Anthem recently refused to allow the Office of Personnel Management’s Office of Inspector General (OIG) to perform an audit of its networks. Coming on the heels of a large breach, there’s been a bit of an uproar about it.
There are a few things to keep in mind, the first being that this isn’t driven by law enforcement–it’s a customer requesting an audit.
When I tell people at work that some companies allow their customers to scan and audit their networks, they look at me like I’m from another planet and ask why anyone would do such a thing. I suggested that if you have a very high degree of confidence in your network, you might offer that in order to get a competitive advantage.
In fact, it wouldn’t surprise me if one of Anthem’s competitors tried to get its game together quickly enough to play that card. Imagine a health insurer saying, “We’re confident enough that our network is more secure than Anthem’s that we’re willing to let you scan it and find out for yourself.” That may give them some leeway elsewhere in their sales pitch.
Explained that way, my colleagues understand.
So now I’ll speak up in Anthem’s defense.
This audit request came at the worst possible time. Anthem is still trying to figure out what happened, whether it’s all completely cleaned up, and what they need to do to keep it from happening again. Perhaps they’ve also started some of that work. Right now, the last thing they need is an OIG audit. It’s a distraction for them right now, and the last thing they need right now is a distraction.
Anthem is putting themselves on trial if they accept the request. Anything the OIG would happen to find would be amplified. Are there a few hundred workstations missing .NET patches? .NET sure likes to break a lot, so such a finding wouldn’t surprise me, but believe me, if the OIG found that, the headlines would scream from the mountaintops how bad Anthem is at applying Microsoft patches–never mind that .NET patches are notoriously difficult to get down properly–and how that probably had something to do with the breach. Every company makes decisions when it comes to threat and vulnerability management–sometimes it’s easier to mitigate than to patch–and in this context, Anthem would be setting itself up to have every one of those decisions second-guessed.
I would have declined the audit too. It’s entirely possible that some of Anthem’s customers will demand the same thing, and perhaps Anthem will lose some business next year if they continue to decline. But Anthem needs to get its house in order first. It’s entirely possible that they aren’t deploying everything right now because they have other work that takes higher priority. Recovery is going to take some time, and important work is worth taking the time required to do it right. Rush jobs can do more harm than good, especially in the security space.
So, while this is bad publicity, and OIG is certainly not cutting Anthem any slack, in this case I don’t blame Anthem.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.