    Huge Federal Data Breach a Prelude to Even More Dangerous Exploits

    By Wayne Rash - June 6, 2015

      In one sense, the breach of some 4 million personnel records from the Office of Personnel Management earlier this year probably isn’t going to put the financial information of a lot of federal employees at risk. That’s the good news.

      But the rest of the news is very bad. With a few exceptions, essentially every federal employee, especially those with high security clearances, is going to have to be looking over their shoulders for the rest of their lives.

      The level of detail in that stolen data includes everything from background investigations to personal data about families and spouses, summer jobs and former home addresses. It is, quite frankly, a phisher’s paradise.

      But it’s worse than even that. Federal officials assert that this is a nation-state cyber-attack carried out by China or its hacker proxies. If that’s the case, then it’s quite possible that Chinese intelligence agencies could mine the data via big data analysis to gather personal details to create believable and verifiable backgrounds for inserting spies into the U.S.

      By tying together the personnel information, it should also be possible to use data analysis to develop lists of passwords and security answers to government systems as well as private systems.

      But the threat doesn’t even end there. By tying the federal personnel records to the records stolen during the Anthem health insurance breach from a few months ago, those federal employees are now open to compromise and even blackmail. Anthem, as you may recall, is a major provider of health insurance for federal employees, including workers at agencies such as the CIA and the National Security Agency.

      “They’re seeing who government employees are,” said Jerry Ferguson, a partner at Baker Hostetler’s privacy and data protection team. “They’re not doing that to file fake tax returns or steal credit cards. They’re trying to identify who key people are, so that if there were going to be a more serious attack, they could be cut off from the communications networks they participate in.

      “This is a preliminary step toward other activity,” Ferguson said. “I think we’re seeing reconnaissance.” He said that he’s also seeing hackers break into industrial control systems, but only gathering information rather than changing anything, and then trying to hide their tracks. “It’s not going to stop there.”

      “Now that they have access, they’re going to try phishing and social engineering,” said Saryu Nayyar, CEO of Gurucul, a security identity analytics company. “They’re going to try to get access to sensitive data.” She added that because some of the personnel records the hackers got are for employees with high security clearances, some of them may have the authority to create identities for people with access to classified data.

      On the other hand, it may be too early to be sure exactly what’s going to happen to the data that was taken from OPM. “Don’t leap to the conclusion that it’s the Chinese government,” former cyber-security czar Richard Clarke said.


      Clarke said that while the breach has been traced to China, that doesn’t mean it was necessarily the Chinese government. He said that there’s a difference between what data they managed to access and what they took.

      “I haven’t talked to anyone who said that they took any security clearance information,” Clarke said. He added that until a thorough forensic analysis is complete, all we’ll know for sure is that they got some personally identifiable information.

      Jean Taggart, senior security researcher at Malwarebytes, agrees. “Because of the data that was breached, everyone is pointing to possible involvement by nation-states,” he says. But unless the U.S. government says that was the case, it’s just not possible to make that assumption. In addition, Taggart wonders how anyone could have exfiltrated 4 million dossiers without anyone noticing, considering the bandwidth utilization.

      While OPM has promised credit monitoring and identity theft protection for the affected employees, the reality is that those are the least of their worries. Instead, those federal employees will have to be on guard against social engineering attacks the likes of which they’ve never seen before.

      The attackers will have the information they need to look like anyone in a person’s present or past. They will be able to weave convincing stories, some so good that the temptation to click on a link will be nearly irresistible.

      In fact, this breach may result in some drastic measures on the part of federal IT managers, such as deactivating all embedded links in email so that they cannot be clicked on. But there is a lot more to phishing than just clicking on email links.

      Because the stolen information includes addresses and phone numbers, these same employees will be subject to phishing phone calls and even fraudulent mail. These employees could be besieged by an unending flood of attacks from a number of sources.

      And unfortunately, all it takes is one mistake by one employee to open the gates to even greater data theft. Clearly, the level of security needs to get higher, and it needs some fundamental change.

      The whole idea that you can keep people out of a government-owned network is clearly false, but what needs to be done goes beyond perimeter defenses anyway. Now it’s time to view the whole network and watch for anomalous behavior.

      The idea that you can protect the network itself is clearly wrong. As Clarke has said repeatedly, the bad guys are going to get in, so the best you can hope for is keeping them from getting anything that’s important.

      Clarke suggests that one important change would be to stop using Social Security numbers as a basis for identification. “They have to stop,” he said. “They have to come up with some other method.” Meanwhile, Clarke wonders why OPM didn’t encrypt the data to make it useless if it was taken. “Why can’t you pass a law that you can only store in an encrypted database?”

      Wayne Rash
      https://www.eweek.com/author/wayne-rash/
      Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He is the author of five books, including his most recent, "Politics on the Nets." Rash is a former Executive Editor of eWEEK and a former analyst in the eWEEK Test Center. He was also an analyst in the InfoWorld Test Center and editor of InternetWeek. He's a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine.