In March 2014, the U.S. Computer Emergency Readiness Team notified the U.S. Office of Personnel Management that its systems had been breached. The attackers eventually made off with the personnel files of at least 4.2 million former and current federal employees, fingerprint data on 5.6 million individuals and files containing information on the background investigations of 21.5 million people.
In a 231-page report released on Sept. 7, the U.S. House of Representatives’ Committee on Oversight and Government Reform spelled out the series of missteps that resulted in the treasure trove of data stolen by digital spies working on behalf of another nation.
“OPM leadership failed to heed repeated recommendations from its Inspector General, failed to sufficiently respond to growing threats of sophisticated cyber attacks, and failed to prioritize resources for cybersecurity,” the Republican leadership of the House Committee on Oversight and Government Reform stated in a press release.
While acknowledging those missteps, many security experts took exception to the tone of the report and argued that the kind of inaction it condemns, which looks so obviously wrong in hindsight, is the norm at most companies and organizations today.
“It is easy to sit on the sidelines for those who don’t have to deal with the complexities of information security, like a congressional committee, and put out a partisan report with a lot of woulda-shoulda-coulda, and there is a lot of woulda-shoulda-coulda that could go around today with data breaches,” Phillip Dunkelberger, former CEO of PGP and current CEO of Nok Nok Labs, told eWEEK. “The big issue for any company or organization is the balance between usability and security, and we have to take a better look at where we put that.”
The OPM breach will continue to affect the United States for decades. The stolen information included fingerprints, personally identifiable information (PII) and the kind of sensitive background-investigation detail that could be used to socially engineer victims or blackmail federal applicants and employees.
“The intelligence and counterintelligence value of the stolen background information for a foreign nation cannot be overstated, nor will it ever be fully known,” the report stated.
Unless businesses make security a higher priority, they will likely face the same kind of long-lived, hard-to-quantify consequences.
Yet, rather than focus on blaming the OPM for the loss of data, companies should take to heart the obvious lessons from the multiple breaches suffered by the agency.
1. Doing the right thing is not easy.
The House report faults the OPM for only spending $7 million on cyber-security for each of the past three fiscal years, near the bottom of all federal agencies. Yet, the implication that requests for significantly more money would have resulted in the needed funds is a stretch, Paul Vixie, co-founder and CEO of Farsight Security, told eWEEK.
“If you are going to protect that kind of information from nation-state adversaries, you need to be spending an order of magnitude more,” he said. “And you are going to need a whole bunch of ex-military and ex-intelligence people who are part of the executive team and you are going to need to have a strong dose of security in your DNA.”
Companies and government agencies need to realize that security can get expensive quickly and so need to either decide to do the right thing or find some other way to reduce the risk, Vixie said.
“This report makes it sounds like these people could have fixed their problems if they said that they needed help, but I don’t think the federal government would have been willing to pay what would be needed to fix these folks,” he said.
2. Take stock of what data you have.
On May 27, 2014, the OPM technical staff kicked off the “Big Bang,” shutting down compromised systems to clean the attackers’ malware from its network. Attempts by the attackers to load keyloggers onto the systems of database administrators prompted the shutdown, according to the report.
The Office of Personnel Management knew that data—including documentation of its network and systems, the kind of material an intruder uses to map an environment—had been taken in the initial breach, but downplayed the severity of that breach because it did not include PII. That was a mistake, said Nok Nok Labs’ Dunkelberger. Companies have to know the importance of the information residing on their systems.
“You have to look at the data in your environment and figure out what is valuable and what is at risk,” Dunkelberger said. “Otherwise, there is no way to know what to defend.”
3. At the very least, use two-factor authentication.
A key finding of the report was that the OPM did not have two-factor authentication in place before 2015, well after attackers had widely infiltrated its networks and those of at least one third party.
Two-factor authentication—where employees and other users must present a second factor such as a hardware token, smart card or one-time-passcode generator, or, at a minimum, an SMS passcode—is quickly being deployed because simple user names and passwords are no longer enough, especially with cloud services and remote access constituting such a fundamental part of business infrastructure, Dunkelberger said. SMS is the weakest of those options: codes sent by text message can be intercepted or redirected, and NIST no longer recommends SMS as an authenticator, so it should be treated as a stopgap rather than a destination.
“If you go look at the data on what causes data breaches, they are caused by people using easy-to-spoof credentials and easy-to-access credentials,” he said.
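To make concrete what a one-time-passcode generator actually does, and what the server side must check, here is an added example (written for this article, not code from OPM, the House committee or any vendor quoted here). It implements HOTP (RFC 4226) and TOTP (RFC 6238) with Python’s standard library only, then wraps them in a hypothetical `TotpVerifier` class that tolerates a little clock drift but refuses to accept a code at or below the last counter it already honored, so a phished or shoulder-surfed code cannot be replayed. The only secret in the block is the published RFC test secret, used so the output can be checked against the RFC’s own vectors.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), used
# here only so the output can be checked against the published test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def key_from_base32(seed: str) -> bytes:
    """Decode the base32 seed format authenticator apps use (padding optional)."""
    seed = seed.strip().replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second periods elapsed."""
    return hotp(key, int(unix_time) // step, digits, algo)


class TotpVerifier:
    """Hypothetical server-side check. Accepts codes within +/- `window` time steps
    of the server clock, but never re-accepts a counter at or below the last one
    that succeeded, which blocks replay of a code the attacker captured."""

    def __init__(self, key: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.key, self.window, self.step, self.digits = key, window, step, digits
        self.last_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        now = int(unix_time) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # already used (or older than a used one): reject as replay
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082, per RFC 6238 Appendix B
    v = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)
    print(v.verify(code, 59), v.verify(code, 59))  # True False: second use is a replay
```

The replay guard is the part most home-grown implementations forget: a TOTP code is valid for the whole time step plus the drift window, so without remembering the last accepted counter an attacker who captures a code has roughly a minute to reuse it.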
4. Third parties continue to pose risks.
The attackers—thought to be two groups linked to the Chinese government—used credentials belonging to a third party, KeyPoint Government Solutions, to gain access to OPM systems. Companies should look to their own third-party partners—such as legal counsel, marketing firms and IT providers—vet their security or require them to attest to it, and limit what a partner’s credentials can reach so that one contractor’s compromise does not become their own.
“Third parties are increasingly the weak point through which these attackers are gaining access,” Tom Kellermann, CEO of Strategic Cyber Ventures, told eWEEK.
5. Make sure to look inward.
Finally, companies are often too concerned with their perimeters, Kellermann said. The danger with nation-state actors is that they will always find a way in, so organizations need to spot them as they attempt to expand their access and move around the network, he said.
“All of your investments in cyber-security are usually outward facing,” Kellermann said. “You need much more focus on internal operations and anomalies, such as doing penetration tests from the inside out.”
Kellermann also recommends user behavior analytics to spot anomalies, and network deception (decoy systems and credentials) to misdirect attackers.
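The report’s own trigger for the “Big Bang,” attackers trying to plant keyloggers on database administrators’ machines, is a good illustration of the inward-facing detection Kellermann describes. The following is an added example, not code from OPM or from anyone quoted in this article: a small Python detector over a hypothetical authentication log format, with constructed sample lines. It learns which source-to-destination paths each account normally uses during a known-clean period, then flags two things a perimeter tool would never see: a privileged account succeeding over a path it has never used, and one account fanning out to several hosts within a few minutes, the signature of lateral movement. The log format, field names and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample logs in a hypothetical format (not real OPM data). The
# detection-period lines mimic the pattern the report describes: a DBA account
# used from a host it never used before, then reaching several database
# servers within minutes.
BASELINE_LOGS = """
2014-05-12T09:02:11Z auth ok user=dba_lee src=10.1.4.22 dst=db01
2014-05-12T09:05:40Z auth ok user=dba_lee src=10.1.4.22 dst=db02
2014-05-13T10:15:03Z auth ok user=jsmith src=10.1.7.31 dst=fileshare
2014-05-13T14:40:19Z auth ok user=dba_lee src=10.1.4.22 dst=db01
"""

DETECTION_LOGS = """
2014-05-26T23:48:02Z auth ok user=jsmith src=10.1.7.31 dst=fileshare
2014-05-26T23:55:17Z auth fail user=dba_lee src=10.9.0.5 dst=db01
2014-05-26T23:56:40Z auth ok user=dba_lee src=10.9.0.5 dst=db01
2014-05-27T00:01:12Z auth ok user=dba_lee src=10.9.0.5 dst=db02
2014-05-27T00:03:55Z auth ok user=dba_lee src=10.9.0.5 dst=db03
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)
Alert = namedtuple("Alert", "kind user detail")


def parse(text):
    """Parse the hypothetical log format above; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def build_baseline(events):
    """Per-user set of (src, dst) pairs seen succeeding during a known-clean period."""
    seen = defaultdict(set)
    for e in events:
        if e["result"] == "ok":
            seen[e["user"]].add((e["src"], e["dst"]))
    return dict(seen)


def detect(baseline, events, privileged_prefix="dba_",
           fanout_threshold=3, window=timedelta(minutes=10)):
    """Return alerts for privileged logins over never-seen paths and for fan-out."""
    alerts = []
    ok = [e for e in events if e["result"] == "ok"]

    # 1. A privileged account succeeding over a src->dst path absent from its baseline.
    for e in ok:
        known = baseline.get(e["user"], set())
        if e["user"].startswith(privileged_prefix) and (e["src"], e["dst"]) not in known:
            alerts.append(Alert("new-path-privileged", e["user"], f"{e['src']}->{e['dst']}"))

    # 2. One account reaching >= fanout_threshold distinct hosts inside `window`.
    by_user = defaultdict(list)
    for e in ok:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(evs):
            dsts = {x["dst"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(dsts) >= fanout_threshold:
                alerts.append(Alert("lateral-fanout", user, ",".join(sorted(dsts))))
                break  # one fan-out alert per account is enough
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOGS))
    for alert in detect(baseline, parse(DETECTION_LOGS)):
        print(alert)
```

Run against the constructed data, the baseline period produces no alerts, while the detection period yields three new-path alerts for `dba_lee` and one fan-out alert listing db01, db02 and db03. In practice the baseline would be built from weeks of logs and the thresholds tuned per environment, but the shape is the point: the signal is in comparing internal behavior against what is normal for that account, not in anything the perimeter sees.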
The 2009 intrusions known as Operation Aurora, the first widely publicized nation-state attack on U.S. companies, resulted in information being stolen from nearly three dozen firms. At that time, Nok Nok Labs’ Dunkelberger believed that the nation would respond with better security and a hard line against hacking.
So far that has not happened, he said. He hopes the OPM breach will change the momentum.
“There is a lack of force of will to solving these things, and as long as that is true, we are not going to solve these issues,” he said.