Hackers Broke into Change Healthcare's Systems 9 Days Before Cyberattack (wsj.com)
73 points by ethbr1 on April 23, 2024 | hide | past | favorite | 27 comments


Change Healthcare is the worst company I've worked for when dealing with IT and security. Lots of security theater getting in the way of the developer's machine because IT is scared of what can happen in dev and staging, whereas competent companies firewall development environments properly so it shouldn't be an issue getting root on your machine. IT monitors every single application that gets installed and scrutinizes you when it's obviously needed to do software work. Just a major pain in the ass. Inability to get root access to the machine. Overly dependent on username/password pairs to communicate between back-ends. Barely any integration testing. Mandatory drug tests.

Can't say I'm surprised that despite all this security theater, Change Healthcare still fails in many spectacular ways.


It seems like healthcare has a few tough security issues. IMHO one of the largest is that staff require immediate and transparent access and will go out of their way to subvert your effort if it restricts them, and they're correct to do so.

From a finTech perspective, the nüMedical people I've dealt with act like they won't be held liable for their lack of planning. I see funding in general at levels that require noncompliance with all kinds of regulations, and it would be easy to demonstrate the disconnect between demands given and resources provided in almost every domain by just walking through each step of a process.


I think a lot of organizations think that security is about going through the motions, or something that you can bolt on after the fact, but it's really a state of mind that needs to exist from the beginning.


UHG/Optum is just as bad...the M&A due diligence has never been decent, more of a checkmark than anything. There is a bad legacy of hiring unqualified people who are not even US citizens. The M&A should have caught the obvious control gaps, it didn't because it's a political mess with nothing but a bunch of people needing CISO or VP titles. With all the CISOs, VPs and Distinguished Engineers, any one of them or their teams should pull together a decent risk assessment for M&As.


Note that the systems that they used to measure incidents relied on a centralized point of data acquisition.

The reason those incidents aren't found is simple: too much data and too many alerts to handle, given that CSIRT teams are fewer than 10 people even for a company the size of Siemens, which manages all kinds of critical infrastructure (including nuclear power plants, which I'd say is far more than critical if anyone from the White House reads this).

All those Elasticsearch-based dashboards simply don't cut it, and most malware lies low for a while because they assume that nobody has petabytes of storage available due to absurd pricing for those. That's why there's literally a timeout for a couple of days until the persistence and lateral movement step is done, and signs of breaches are gone because the database has to be wiped.

Also, this is the reason why bigger threat actors like APT28 and APT29 make use of social shitstorms (/pol/, kiwifarms, 4chan, anonymous groups on telegram etc) to hide their tracks. They simply flood the logs of the target's system until there's no storage capacity left to hide the actual breach of the actually targeted system.

That's why I started to push EDR into the decentralization age of networking, signing, isolation and proactive communication between peers with my startup. That's the only way to scale those kinds of incident logs effectively and the only way to effectively deal with assumptions of compromise to find out which accounts have what kind of access across the network.
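The flooding failure mode this comment describes (one noisy source filling a bounded log store until the evidence of the real breach has been evicted), shown as an added example that is not from the thread or from any product: a tiny bounded event store with plain FIFO eviction beside one that gives each source a quota, sheds the loudest source first when full, and raises an alarm when a single source dominates ingestion. The source names, event kinds and the small capacity are all constructed for the demonstration.

```python
from collections import Counter, deque

CAPACITY = 20           # constructed: a tiny store so the eviction effect is visible
PER_SOURCE_SHARE = 0.5  # no single source may occupy more than half the store
FLOOD_RUN = 10          # this many consecutive events from one source trips the alarm


class NaiveStore:
    """Plain FIFO retention: when full, the oldest event goes, whatever it was."""

    def __init__(self, capacity=CAPACITY):
        self.events = deque(maxlen=capacity)

    def ingest(self, event):
        self.events.append(event)

    def retained(self, source):
        return [e for e in self.events if e["source"] == source]


class QuotaStore:
    """Same capacity, but eviction targets the heaviest source and a flood alarm fires."""

    def __init__(self, capacity=CAPACITY, share=PER_SOURCE_SHARE):
        self.capacity = capacity
        self.max_per_source = max(1, int(capacity * share))
        self.events = []
        self.alarms = []
        self._run = deque(maxlen=FLOOD_RUN)

    def _evict_oldest_from(self, source):
        idx = next(i for i, e in enumerate(self.events) if e["source"] == source)
        del self.events[idx]

    def ingest(self, event):
        src = event["source"]
        self._run.append(src)
        # Flood alarm: the last FLOOD_RUN events all came from one source.
        if len(self._run) == FLOOD_RUN and len(set(self._run)) == 1 and src not in self.alarms:
            self.alarms.append(src)
        counts = Counter(e["source"] for e in self.events)
        if counts[src] >= self.max_per_source:
            self._evict_oldest_from(src)        # over quota: the flooder pays for its own space
        elif len(self.events) >= self.capacity:
            heaviest = counts.most_common(1)[0][0]
            self._evict_oldest_from(heaviest)   # full: shed the loudest source, not the oldest event
        self.events.append(event)

    def retained(self, source):
        return [e for e in self.events if e["source"] == source]


def constructed_stream():
    """Constructed sample: two security-relevant events, then a flood of noise."""
    yield {"source": "vpn-gw", "kind": "auth_failure", "user": "svc-backup"}
    yield {"source": "vpn-gw", "kind": "new_admin_created", "user": "svc-backup"}
    for i in range(200):
        yield {"source": "forum-proxy", "kind": "http_noise", "seq": i}


def run_comparison():
    """Feed the same stream to both stores and report what survives."""
    naive, quota = NaiveStore(), QuotaStore()
    for ev in constructed_stream():
        naive.ingest(ev)
        quota.ingest(ev)
    return {
        "naive_vpn_events": len(naive.retained("vpn-gw")),   # 0: evidence evicted
        "quota_vpn_events": len(quota.retained("vpn-gw")),   # 2: evidence kept
        "alarms": quota.alarms,                              # ["forum-proxy"]
        "quota_size": len(quota.events),                     # 12: flooder capped at 10
    }


if __name__ == "__main__":
    print(run_comparison())
```

The point of the comparison is that storage capacity alone is not the defence: a per-source quota means the noisy source can only ever evict its own events, and the consecutive-run alarm turns the flood itself into a detection rather than a cover.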


>The reason those incidents aren't found is simple: too much data and too much alerts to handle, given that CSIRT teams are less than 10 people even for a company the size of Siemens

Hey, wanna guess where they're trying to push AI driven "insights" right now? That's right, all of cybersecurity roles.

Rather than add headcount to teams, or spin up new teams to section off pieces of a business that might need more customized attention, AI is now being shoved down the throat of security engineers and SIRT teams to handle the massive amount of data involved and to present a human with some little nugget of information to act on, all the while sweeping away the rest as irrelevant.

Useful as a tool? Sure. Able to reduce workload on existing teams? Absolutely. Able to replace the need for more human eyes looking at the problem space and figuring out ways to filter the data for meaningful events? Eh, maybe but I'm not going to hold my breath on it either.

It's the same story with AI across every industry right now.


Most people in charge don't have a technological background, so all the AI intelligent whatever-BS systems will fail eventually due to lack of meaningfully labelled data or lack of supervision.

As long as deep learning concepts are used across the board which lose symbolic inference, this approach won't work. But who am I to tell them, we're still using AlphaGo agents in an ES/HyperNEAT simulation for pentesting and nobody believes us when we tell people this is the only way to make this work in that problem space.

We are just too uncool for the LLM hypetrain, I guess.


One compromised account that had been granted wide-reaching authority was then used to control one third of health care applications in this country?

This sounds like an economic collapse similar to an ecological collapse due to a single genetic monoculture.


> We know this attack has caused concern and been disruptive for consumers and providers, and we are committed to doing everything possible to help and provide support to anyone who may need it.

Translation: One year of free credit monitoring.


I wish the "free year" stuff was cumulative. I'm still in the 10 year free period as a result of the OPM breach. During that time, I've received several additional free years from the other various data breaches I've been the victim of, but they're useless because I'm already covered.


The entire US cleared workforce from 2014 waves and goes "hi!"


This hack has been a massive clusterfuck and is responsible for most of my team being canned due to the provider we worked for not having 3/5 of their revenue since February.

What a disaster.


UnitedHealthcare's stock is up 7 points as of Friday, so the free market has delivered its verdict. Soon companies will hire the hackers for the benefit of the shareholders.


I thought UnitedHealth made payments to providers to avoid this issue? For example this article I found (https://news.yahoo.com/medical-providers-still-grappling-uni...) says the following:

> “I don’t think we’ve had a single provider that hasn’t been helped that’s contacted us.” As part of that help, Mason said, UnitedHealth has sent providers $7 billion so far.

Is that misleading? Or am I not understanding something about how all this works?


Not enough to maintain the entire workforce. Basically they have enough to operate a ghost ship. They're doing their best to retain their doctors while letting off auxiliary forces such as IT. My friend is the last one there and just keeping it afloat the best he can.

I should mention that I don't hold it against them.


Ugh that is terrible. Unfortunately given that United is basically a monopoly I doubt they’ll face any consequences. Meanwhile it’s yet another hit for smaller business and another hit for consumers whose privacy has been violated.


This isn't a privacy hit, it's probably the worst outflow of all time considering its sensitivity. If this isn't UnitedHealth's reckoning then I think the US is permanently screwed because it just doesn't know how to work properly anymore.


A secure system should not allow any single credential access to the entire system.

A secure system should be designed with the assumption of compromise.

No single person should have access to the whole system. No single entry point should have access to everything.

And so on.


Someone has to build the lock that requires two people to open. Then, because the company doesn't have the culture to hire three trustworthy people, and because nobody is in a position to enforce quality at any level, the lock gets outsourced and disassembled.

Ran into this problem at one company. Boss wanted a secure system. Nobody knew about security but me. Couldn't lock myself out of a system that I had to hold the keys to.
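The principles in the two comments above (no single credential reaches the whole system, design for a credential that is already stolen, and a lock that needs two people), as an added example that is not from the thread or from any of the companies discussed: a small policy engine in which every credential is bound to exactly one service, wildcard grants are refused at issuance, high-blast-radius actions require a recorded approval from someone other than the requester, and an audit function flags any owner whose credentials together span every service. Service names, action names and owners are constructed.

```python
from dataclasses import dataclass, field

SERVICES = frozenset({"claims", "billing", "pharmacy", "identity"})  # constructed subsystems

# Actions whose blast radius is the whole system; these need a second person.
DUAL_CONTROL_ACTIONS = frozenset({"export_all", "grant_admin", "rotate_root_key"})


class PolicyError(Exception):
    """Raised when a credential would violate the issuance policy."""


@dataclass(frozen=True)
class Credential:
    owner: str           # the human or workload this credential identifies
    service: str         # the ONE subsystem it is valid in
    actions: frozenset   # the actions it may perform there


@dataclass
class Approval:
    """A recorded sign-off for one specific dual-control action on one service."""
    action: str
    service: str
    approvers: set = field(default_factory=set)


def issue_credential(owner, service, actions):
    """Mint a credential, refusing anything that could reach the whole system."""
    if service not in SERVICES:
        raise PolicyError(f"unknown or wildcard service {service!r}")
    if "*" in actions or not actions:
        raise PolicyError("wildcard or empty action sets are not issued")
    return Credential(owner, service, frozenset(actions))


def authorize(cred, service, action, approval=None):
    """Decide one request, assuming the credential may already be in the wrong hands."""
    if cred.service != service:
        return False                       # a stolen credential stays inside its service
    if action not in cred.actions:
        return False
    if action in DUAL_CONTROL_ACTIONS:
        if approval is None or (approval.action, approval.service) != (action, service):
            return False                   # approval must name this exact action and service
        # Two-person rule: at least one approver who is not the requester.
        return bool(approval.approvers - {cred.owner})
    return True


def owners_with_full_reach(credentials):
    """Audit: owners whose credentials, taken together, span every service."""
    reach = {}
    for c in credentials:
        reach.setdefault(c.owner, set()).add(c.service)
    return sorted(owner for owner, seen in reach.items() if seen == SERVICES)


if __name__ == "__main__":
    ops = issue_credential("alice", "claims", {"read", "export_all"})
    print(authorize(ops, "billing", "read"))                # False: wrong service
    print(authorize(ops, "claims", "export_all"))           # False: needs a second person
    print(authorize(ops, "claims", "export_all",
                    Approval("export_all", "claims", {"bob"})))  # True
```

The audit function is the piece most often missing in practice: the per-request check keeps any one credential small, but only a periodic sweep over every issued credential shows whether some single person has quietly accumulated the whole system anyway.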


Well said...a secure system is treated as an information system where all subsystems should have minimally at least three complementary controls. It just isn't that hard.

A secure system facing the internet should have the default ports changed...then should someone with a zero day and the exploit posted on Git...casual scanning for the known port will fail.


Try explaining that to an SMB CFO, I swear if you have met one you have met them all.

The MBA-ification of the world seems to have created an archetypical believer among its other many evils.


It's the same principle that spy agencies rely on. A spy agency cannot survive one compromised spy rolling up the entire spy network.

One could reasonably posit that Germany lost WW2 because they used Enigma for important stuff, and when Enigma was compromised, their operations were compromised through the end of the war. For example, Enigma was the cause of Rommel's defeat in Afrika.


> UnitedHealth likely paid around $22 million in bitcoin to the attackers

$22-million???!!!

I'm guessing they'll recoup through some sort of insurance for this type of thing. But honestly, what insurer would pay out for that? It's like they didn't even try to secure their systems.


I’m fairly sure it was confirmed they don’t have any standalone cyber cover so probably no insurance will be picking up the tab.

I work for a cyber insurer (who are trying to reduce the risk of compromise, alongside transferring some of the risk via insurance) - providing they’ve not been misleading in their application, we take the risk as we find it and can’t just not pay because of poor cyber controls.


There are agency and executive order level rules forbidding insurance from covering/paying out for those types of losses.

Though given the size of involved parties just about anything can be waived (especially with legal threat of an agency losing power over a court striking it down).


How is it not illegal to pay the ransom? Knowingly giving money to organised criminals for something that shouldn’t happen in the first place?


Now there's a WSJ Pro that I have to pay even more money for a subscription to?
