5 Revelations From OPM Data Breach Report
The Office of Personnel Management knew that data—including information about its network and systems—had been taken in the initial breach, but downplayed the severity of the breach, since it did not include PII. That was a mistake, said Nok Nok Labs' Dunkelberger. Companies have to know the importance of the information residing on their systems. "You have to look at the data in your environment and figure out what is valuable and what is at risk," Dunkelberger said. "Otherwise, there is no way to know what to defend." 3. At the very least, use two-factor authentication. A key finding of the report was that the OPM did not have two-factor authentication in place before 2015, well after attackers had widely infiltrated its networks and that of at least one third party."If you go look at the data on what causes data breaches, they are caused by people using easy-to-spoof credentials and easy-to-access credentials," he said. 4. Third parties continue to pose risks. The attackers—thought to be from two groups linked to the Chinese government—used credentials from a third party, Keypoint Government Solutions, to gain access to OPM systems. Companies should look to their own third-party partners—such as legal counsel, marketing firms and IT providers—and vet or attest to their security. "Third parties are increasingly the weak point through which these attackers are gaining access," Tom Kellermann, CEO of Strategic Cyber Ventures, told eWEEK. 5. Make sure to look inward. Finally, companies are often too concerned with their perimeters, Kellermann said. The danger with nation-state actors is that they will always find a way in, so organizations need to spot them as they attempt to expand their access and move around the network, he said. "All of your investments in cyber-security are usually outward facing," Kellermann said. "You need much more focus on internal operations and anomalies, such as doing penetration tests from the inside out." Kellermann also recommends user behavior analytics to spot odd anomalies and deceptive network practices to fool the attackers. In 2009, the first major nation-state attack against U.S. companies, known as Aurora, happened, resulting in information stolen from nearly three dozen firms. At that time, Nok Nok Labs' Dunkelberger believed that the nation would respond with better security and a hard line against hacking. So far that has not happened, he said. He hopes the OPM breach will change the momentum. "There is a lack of force of will to solving these things, and as long as that is true, we are not going to solve these issues," he said.
Two-factor authentication—where employees and other users are required to have a one-time passcode generator or, at least, an SMS passcode—is quickly being deployed because simple user names and passwords are no longer enough, especially with cloud services and remote access constituting such a fundamental part of business infrastructure, Dunkelberger said.