OPM Breach Exposes Agency's Systemic Security Woes

The massive hack at the Office of Personnel Management showed not just room for improvement but a lack of very basic security fundamentals -- and expertise.

The immediate thoughts from the security community when news broke of the data breach at the Office of Personnel Management (OPM) that exposed personnel files of four million federal workers were that this was yet another sign of the room for improvement in the federal government on the cybersecurity front. But as details continue to emerge about the true state of security at the agency prior to the breach and the plans officials have laid out to prevent such attacks in the future, the problem seems to be much bigger than originally thought. Room for improvement implies at least a baseline level of understanding of security principles -- a state which many security pundits following the story question really exists in the first place.

The situation exposes a "lack of professionalism and knowledge" that is about 20 years behind where the security industry stands, says Pierluigi Stella, CTO of Network Box USA.

"The Inspector General had already told OPM about their material weaknesses but nothing at all was apparently done. There was no IT security staff until 2013. Most of IT was operated by contractors whose contracts were expired," he says. "OPM apparently wasn't sure of what they had in their own network. They could not provide a comprehensive inventory of servers, databases and network devices. Apparently the hackers knew this network better than the people that operated it."

In response to the breach, OPM officials tipped their hand in how penetrable the agency's systems really have been all along. They told the public that since the breach, the agency has made improvements to its network security, including deploying anti-malware technology and restricting remote access for network administrators.

The fact that those table-stakes controls were not already in place at an agency that handles such sensitive human resources data is worrisome enough. That they are now presented as the agency's path forward toward preventing similar breaches is even more troubling to veterans in the security world. The belief that anti-malware will save the agency from future breaches reveals a lack of understanding of what a good security posture looks like in the first place, experts say.

"Judging from the government’s response, the root cause of the problem seems to be a lack of experience in its personnel, not just missing security controls. The information security industry knows a lot about what defense measures are effective and not," says Jeremiah Grossman, founder of WhiteHat Security. "It’s not just about installing anti-virus and thinking you’re done. That seems to be their current level of thinking, which virtually guarantees a similar incident."

Unfortunately, this may be symptomatic of deeper problems across the board, not just at OPM. As Richard Bejtlich explained in a blog post earlier today, one such issue is a "fundamental misunderstanding of the nature" of the federal government's Continuous Diagnostics and Mitigation (CDM) program, which has shifted priorities away from actually repelling intruders in favor of cyber "hygiene." According to him, many have mistaken CDM -- which at heart is a vulnerability management program -- for a way to find intruders, particularly in light of long delays in the government's Einstein intrusion detection program.

"CDM is either being sold as, or misunderstood as, a way to detect intruders," wrote Bejtlich, chief security strategist for FireEye. "The focus on CDM has meant intruders already present in Federal networks are left to steal and fortify their positions, while scarce IT resources are devoted to patching. The Feds are identifying and locking doors and windows while intruders are inside the house."

And, unfortunately, the fallout from this breach means that attackers are all the more firmly entrenched inside that proverbial house. There's an even more troubling element to this OPM breach, which is the enormous consequence that the exposure of this data set in particular brings to the overall federal government risk posture. The damage has already been done on this front and the data exposed will help attackers not only carry out further cyberattacks, but greatly aid in foreign counterintelligence (CI), says John Schindler, security strategist and author of The XX Committee blog.

As Schindler explains, the most sensitive of data stolen from the OPM was background investigation (BI) material on anyone seeking security clearances.

"Whoever now holds OPM’s records possesses something like the Holy Grail from a CI perspective. They can target Americans in their database for recruitment or influence. After all, they know their vices, every last one — the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side — since all that is recorded in security clearance paperwork."

According to Schindler, the government will feel the consequences of the breach for decades.

"If this sounds like a nightmare scenario for Washington, DC, that’s because it is," he says. "Decades of neglect have gotten us here and it will take decades to get us out of it."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
User Rank: Apprentice
6/17/2015 | 10:47:44 AM
Cut Off
Here's a petition to disconnect select Chinese networks from the Internet, for your signing on the right side if you are in agreement (digitally sign by submitting). I'm asking for you to let your friends and family of the millions of people affected by compromised data (from OPM, Anthem, Home Depot, Target Corporation...) know of this petition and sign if in agreement.
User Rank: Apprentice
6/16/2015 | 6:59:51 PM
Re: Decades of neglect...
deploying anti-malware technology and restricting remote access for network administrators?

I mean how long does it take for the OPM to understand oblivious security protocols? Someone give OPM a cookie.
User Rank: Ninja
6/15/2015 | 7:11:09 AM
much more serious than Snowden
this breach is MUCH MORE serious than the Edward Snowden affair.
User Rank: Strategist
6/10/2015 | 10:38:34 AM
Decades of neglect...
That one line says everything relevant about the functioning of the US federal government. Very aged infrastructure crumbling, bridges falling apart, 1950s power distribution covering vast sections of the nation, etc. etc., ad nauseam.... but we have billions of dollars to give away, billions for bombs, etc. etc., ad nauseam.... Is anyone really surprised by this situation? We have collectively allowed the US federal government to shirk its responsibilities in the name of chasing dragons and unicorns, and monitoring all of our communications regardless of relevance to the actual 'busting terrorists' excuses we get all day, every day, all year, decade after decade.

From the bad joke that is TSA security theater, to the unpatriot games the NSA is playing, we have been sold a bill of goods, and have not received what we paid for. On all levels.