6/10/2015
08:00 AM

OPM Breach Exposes Agency's Systemic Security Woes

The massive hack at the Office of Personnel Management showed not just room for improvement but a lack of very basic security fundamentals -- and expertise.

The immediate reaction from the security community when news broke of the data breach at the Office of Personnel Management (OPM), which exposed the personnel files of four million federal workers, was that this was yet another sign of how much room for improvement remains in federal government cybersecurity. But as details continue to emerge about the true state of security at the agency before the breach, and about the plans officials have laid out to prevent such attacks in the future, the problem appears much bigger than originally thought. "Room for improvement" implies at least a baseline understanding of security principles, and many security pundits following the story question whether that baseline ever existed in the first place.

The situation exposes a "lack of professionalism and knowledge" that is about 20 years behind where the security industry stands, says Pierluigi Stella, CTO of Network Box USA.

"The Inspector General had already told OPM about their material weaknesses but nothing at all was apparently done. There was no IT security staff until 2013. Most of IT was operated by contractors whose contracts had expired," he says. "OPM apparently wasn't sure of what they had in their own network. They could not provide a comprehensive inventory of servers, databases and network devices. Apparently the hackers knew this network better than the people that operated it."

In response to the breach, OPM officials revealed just how penetrable the agency's systems have been all along. They told the public that since the breach the agency has improved its network security, including deploying anti-malware technology and restricting remote access for network administrators.

That such table-stakes controls were not already in place at an agency handling such sensitive human-resources data is worrisome enough. That they are now presented as the agency's path toward preventing similar breaches is even more troubling to veterans of the security world. The belief that anti-malware will save the agency from future breaches betrays a lack of understanding of what good security posture looks like in the first place, experts say.

"Judging from the government’s response, the root cause of the problem seems to be a lack of experience in its personnel, not just missing security controls. The information security industry knows a lot about what defense measures are effective and not," says Jeremiah Grossman, founder of WhiteHat Security. "It’s not just about installing anti-virus and thinking you’re done. That seems to be their current level of thinking, which virtually guarantees a similar incident."

Unfortunately, this may be symptomatic of deeper problems across the federal government and not just at OPM. As Richard Bejtlich explained in a blog post earlier today, one such issue is a "fundamental misunderstanding of the nature" of the federal government's Continuous Diagnostics and Mitigation (CDM) program, which has shifted priorities away from actually repelling intruders toward cyber "hygiene." According to him, many have mistaken CDM, which at heart is a vulnerability management program, for a way to find intruders, particularly in light of long delays in the government's Einstein intrusion detection program.

"CDM is either being sold as, or misunderstood as, a way to detect intruders," wrote Bejtlich, chief security strategist for FireEye. "The focus on CDM has meant intruders already present in Federal networks are left to steal and fortify their positions, while scarce IT resources are devoted to patching. The Feds are identifying and locking doors and windows while intruders are inside the house."

And, unfortunately, the fallout from this breach means that attackers are all the more firmly entrenched inside that proverbial house. An even more troubling element of the OPM breach is the enormous consequence that exposure of this particular data set has for the federal government's overall risk posture. The damage on this front has already been done, and the exposed data will help attackers not only carry out further cyberattacks but also greatly aid foreign counterintelligence (CI), says John Schindler, security strategist and author of The XX Committee blog.

As Schindler explains, the most sensitive data stolen from OPM was background investigation (BI) material on anyone seeking a security clearance.

"Whoever now holds OPM's records possesses something like the Holy Grail from a CI perspective. They can target Americans in their database for recruitment or influence. After all, they know their vices, every last one — the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side — since all that is recorded in security clearance paperwork."

According to Schindler, the government will feel the consequences of the breach for decades.

"If this sounds like a nightmare scenario for Washington, DC, that’s because it is," he says. "Decades of neglect have gotten us here and it will take decades to get us out of it."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
SolielM201, User Rank: Apprentice
6/17/2015 | 10:47:44 AM
Cut Off
Cut Off
Here's a petition to disconnect select Chinese networks from the Internet, for your signing on the right side if you are in agreement (digitally sign by submitting).  I'm asking for you to let your friends and family of the millions of people affected by compromised data (from OPM, Anthem, Home Depot, Target Corporation...) know of this petition and sign if in agreement.  change.org/p/icann-internet-corporation-for-assigned-names-and-numbers-tell-the-worldwide-internet-maintainers-to-disconnect-select-networks-in-china-from-the-internet-internet-2-0
agusanfear, User Rank: Apprentice
6/16/2015 | 6:59:51 PM
Re: Decades of neglect...
deploying anti-malware technology and restricting remote access for network administrators?

I mean how long does it take for the OPM to understand oblivious security protocols? Someone give OPM a cookie.
macker490, User Rank: Ninja
6/15/2015 | 7:11:09 AM
much more serious than Snowden
this breach is MUCH MORE serious than the Edward Snowden affair.
bhanstiu, User Rank: Strategist
6/10/2015 | 10:38:34 AM
Decades of neglect...
That one line says everything relevant about the functioning of the US federal government. Very aged infrastructure crumbling, bridges falling apart, 1950's power distribution covering vast sections of the nation, etc. etc., ad nauseam.... but we have billions of dollars to give away, billions for bombs, etc. etc., ad nauseam.... Is anyone really surprised by this situation? We have collectively allowed the US federal government to shirk its responsibilities in the name of chasing dragons and unicorns, and monitoring all of our communications regardless of relevance to the actual 'busting terrorists' excuses we get all day, every day, all year, decade after decade.

From the bad joke that is TSA security theater, to the unpatriot games the NSA is playing, we have been sold a bill of goods, and have not received what we paid for. On all levels.