem to be anything to legally compel Anthem to open their network to a government auditor.

      I wonder if there is anything that legally compels the government to offer/use Anthem services to millions of public sector workers?

    15. Re:LOL! by ihtoit · · Score: 1

      wow, how dangerous is it to fuck with the Fed? Let's ask Messrs. Lincoln and Kennedy...

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    16. Re:LOL! by ihtoit · · Score: 1

      nope, he's not me. And I hope Anthem gets told which country they can carry on this type of behaviour in (one without data protection laws, maybe?)

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    17. Re:LOL! by ChoosyBeggar · · Score: 1

      We're talking about the Federal Reserve, right? The one that wasn't created until 1913, right? In that case, we'd better stop tying this to Lincoln unless you've got some kind of evidence that the Federal Reserve somehow dates back to Lincoln's time. Otherwise, we discredit the considerable idea that Kennedy was indeed assassinated by such powerful interests, and not just some lunatic.

    18. Re:LOL! by WeeBit · · Score: 1

      Apparently that does not mean much to Anthem. Since Anthem wants to play hardball and is brazen enough to tell the Feds no, then I suggest the Audit should happen. Perhaps if the public were to be notified that Anthem is no longer accredited, or secure, they will change their tune? We have to test out the data protection laws on someone, and Anthem looks to be the one to test on. They brought it on themselves.

      I would not back down until they were audited. Sorry but personal records are at stake.

    19. Re:LOL! by Bill+Privatus · · Score: 1

      O/T: There was no Fed before 1913. However, we've had one form or another of a national bank for much longer; the story of how Andrew Jackson stared down Nicholas Biddle and put a leash on the Second Bank of the United States is quite a different story. Perhaps it was this which you attempted to reference...but even then, the BUS lost.

      --
      Redundancy is good; triple redundancy is twice as good! - Me.
    20. Re:LOL! by MakersDirector · · Score: 0

      Ok, Chicken Little.

    21. Re:LOL! by MakersDirector · · Score: 0

      LOL EVEN MORE! Your information was leaked? THAT'S AWESOME! It couldn't have happened to a better person!

      LOL!!!

    22. Re:LOL! by MakersDirector · · Score: 0

      Anthem needs to learn the rules?

      Well at least you drew a pretty awesome analogy to it being a playground as you lashed out like a child.

      Look, let's be clear.

      To me, this isn't a playground.

      It's a place where grownups play.

      And unfortunately, in the corporate world, new 'state' and 'federal' agencies with self proclaimed oversight crop up daily.

      Now as a company doing any kind of business, a company would go absolutely insane and quite literally never get any business done trying to appease every single one of these so called agencies.

      So there comes a point where these companies - DO THEIR best to appeal to their population. CSR helps establish a valuable modus operandi for supporting the general public....

      And learn to say no such as Anthem has demonstrated.

      Watch the tv show Supernatural. When you say you are representing 'The Feds', nowadays - most people in the corporate world recognize it's a witch hunt.

      The FEDS need to clean up THEIR act and those they govern and THEN (and only then) the corporate world will start respecting those who represent them as credible.

  4. Company Policy? by Anonymous Coward · · Score: 3, Funny

    "Anthem is citing "company policy" that prohibits third party access to its network in declining to let auditors from OPM's Office of the Inspector General (OIG) conduct scans for vulnerable systems."

    Seems a little late for that now, doesn't it?

    1. Re:Company Policy? by Anonymous Coward · · Score: 0

      As a person who performs SCAs/Red Teams of healthcare systems, you would be shocked at the number of High findings and the lack of POAM/Remediation that has occurred over the last 2 years......

      IoT is only going to make this worse and you better get savvy learning how to block/turn off stuff you don't want being transmitted....

    2. Re:Company Policy? by Anonymous Coward · · Score: 0

      What about their other company policies to protect data? Do they have any of those? If so they clearly failed. Now another organization that has employees that were affected by this wants to take a look at your security or lack thereof. How about we all not choose to use Anthem and their products. How about companies actually doing the right things as far as protecting data. Corporations don't appear to want to spend money and resources on setting things up properly; furthermore, when TLAs are able to intercept shipments of gear and implant new chips into the gear and send it on its way, security loses all of its meaning, because all the data is being intercepted at the hardware layer. Here's a good example of companies skirting responsibility. A company handles your PCI data in a manual fashion now; they plan on pushing this data to the cloud and letting someone else deal with it. They refuse to correct their internal network as a PCI platform and therefore restructure things to meet PCI compliance internally. "We don't have the resources to do it."
      So you went into business to make money, but not to ensure that others' data in regards to their money is protected. BRILLIANT!!! So here we are, we never planned....we don't want to spend money to protect our clients. This irritates me to no end and makes me point to lazy behavior. So you would rather not pay now to prevent, but pay N+N later when the problem surfaces.

  5. Well... by Anonymous Coward · · Score: 5, Funny

    I think they already allowed third party access. What's a few more.

  6. The industry needs more regulation by mysidia · · Score: 5, Insightful

    We need regulation....

    Insurers aren't mandated to comply — though most do.

    They should be required to pass their audit or pass an audit by a 3rd party auditor who is approved by the OIG.

    Failure to comply should result in fines and bar them from writing or acquiring any more insurance policies, until they do.

    Also, in the event of a breach at this juncture, there should be a financial penalty for their negligence.

    1. Re:The industry needs more regulation by LifesABeach · · Score: 3, Funny

      Anthem is an obvious corporate risk; shut them down. Then put all of their clients on Obama Care.

    2. Re:The industry needs more regulation by bouldin · · Score: 3, Interesting

      This will definitely provide fodder for all the class action lawsuits that are in the works.

      I wonder just how reckless a business has to be with their security before they risk charges of criminal negligence.

    3. Re:The industry needs more regulation by bouldin · · Score: 1

      You're being sarcastic, right? "Obamacare" doesn't insure people. There was no public option In the healthcare debate.

    4. Re: The industry needs more regulation by Anonymous Coward · · Score: 1

      As an Indiana resident, Anthem is essentially my only ACA option already.

    5. Re:The industry needs more regulation by Anonymous Coward · · Score: 0

      Failure to comply should result in fines and bar them from writing or acquiring any more insurance policies, until they do.

      This. Insurance companies need a federal license to operate. Feds only have to say, "nice money you have there, but, no thanks!"

    6. Re:The industry needs more regulation by ckatko · · Score: 2

      >We need regulation....

      This is hilarious. Every day slashdotters either complain that it's *obvious* we need less regulation. And in a separate thread, it's *obvious* we need more regulation.

    7. Re:The industry needs more regulation by Anonymous Coward · · Score: 0

      So because some "slashdotters" complain about regulations, that means all "slashdotters" feel that way. Fucking A are you dumb dumb dumb.

    8. Re:The industry needs more regulation by Anonymous Coward · · Score: 0

      AMEN. As one whose data was breached, I wish they had allowed that scan back in 2013! The federal employee market, including retirees, is huge, and earns them quite a bit of cash.

    9. Re:The industry needs more regulation by Anonymous Coward · · Score: 0

      Well, there was a public option in the debate. Unfortunately, Lieberman joined the 40 Republicans in the Senate and filibustered it to death.

    10. Re:The industry needs more regulation by Mr.+Shotgun · · Score: 3, Insightful

      This is hilarious. Every day slashdotters either complain that it's *obvious* we need less regulation. And in a separate thread, it's *obvious* we need more regulation.

      *protip* slashdotters, as you so put it, is not a hive mind; people post here from all walks of life and have differing opinions. In fact I have seen opinions from both sides of the political spectrum that have been rated +5 insightful in the same thread. And they were both right, it was insightful and made you think. The last thing this site needs is to become an echo chamber of samethought and goodthink. If you are looking for that there are plenty of other websites out there, may I recommend Tumblr or Yahoo News?

      --
      Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
    11. Re:The industry needs more regulation by Anonymous Coward · · Score: 1

      Also, in the event of a breach at this juncture, there should be a financial penalty for their negligence.

      Fines Remain Rare as Health Data Breaches Multiply
      on Tuesday March 03, @04:51AM
      from the cost-of-doing-business dept.

      tt2024432 writes:

      Since October 2009, [US] health care providers and organizations (including third parties that do business with them) have reported more than 1,140 large breaches to the Office for Civil Rights, affecting upward of 41 million people. They’ve also reported more than 120,000 smaller lapses, each affecting fewer than 500 people.

      In a string of meetings and press releases, the federal government’s health watchdogs have delivered a stern message: They are cracking down on insurers, hospitals and doctors offices that don’t adequately protect the security and privacy of medical records.

      But as breaches of patient records proliferate – just this month, insurer Anthem revealed a hack that exposed information for nearly 80 million people – federal overseers have seldom penalized the health care organizations responsible for safeguarding this data, a ProPublica review shows.

    12. Re:The industry needs more regulation by mysidia · · Score: 3

      This isn't inconsistent. On the whole we do need less regulation. I would agree with that. There should be little regulation, but it should be effective regulation.

      There should also be a concept of "temporary regulation".... for example: We see this widespread abuse, so for the next 5 years you all have to do X, and if you shape up, then you industry players can decide how to do it afterwards, BUT you will be fully on the hook financially, for negligence, if you do X and it causes damage to people.

      There are some subjects or some elements in certain industries that need more regulation, because it's become the "industry standard" to abuse consumers, or people are unfairly being put at risk to save $$$ or save face for some Mega Co, when Mega Co is essentially a local monopoly or nearly so.

    13. Re:The industry needs more regulation by Anonymous Coward · · Score: 0

      HIPAA and HITECH are to apply to Insurance companies too..... Just sayin'

    14. Re: The industry needs more regulation by Anonymous Coward · · Score: 0

      This post is reason to comply. I am sorry, this post alone released part of the security infrastructure (Tivoli) and made it public. Which makes Anthem even more vulnerable.

    15. Re:The industry needs more regulation by Errol+backfiring · · Score: 1

      Only companies (and government institutions) complain that we need less regulation, especially in their field. Most slashdotters are outraged about what the companies and institutions get away with.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    16. Re:The industry needs more regulation by LifesABeach · · Score: 1

      If one has Obama Care, does one need health insurance?

    17. Re:The industry needs more regulation by Anonymous Coward · · Score: 0

      Here's how auditing typically works. Company X points the auditors to what they can look at and audits do not dig into the details to verify the place is secure and doing things properly. Those that are wise make it a priority because they want to keep their customer base and pay attention to the details.

  7. underscores the need for govt regulations by Anonymous Coward · · Score: 0

    This is why we need government regulations: to enforce a bare minimum of corporate behavior.

    Now where are all the shills who can tell us about how efficient private enterprise is, and how freedom=no regs on big business?

    1. Re:underscores the need for govt regulations by Anonymous Coward · · Score: 0

      because all the existing government regulation on healthcare has been notably successful, indeed sir.

    2. Re:underscores the need for govt regulations by Anonymous Coward · · Score: 0

      What a compelling argument! You've convinced me. All regulation is bad.

  8. Anthem is normal here by dave562 · · Score: 5, Insightful

    I work for an organization that hosts PII for a number of large public companies. We are constantly asked about vulnerability scans and about 50% of the clients want to scan our networks themselves. We do not allow that.

    The compromise is that we conduct bi-weekly scans with Rapid7, and hire from a rotating list of third parties to conduct yearly vulnerability assessments of our applications and infrastructure. We make the high level results of those scans (number of vulnerabilities found) available to the clients. We also have to put up with the occasional fire drill like Heartbleed. During those situations, we deploy the patches as soon as we can test them, and then provide letters of attestation to any client who wants / needs one.

    While some clients complain, they eventually come around when we explain to them that it is for their own safety and the protection of their information. We are in a situation where we retain data for companies who are in direct competition with each other. When push comes to shove, we sometimes have to explain that, "Just like we will not let you scan our network for vulnerability, we will also not allow your direct competitor to scan our networks either."

    1. Re:Anthem is normal here by Anonymous Coward · · Score: 0

      One significant difference here is that the government is the one asking, not a private business. While your company may hold data of multiple competing businesses, it probably doesn't hold the data of competing countries, at least it shouldn't be holding it on servers in the US. My company deals with data from businesses around the world and they all are very particular about where their data is allowed to reside.

    2. Re:Anthem is normal here by Anonymous Coward · · Score: 0

      Firstly, we're assuming that you're not full of shit on the rotating scan roster. Yes, I can fabricate the results of most systems and I work in the industry. Secondly, it's the Feds. You will capitulate if requested, as will Anthem.

      I trust you cunts as far as I can throw you.

    3. Re:Anthem is normal here by bouldin · · Score: 1

      You seem to be arguing that disallowing third-party scans is normal, but you admitted your company allows Rapid7 to conduct biweekly scans.

    4. Re:Anthem is normal here by Anonymous Coward · · Score: 2, Interesting

      I work for a large multinational in the human capital management space and we let a select number of our customers do penetration testing. Our customers range from Fortune 500 to government agencies in the US and EU. It is not an unheard of practice, and I would argue it is quite common for these requests to come up, especially during contract negotiations.

    5. Re:Anthem is normal here by dave562 · · Score: 1

      I could have made that more clear. We license Rapid7 and use their tools to conduct internal tests of the systems on a bi-weekly basis.

    6. Re:Anthem is normal here by dave562 · · Score: 1

      We are in the same situation and we have data centers spread around the globe to deal with data privacy and jurisdictional considerations.

    7. Re:Anthem is normal here by dave562 · · Score: 1

      How do you deal with things like re-tests and conflicting priorities for remediation? For example, client wants vulnerabilities patched in one week but the next maintenance window is for two weeks.

    8. Re:Anthem is normal here by ColdWetDog · · Score: 3, Funny

      I work for a large multinational in the human capital management space and we let a select number of our customers do penetration testing. Our customers range from Fortune 500 to government agencies in the US and EU. It is not an unheard of practice, and I would argue it is quite common for these requests to come up, especially during contract negotiations.

      My little firm can't afford stuff like that. So we outsource our testing to China and Russia - they charge a lot less.

      Seems like they're always falling over each other to try and accommodate us.

      --
      Faster! Faster! Faster would be better!
    9. Re:Anthem is normal here by Anonymous Coward · · Score: 0

      Care to speak about a Federal Auditor wanting to scan your network? Against a scenario like the large breach that Anthem suffered?

      Certain clients, and 3rd parties? Sure, I can see Anthem refusing. Federal Auditors after getting caught with your pants down? That's suspicious if not willful neglect! I'd almost state that makes them legally liable for any secondary breaches within the immediate future. Their insurance underwriters, whoever is backing them, should be chiming in here.

    10. Re:Anthem is normal here by Anonymous Coward · · Score: 0

      So.....you falsify the results yourselves, do you?
      I bet you don't even scan all of the network devices in your central office.

    11. Re:Anthem is normal here by bouldin · · Score: 4, Insightful

      That sounds reasonable to me. If I were running a security group, I would take care of as much in-house as I possibly could. I especially wouldn't allow business partners to scan my gear. There is just too much risk there.

      There are a couple differences with Anthem, though.

      1. They are being audited by regulators, and your business-to-business relationships are different.
      2. Anthem was not able to document its internal vulnerability scans, while it seems like your company is diligent about this.

      Here's a quote from the OIG:

      "However, Anthem provided us with conflicting statements about its procedures, and ultimately was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers."

      That sounds more like a company with shoddy security trying to hide its failings behind a specious policy.

    12. Re:Anthem is normal here by jafiwam · · Score: 2

      Bypassing your security is easy. Step 1, Bad Guy kills your dog in front of you. Step 2, Bad Guy then puts the gun to your head and starts removing body parts till Bad Guy has access. Let's face it, it's not exactly the Bad Guy's problem that you are bleeding to death on your carpet. It's a hell of a plan you've got.

      Why is it you liberal idiots always assume only bad guys have guns?

      Step 0, bad guy spotted on approach and hit three times in the gut with .357 rounds. Better yet, a 12 gauge at the doorway.

      Maybe YOUR plan is give up your tender butthole. Not everybody is like that.

    13. Re:Anthem is normal here by Anonymous Coward · · Score: 0

      My company does similar. We have roughly 3500 active clients at any time. Many are some of the largest, most recognized companies in the world. Each of these companies has requirements for what we can and can't do with their data and how we secure our network. For the most part, our average policies, similar to yours, meet most of their requirements for security and reporting.
      Over time though a lot of our bigger clients want something over the top and we have to implement it. Like password requirements of, say, 16 characters with a number, special character, mixed case, and some others like a 30 day change rate as well. Another wanted 5 invalid logins for an account to get locked out. Those are great but make for internal IT nightmares. Just about no one in our company can change their password without getting constantly locked out for a few days. If you change your pass at your PC but were logged into another computer or remote desktop session somewhere else or have OWA on your phone, then you get locked out before you can even put the new password in those devices. Several want no data in the public "cloud" unless nothing leaves our network that wasn't encrypted by us with keys that only we maintain. A lot of our clients and our company do not want our data to be mined and looked at, even by the NSA going to Amazon/Azure and requesting it (although even with our own encryption, I'm sure they can). That one is BIG and prevents us from using a lot of cloud services like Office 365, hosted email, just about any collaborative cloud storage service, etc.

    14. Re:Anthem is normal here by Anonymous Coward · · Score: 0

      I see you like thinking about "tender buttholes".

    15. Re:Anthem is normal here by Anonymous Coward · · Score: 0

      External testing is done within a defined window, and what and how is reported to us prior to the testing. This is not the case of us allowing our customers to do whatever they want, whenever they wish. Although we use the multiple tenant model, our product portfolio is diverse and we have many environments for the various pieces, sometimes spread across different geographic locations, interconnected internally. There are situations where we run separate environments for a customer, such as government agencies.

      If vulnerabilities are found, patching depends on what is broken. We have to identify if it is part of our application stack or infrastructure. Generally, we stick to our patch schedule, however we have a process for emergency patching. When and what to patch is evaluated by the various engineering and operations teams within the company and the change management group makes the final decision. The customer never dictates the patch schedule.

    16. Re:Anthem is normal here by LifesABeach · · Score: 1

      Damn, first time an A/C made spit coffee all over my keyboard. LOL

    17. Re:Anthem is normal here by ihtoit · · Score: 1

      HIPAA covers unintentional breaches as well for the simple reason that unintentional breaches SHOULD NOT BE POSSIBLE.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    18. Re:Anthem is normal here by Kirth · · Score: 1

      Why won't you allow that? Criminals, including secret services, do it too. As long as you know what you're doing, it really shouldn't matter.
      Of course, I wouldn't give them any special access to do it.

      --
      "The more prohibitions there are, The poorer the people will be" -- Lao Tse
    19. Re:Anthem is normal here by Anonymous Coward · · Score: 0

      I understand and agree with the above. The way to get around that is to shoulder surf: perform a scan using CIS/NIST/DISA benchmarks and work with the SCA team(s). Show me the hash of the benchmark you use and then run the scan while I'm present, and I'm good for the most part. If that is not being allowed then they should be dealt with.

  9. Mmm hmmm by Rick+Zeman · · Score: 1

    Anthem is citing "company policy" that prohibits third party access to its network

    I guess the hackers didn't read--or failed to abide by--that policy. Kind of like "gun-free zone" which only deters the law-abiding.

    1. Re:Mmm hmmm by Anonymous Coward · · Score: 0

      Why does the federal auditor even need permission?

    2. Re:Mmm hmmm by LifesABeach · · Score: 1

      Who dares, wins.

    3. Re:Mmm hmmm by Anonymous Coward · · Score: 0

      I'd personally prefer the government to follow the laws everyone else has to abide by. They fail to do that enough as it is, I'd rather not give more allowances for them to not.

    4. Re:Mmm hmmm by ckatko · · Score: 1

      The government never follows the law when it involves protecting people's civil liberties. Why the fuck should it follow the law when it audits itself or its contractors? Are contractors unable to pass secrets to foreign governments?

    5. Re:Mmm hmmm by Anonymous Coward · · Score: 0

      Ah here we go. The shill twists around a private company fuck-up into somehow being the government's fault.

      By the way, since you didn't even read the fucking summary, we aren't talking about a contractor.

  10. There's a diff between "Blocking" and "Refusing" by jddj · · Score: 3, Interesting

    If they can actually block the scans, that'd be... well...more secure than their track record indicates.

  11. Anthem is a publicly traded company by hamjudo · · Score: 5, Interesting
    Anthem is traded on the NYSE under the symbol WLP.

    They should be required to file an 8-K form to legally inform all of their stockholders that they have material news that may adversely affect their future stock price, or even company viability.

    After having been informed of extreme security issues on our network, Anthem Inc has elected to ignore the situation. Furthermore, Anthem Inc's network is so embarrassing, that Anthem Inc has decided to risk significant fines and legal expenses, rather than allow adults to see just how bad it is.

    Translation, shareholder lawsuits may be addressed to Joseph R. Swedish, et al.

    1. Re:Anthem is a publicly traded company by turp182 · · Score: 2

      Seems like a clear cut Sarbanes-Oxley problem as well, an external audit would seem to be required given the intrusion they suffered.

      --
      BlameBillCosby.com
  12. Because They've Been Hacked by Anonymous Coward · · Score: 3, Informative

    Through no real choice of my own, WellPoint/Anthem was involved in some of my shit (they were behind the only decent plans my employer offered, though they weren't branded as WellPoint/Anthem anything). They leak data frequently.
    About once a year I get a notice saying my shit has been leaked and that they're providing "identity protection" bullshit as compensation. My current pointless "protection" plan is handled by some clowns called FraudStop.

  13. simple answer by ihtoit · · Score: 4, Insightful

    STOP THEM FROM OPERATING. Prohibit them from carrying out a single transaction until they comply with Federal requirements. Fuck them, if they don't want to abide by the rules, we'll take their fucking marbles off them and kick them out of the playground.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    1. Re:simple answer by Anonymous Coward · · Score: 0

      Speaking as someone with BCBST insurance, that is not an acceptable option.
      Withholding medical care because of a management spat would be negligent and career suicide for anyone trying it.

      It says something pretty dark and callous about the crowd here that your idea has been modded up to the maximum possible score. There are other ways to pressure the company without maximizing the collateral damage, like just freezing all forms of executive compensation.

    2. Re:simple answer by ihtoit · · Score: 1

      if you have a problem with your insurance underwriter being shut down by the Fed for misbehaving, that's something you have to take up with THEM, not ME. That's what corporate liability is for.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    3. Re:simple answer by Anonymous Coward · · Score: 0

      > that's something you have to take up with THEM, not ME.

      It is your idea. There is no such policy on the books.
      Like I said, dark and callous. Are you on the spectrum or something?

    4. Re:simple answer by bill_mcgonigle · · Score: 1

      Prohibit them from carrying out a single transaction until they comply with Federal requirements.

      You'd be less incensed if you read the summary. And you'd have fewer upmods if the moderators did too. Sheesh.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:simple answer by ihtoit · · Score: 1

      yes. Are you that fucking stupid you'll sue anyone who happens to be around when they have fuck all to do with your problem?

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    6. Re:simple answer by Anonymous Coward · · Score: 0

      Withholding medical care

      I'm constantly explaining this to people. Medical care != medical insurance. Medical insurance is about payment; the transaction takes place long after the service is provided.

    7. Re:simple answer by Anonymous Coward · · Score: 0

      The other AC didn't say anything about suing you. You are, however, advocating for a bunch of people getting screwed over. That is something the AC has every right to take up with you, and if your proposed solution to the problem will create more problems for those involved (you know, the victims of the whole situation...) then you don't get to claim you have "fuck all" to do with it.

  14. Nice policy you've got there. Would be a shame if by jtownatpunk.net · · Score: 2

    According to this article, Anthem is citing "company policy" that prohibits third party access to its network...

    Sounds like y'all'd better beef up your security because, if they manage to access your network, you've violated company policy by allowing it to happen.
    The government isn't bound by your company policy.

  15. On the other hand ... by sk999 · · Score: 2

    The place I work is required to allow itself to be scanned, both from outside and inside the network perimeter. However, whenever the auditors show up to do their inside scanning, we have to disable a number of security systems so they can "do their job". Kinda defeats the whole purpose, but whatever makes the auditors happy.

    1. Re:On the other hand ... by SJ · · Score: 2

      Not really...

      Just because your firewall drops a port-scan (simple terms here) doesn't mean that someone won't get lucky and guess an open port and exploit it.

      The Auditors want to know if you're patching your systems.

      No point leaving the combination to the safe on a sticky note next to it, and then saying "it's ok. I always lock my front door".

    2. Re:On the other hand ... by Anonymous Coward · · Score: 0

      My kingdom for a mod point good sir.

  16. March is colon cancer awareness month by Anonymous Coward · · Score: 1

    From the hero graphic on Anthem's site:

    March is colon cancer awareness month
    Find out how screening save lives.

    The irony wasn't lost on me...

    1. Re:March is colon cancer awareness month by ihtoit · · Score: 1

      heh, yeah. I'll undergo a colonoscopic exam AFTER Anthem do.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  17. only 2 years security audit??? by Anonymous Coward · · Score: 0

    I happen to be one of the millions of customers whose credentials (SSN, birthday, etc.) may have been stolen in this Anthem security failure. Ditto for my family members.

    I also happen to have been possibly compromised in the Target and Home Depot leaks.

    Target and Home Depot offered one year of security monitoring. Anthem offered two years.

    For the former two companies, presumably the violator got only my credit card information. That's a bother, but manageable, and the card issuer would likely eat any lossage. (Yet customers eventually fund their losses, and they are simply too lethargic to do things right.) But Anthem seems different. While their offer for two years of monitoring seems generous at first, I fully expect two years from now to have the same SSN and birthday that I have now. Unfortunately, in the financial security practices currently in practice in the USA, these two items and a little more publicly-obtainable personal info is all it takes to establish a new credit account. After two years I will still be vulnerable to criminals who have a little patience.

    To the extent that financial monitoring is effective, and until US financial purveyors adopt saner practices, why shouldn't Anthem offer me free monitoring for lifetime plus one year, after which a SSN becomes public and essentially worthless to criminals?

  18. Or intercept traffic and see the port scan by Anonymous Coward · · Score: 0

    Post Snowden, they just look at the logs and see what the port knocking sequence is.

  19. Shutdown -hell yes now by blang · · Score: 1

    Health care companies cannot operate without a license.

    Just remove their license, or forever remain a toothless laughing stock.

    --
    -- Another senseless waste of fine bytes.
    1. Re:Shutdown -hell yes now by ihtoit · · Score: 1

      This.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  20. Re:The industry needs LESS regulation by Anonymous Coward · · Score: 1

    No, no no! The Free Market will solve this problem. The Market Solves ALL problems! We should just de-regulate everything because regulation is EVIL!

    That way, Anthem will no longer have to waste money on compliance so they can spend it on productive things like buying up all the competition.

  21. I say Bullpoop ! by Anonymous Coward · · Score: 0

    Anyone getting (massive piles of) money from the Feds has already signed enough of their rights away.

    If they expect to keep doing business, they will permit a reasonable inspection of the network.

    It's not like the government is stealing the data, is it?

    My guess is they use lots of Microsoft Windows servers unpatched with default/global passwords, Unix servers with lots of apps running as root & global file permissions, on a network without many firewalls. And the internet links are not well secured.

  22. Yeah, and...? by txmason · · Score: 1

    Scan them anyway? What, are they going to use harsh language?

  23. More than meets the eye by Loki_1929 · · Score: 1

    The typical compromise (see what I did there?) when a customer or Federal Government auditor wants to run scans of any sort on your private network is to agree on tools (to be provided by the auditing group if you don't already have them) running an agreed configuration/profile/whatever against an agreed limited scope target list (typically a VLAN or set of VLANs unless that entire network is devoted to just that one customer, which is sometimes the case, though less so these days with public/private/hybrid clouds being all the rage). When it comes to web application and database testing, you'll typically agree on a non-production target list that's a mirror of the production system (with appropriate verification of the two being a mirror outside the automated testing) so as to avoid impacting the production systems. When it comes time to run the tests, over-the-admins'-shoulder monitoring ensures the proper tools with the proper configurations hitting the proper targets is being done and that the output is being handed over unaltered.

    Seen this done in plenty of places and 99% of the time, the auditing group is fine with it because at the end of the day, it's getting them exactly what they want; just in a slightly more red-tape riddled way. Meanwhile, the group being audited has the assurance that nothing is running wild all over their network unsupervised. If you don't have anything to hide, you're typically fine with this approach. If you aren't fine with this approach, something else is going on behind the scenes and most of the time that'll be something you're trying to hide.

    --
    -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
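    A script-level version of the arrangement Loki_1929 describes (agreed tool and profile, a fixed target scope, the auditor watching it run, and the output handed over unaltered), which also covers the "show me the hash of the benchmark you use" check from the Anonymous Coward reply in thread 18 above. This is an added example, not code from the original thread, from Anthem, or from OPM's audit program. The tool path, the nmap profile flags, the rate cap and the scope CIDRs are assumptions for illustration.

```python
import hashlib
import ipaddress
import shlex

# Constructed audit agreement: which tool/profile may run, and against what scope.
# Every value here is a placeholder for this example, not a real engagement.
AGREEMENT = {
    "tool": "/usr/bin/nmap",                                # assumed agreed tool
    "profile": ["-sV", "--script", "vuln", "-oX", "-"],     # assumed agreed nmap profile
    "scope": ["10.20.30.0/24", "10.20.31.0/24"],             # assumed agreed VLANs
    "max_rate": 200,                                         # assumed packet rate cap
}


def sha256_hex(data: bytes) -> str:
    """One digest function serves both the benchmark/profile check and output sealing."""
    return hashlib.sha256(data).hexdigest()


def profile_matches(profile_bytes: bytes, expected_sha256: str) -> bool:
    """'Show me the hash of the benchmark you use': compare before anything is run."""
    return sha256_hex(profile_bytes) == expected_sha256


def out_of_scope(targets, scope_cidrs):
    """Return every target that is not contained in one of the agreed networks.

    Hostnames are refused outright: resolve them and agree on the address first,
    otherwise a DNS change could silently widen the scope.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in scope_cidrs]
    bad = []
    for t in targets:
        try:
            tgt = ipaddress.ip_network(t, strict=False)   # single IP becomes a /32
        except ValueError:
            bad.append(t)
            continue
        if not any(tgt.version == n.version and tgt.subnet_of(n) for n in nets):
            bad.append(t)
    return bad


def build_scan_argv(targets, agreement=AGREEMENT):
    """Assemble the exact command the auditor may run, or refuse if scope is violated."""
    bad = out_of_scope(targets, agreement["scope"])
    if bad:
        raise ValueError(f"targets outside agreed scope: {bad}")
    argv = [agreement["tool"], "--max-rate", str(agreement["max_rate"])]
    argv += agreement["profile"]
    argv += list(targets)
    return argv


def seal_output(report: bytes, argv) -> dict:
    """Record what ran and the digest of what came out, so the handed-over copy can be checked."""
    return {
        "command": shlex.join(argv),
        "report_sha256": sha256_hex(report),
        "report_bytes": len(report),
    }


if __name__ == "__main__":
    cmd = build_scan_argv(["10.20.30.5", "10.20.31.0/24"])
    print(shlex.join(cmd))
    print(seal_output(b"<nmaprun/>", cmd))
```

    The point of `seal_output` is that both sides record the same digest at the moment the scan finishes; if the report later "loses" a finding on its way to the audit file, the hash no longer matches.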
  24. Somebody please... by WeeBit · · Score: 1

    List the rules that these companies have to abide by because I can't find them.

  25. Their security must suck by rossz · · Score: 1

    Earlier this week I put in a request for pen-testing a new server I had completed. I think it's secure, but that isn't my area of expertise, so I have the experts kick the shit out of my server to see if anything falls over.

    --
    -- Will program for bandwidth
  26. Enough scans for everyone! by Threni · · Score: 2

    Believe me, they'll be getting vulnerability scans whether they want them or not! (They just won't get the results in their chosen format!)

    On the internet, everyone gets a free pentest!

  27. Two scenarios. by 140Mandak262Jamuna · · Score: 3, Insightful
    Scenario 1:

    Dear Investigator,

    We understand you suspect our CEO was doing insider trading and want access to our server logs to find evidence of guilt or innocence. While we appreciate your conscientiousness, we regret, we do not allow third party access to our servers. We thank you for your understanding. Hoping this would buy us enough time to sanitize our server logs, Yours, Gofly Akite, for Dewy Chetham and Howe.

    SEC investigator: eh? well, OK, Guess I tried, so I have covered my ass

    Scenario 2:

    "Hey Police officer, you want to search my car for pot? I know you are just doing your job, but sorry buddy, my policy is not to allow any third parties into my car. Hope you understand"

    Police Officer: "Keep your hands visible, and slowly exit your vehicle, turn around put your hands on the hood and bend over..."

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  28. Idiotic Comments by Anonymous Coward · · Score: 0

    Let's review the situation. A customer, the U.S. Government, entered a contract with a private company (private property) that has specific terms. If the private company with private property did not include in its contract that vulnerability scans are permitted, then too bad customer. Go shop for services elsewhere. Punish them by taking your money (tax dollars) to a vendor who does what you want.

    Forget the regulation BS and audits. That will only lead to government control of everything. The most effective and efficient way to get good services is let the money do the talking. But no. We have politics here. I am sure that someone greased the hands of politicians campaign funds to be sure to get that government contract.

    1. Re:Idiotic Comments by ihtoit · · Score: 1

      uh, no. When a Government agency puts a contract out to tender, THEY SET THE TERMS. This INCLUDES random penetration testing and periodic data security/integrity auditing. A contractor who does not agree with any terms of contract may NOT change said term, may NOT negotiate on said term, may NOT make a conditional bid.

      (citation: I have completed Government contracts. Can't say any more under 1911 c.28 section 2).

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  29. I've played this game before... by Anonymous Coward · · Score: 0

    Security auditing company comes in and tells management to "drop their pants" on all of the standing network security. Management makes ops and engineering "drop their pants" so that auditor can "get an accurate picture of internal operations." Auditor then dings ops and engineering for everything they dropped their pants on. Don't play the game. Make them work for it the same way a black hat would have to.

  30. Multiple types of scans by phorm · · Score: 1

    There are a variety of different scans.
    There's simple stuff like "is this port open when it shouldn't be", or "can I get to this host which should be firewalled".
    Then there's "when I connect to Apache on host X, is it running a version with known vulnerabilities? Are they patched?"

    Finally there's
    "Is host X running exploitable Y which is currently protected by Z, but could be exploited if A, B, or C happened?"

    For the last one, it's still important to identify vulnerable software even if it's not accessible because of a firewall, etc. Why? Because things change. Maybe somebody opens a port by accident, and suddenly that vulnerable box isn't behind a firewall anymore. Maybe it was intentionally opened because a new service needed to be able to hit the box, but nobody knew about the pre-existing security hole.

    Keep in mind that these scans generally aren't 24/7, so you fix whatever you can find when you run them. In good practice, they should also be run on any boxes that are *going* to be provisioned to production, but aren't yet. That means you need special access through the firewall etc. so that you can scan stuff before it goes live.
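    The three classes of finding phorm lists (reachable and unpatched, unpatched but currently shielded, reachable but patched), worked through on a constructed inventory. This is an added example, not code from the original thread or from any scanner; the hosts, product names, version numbers, the "advisory" table and the firewall allow-list are all hypothetical placeholders, not real software or real vulnerabilities. The second function shows the "things change" point: the same shielded-vulnerable service becomes exposed-vulnerable the moment a firewall rule is added for it, without anything on the host changing.

```python
from dataclasses import dataclass

# Constructed inventory: host -> product -> (installed version, listening port).
# Hypothetical names and versions for this example only.
INVENTORY = {
    "web01": {"examplehttpd": ("2.4.1", 443), "examplessh": ("9.0", 22)},
    "app02": {"examplehttpd": ("2.3.9", 8080), "exampledb": ("12.2", 5432)},
}

# Constructed firewall policy: (host, port) pairs reachable from where the scanner sits.
FIREWALL_ALLOW = {("web01", 443), ("web01", 22)}

# Constructed "advisories": (product, first fixed version). Older is treated as
# vulnerable. Hypothetical placeholders, not real CVEs.
ADVISORIES = [
    ("examplehttpd", "2.4.0"),
    ("exampledb", "12.3"),
]


def parse_version(v: str) -> tuple:
    """Dotted numeric version to a comparable tuple, e.g. '2.4.1' -> (2, 4, 1)."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(product: str, version: str) -> bool:
    """True if any advisory covers this product and the installed version predates the fix."""
    return any(
        prod == product and parse_version(version) < parse_version(fixed)
        for prod, fixed in ADVISORIES
    )


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    port: int
    reachable: bool      # can the scanner (or an attacker in its position) reach the port?
    vulnerable: bool     # does the installed version predate the fix?

    @property
    def category(self) -> str:
        if self.vulnerable and self.reachable:
            return "exposed-vulnerable"      # fix now
        if self.vulnerable:
            return "shielded-vulnerable"     # fix anyway: the shield is one rule change away
        if self.reachable:
            return "exposed-ok"
        return "shielded-ok"


def assess(inventory=INVENTORY, allow=FIREWALL_ALLOW):
    """Combine what is installed (inside view) with what is reachable (outside view)."""
    findings = []
    for host, services in inventory.items():
        for product, (version, port) in services.items():
            findings.append(Finding(
                host, product, version, port,
                reachable=(host, port) in allow,
                vulnerable=is_vulnerable(product, version),
            ))
    return findings


def categories(findings) -> dict:
    """Index findings by (host, product) for easy comparison between two runs."""
    return {(f.host, f.product): f.category for f in findings}


def after_rule_change(extra_allow):
    """Re-run the assessment as if these (host, port) pairs had just been opened."""
    return categories(assess(allow=FIREWALL_ALLOW | set(extra_allow)))


if __name__ == "__main__":
    before = categories(assess())
    after = after_rule_change([("app02", 8080)])
    for key in sorted(before):
        print(key, before[key], "->", after[key])
```

    An external-only scan would have reported app02 as clean, because nothing on it is reachable; only the inside view records that its `examplehttpd` is behind the fix, which is exactly the finding that matters once port 8080 is opened.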

  31. Their mistake - by choke · · Score: 1

    ...was in not publishing those policies to the hackers that got in earlier. If only they had known that there was a company policy against it, it could have saved everyone a lot of extra work.

    All things considered though, this arrogance seems in line with a place who doesn't know their own vulnerabilities. I'd wager this isn't the first time they have been compromised and this is just defensive turtling to try to hide facts.

    --
    "No good deed goes unpunished"