
    5 Revelations From OPM Data Breach Report

    Written by

    Robert Lemos
    Published September 16, 2016

      In March 2014, the U.S. Computer Emergency Readiness Team notified the U.S. Office of Personnel Management that its systems had been breached. The attackers eventually made off with the personnel files of at least 4.2 million former and current federal employees, fingerprint data on 5.6 million individuals and files containing information on the background investigations of 21.5 million people.

      In a 231-page report released on Sept. 7, the U.S. House of Representatives’ Committee on Oversight and Government Reform spelled out the series of missteps that resulted in the treasure trove of data stolen by digital spies working on behalf of another nation.

      “OPM leadership failed to heed repeated recommendations from its Inspector General, failed to sufficiently respond to growing threats of sophisticated cyber attacks, and failed to prioritize resources for cybersecurity,” the Republican leadership of the House Committee on Oversight and Government Reform stated in a press release.

      While acknowledging those missteps, many security experts took exception to the tone of the report and instead argued that the lack of action, which in hindsight seems so obvious, is a current fixture at most companies and organizations.

      “It is easy to sit on the sidelines for those who don’t have to deal with the complexities of information security, like a congressional committee, and put out a partisan report with a lot of woulda-shoulda-coulda, and there is a lot of woulda-shoulda-coulda that could go around today with data breaches,” Phillip Dunkelberger, former CEO of PGP and current CEO of Nok Nok Labs, told eWEEK. “The big issue for any company or organization is the balance between usability and security, and we have to take a better look at where we put that.”

      The OPM breach will continue to affect the United States for decades. The information stolen included fingerprints, personally identifiable information (PII) and sensitive information that could be used to socially engineer victims or blackmail federal applicants.

      “The intelligence and counterintelligence value of the stolen background information for a foreign nation cannot be overstated, nor will it ever be fully known,” the report stated.

      Unless businesses can make security a higher priority, they will likely suffer the same uncertainties.

      Yet, rather than focus on blaming the OPM for the loss of data, companies should take to heart the obvious lessons from the multiple breaches suffered by the agency.

      1. Doing the right thing is not easy.

      The House report faults the OPM for only spending $7 million on cyber-security for each of the past three fiscal years, near the bottom of all federal agencies. Yet, the implication that requests for significantly more money would have resulted in the needed funds is a stretch, Paul Vixie, co-founder and CEO of Farsight Security, told eWEEK.

      “If you are going to protect that kind of information from nation-state adversaries, you need to be spending an order of magnitude more,” he said. “And you are going to need a whole bunch of ex-military and ex-intelligence people who are part of the executive team and you are going to need to have a strong dose of security in your DNA.”

      Companies and government agencies need to realize that security can get expensive quickly, so they must either decide to do the right thing or find some other way to reduce the risk, Vixie said.

      “This report makes it sound like these people could have fixed their problems if they said that they needed help, but I don’t think the federal government would have been willing to pay what would be needed to fix these folks,” he said.

      2. Take stock of what data you have.

      On May 27, 2014, the OPM technical staff kicked off the “Big Bang,” shutting down compromised systems to clean the attacker’s malware from its network. Attempts by the attackers to load keyloggers onto the systems of database administrators prompted the shutdown, according to the report.

      The Office of Personnel Management knew that data—including information about its network and systems—had been taken in the initial breach, but downplayed the severity of the breach, since it did not include PII. That was a mistake, said Nok Nok Labs’ Dunkelberger. Companies have to know the importance of the information residing on their systems.

      “You have to look at the data in your environment and figure out what is valuable and what is at risk,” Dunkelberger said. “Otherwise, there is no way to know what to defend.”

      3. At the very least, use two-factor authentication.

      A key finding of the report was that the OPM did not have two-factor authentication in place before 2015, well after attackers had widely infiltrated its networks and that of at least one third party.

      Two-factor authentication—where employees and other users are required to have a one-time passcode generator or, at least, an SMS passcode—is quickly being deployed because simple user names and passwords are no longer enough, especially with cloud services and remote access constituting such a fundamental part of business infrastructure, Dunkelberger said.

      “If you go look at the data on what causes data breaches, they are caused by people using easy-to-spoof credentials and easy-to-access credentials,” he said.

      4. Third parties continue to pose risks.

      The attackers—thought to be from two groups linked to the Chinese government—used credentials from a third party, KeyPoint Government Solutions, to gain access to OPM systems. Companies should look to their own third-party partners—such as legal counsel, marketing firms and IT providers—and vet or attest to their security.

      “Third parties are increasingly the weak point through which these attackers are gaining access,” Tom Kellermann, CEO of Strategic Cyber Ventures, told eWEEK.

      5. Make sure to look inward.

      Finally, companies are often too concerned with their perimeters, Kellermann said. The danger with nation-state actors is that they will always find a way in, so organizations need to spot them as they attempt to expand their access and move around the network, he said.

      “All of your investments in cyber-security are usually outward facing,” Kellermann said. “You need much more focus on internal operations and anomalies, such as doing penetration tests from the inside out.”

      Kellermann also recommends user behavior analytics to spot anomalies and deceptive network practices to fool the attackers.

      In 2009, the first major nation-state attack against U.S. companies, known as Aurora, resulted in information being stolen from nearly three dozen firms. At that time, Nok Nok Labs’ Dunkelberger believed that the nation would respond with better security and a hard line against hacking.

      So far that has not happened, he said. He hopes the OPM breach will change the momentum.

      “There is a lack of force of will to solving these things, and as long as that is true, we are not going to solve these issues,” he said.

      Robert Lemos is an award-winning journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's written for Ars Technica, CNET, eWEEK, MIT Technology Review, Threatpost and ZDNet. He won the prestigious Sigma Delta Chi award from the Society of Professional Journalists in 2003 for his coverage of the Blaster worm and its impact, and the SANS Institute's Top Cybersecurity Journalists in 2010 and 2014.
