6/10/2015
08:00 AM

OPM Breach Exposes Agency's Systemic Security Woes

The massive hack at the Office of Personnel Management showed not just room for improvement but a lack of very basic security fundamentals -- and expertise.

The security community's immediate reaction when news broke of the data breach at the Office of Personnel Management (OPM), which exposed the personnel files of four million federal workers, was that this was yet another sign of how much room for improvement the federal government has on the cybersecurity front. But as details continue to emerge about the true state of security at the agency prior to the breach, and about the plans officials have laid out to prevent such attacks in the future, the problem appears to be much bigger than originally thought. Room for improvement implies at least a baseline understanding of security principles, and many security pundits following the story question whether that baseline ever existed in the first place.

The situation exposes a "lack of professionalism and knowledge" that is about 20 years behind where the security industry stands, says Pierluigi Stella, CTO of Network Box USA.

"The Inspector General had already told OPM about their material weaknesses but nothing at all was apparently done. There was no IT security staff until 2013. Most of IT was operated by contractors whose contracts were expired," he says. "OPM apparently wasn't sure of what they had in their own network. They could not provide a comprehensive inventory of servers, databases and network devices. Apparently the hackers knew this network better than the people that operated it."

In response to the breach, OPM officials tipped their hand in how penetrable the agency's systems really have been all along. They told the public that since the breach, the agency has made improvements to its network security, including deploying anti-malware technology and restricting remote access for network administrators.

The fact that those table-stakes controls were not already in place at an agency that handles such sensitive human resource data is worrisome enough. That they are presented as the agency's path forward toward preventing similar breaches is even more troubling to veterans in the security world. The belief that anti-malware will save the agency from future breaches reveals a lack of understanding of what good security posture looks like in the first place, experts say.

"Judging from the government’s response, the root cause of the problem seems to be a lack of experience in its personnel, not just missing security controls. The information security industry knows a lot about what defense measures are effective and not," says Jeremiah Grossman, founder of WhiteHat Security. "It’s not just about installing anti-virus and thinking you’re done. That seems to be their current level of thinking, which virtually guarantees a similar incident."

Unfortunately, this may be symptomatic of deeper problems across the board and not just at OPM. As Richard Bejtlich explained in a blog post earlier today, one such issue is the "fundamental misunderstanding of the nature" of the federal government's Continuous Diagnostics and Mitigation (CDM) program, which has shifted priorities away from actually repelling intruders in favor of cyber "hygiene." According to him, many have conflated CDM, which at heart is just a vulnerability management program, with a way to find intruders, particularly in light of long delays in the government's Einstein intrusion detection program.

"CDM is either being sold as, or misunderstood as, a way to detect intruders," wrote Bejtlich, chief security strategist for FireEye. "The focus on CDM has meant intruders already present in Federal networks are left to steal and fortify their positions, while scarce IT resources are devoted to patching. The Feds are identifying and locking doors and windows while intruders are inside the house."

And, unfortunately, the fallout from this breach means that attackers are all the more firmly entrenched inside that proverbial house. There is an even more troubling element to the OPM breach: the enormous consequence that the exposure of this particular data set has for the overall federal government risk posture. The damage on this front has already been done, and the exposed data will help attackers not only carry out further cyberattacks but greatly aid foreign counterintelligence (CI), says John Schindler, security strategist and author of The XX Committee blog.

As Schindler explains, the most sensitive of data stolen from the OPM was background investigation (BI) material on anyone seeking security clearances.

"Whoever now holds OPM’s records possesses something like the Holy Grail from a CI perspective. They can target Americans in their database for recruitment or influence. After all, they know their vices, every last one — the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side — since all that is recorded in security clearance paperwork."

According to Schindler, the government will feel the consequences of the breach for decades.

"If this sounds like a nightmare scenario for Washington, DC, that’s because it is," he says. "Decades of neglect have gotten us here and it will take decades to get us out of it."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
SolielM201, User Rank: Apprentice, 6/17/2015 | 10:47:44 AM
Cut Off
Here's a petition to disconnect select Chinese networks from the Internet, for your signing on the right side if you are in agreement (digitally sign by submitting).  I'm asking for you to let your friends and family of the millions of people affected by compromised data (from OPM, Anthem, Home Depot, Target Corporation...) know of this petition and sign if in agreement.  change.org/p/icann-internet-corporation-for-assigned-names-and-numbers-tell-the-worldwide-internet-maintainers-to-disconnect-select-networks-in-china-from-the-internet-internet-2-0
agusanfear, User Rank: Apprentice, 6/16/2015 | 6:59:51 PM
Re: Decades of neglect...
deploying anti-malware technology and restricting remote access for network administrators?

I mean how long does it take for the OPM to understand oblivious security protocols? Someone give OPM a cookie.
macker490, User Rank: Ninja, 6/15/2015 | 7:11:09 AM
much more serious than Snowden
this breach is MUCH MORE serious than the Edward Snowden affair.
bhanstiu, User Rank: Strategist, 6/10/2015 | 10:38:34 AM
Decades of neglect...
That one line says everything relevant about the functioning of the US federal government. Very aged infrastructure crumbling, bridges falling apart, 1950's power distribution covering vast sections of the nation, etc. etc., ad nauseam.... but we have billions of dollars to give away, billions for bombs, etc. etc., ad nauseam.... Is anyone really surprised by this situation? We have collectively allowed the US federal government to shirk its responsibilities in the name of chasing dragons and unicorns, and monitoring all of our communications regardless of relevance to the actual 'busting terrorists' excuses we get all day, every day, all year, decade after decade.

From the bad joke that is TSA security theater, to the unpatriot games the NSA is playing, we have been sold a bill of goods, and have not received what we paid for. On all levels.