Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
OPM Breach Scope Widens, Employee Group Blasts Agency For Not Encrypting Data
Newest First  |  Oldest First  |  Threaded View
Gallavin
100%
0%
Gallavin,
User Rank: Apprentice
6/19/2015 | 11:05:14 AM
Re: Encryption is NOT a panacea
Your firewalls don't matter if you allow "root" access to people. Encryption doesn't matter , nothing matters. Privielged access controls were totally absent here...which given the nature of the information and the fact it was thrid partied out to a NON US firm , is frankly, mindboggling. 

I find it distrurbing the amount of data breaches lately and the lack of understanding on HOW the real damage is caused.

Here is a fact to chew on...

100% of all advanced attacks exploit privileged credentials. In this case however, they didn't even have to exploit them because they were given full authorization to access anything they wanted from the get go.

Hello!?!?!? Anyone over at the OPM ever hear of "least privlieged" access policies! Geez.

Scarier yet , even though most in the business would say it's ill advised to offer such carte blanc access to any administrator in the private sector, giving root access to admin's is still quite common in all industries , from small businesses to large mulkti national corporations. 

Ask Sony Pictures, Athem, Premera, and Target. 
RayM227
100%
0%
RayM227,
User Rank: Apprentice
6/16/2015 | 11:31:32 PM
Re: Encryption is NOT a panacea
I'd like to know what route the attackers took into the OPM network(s), if firewall rules were in place that should have prevented or slowed their access, and how the account and password information was obtained. Was it an administrative direct database access, or access to a front end application? I think it's important for other IT professionals to know this.
aws0513
100%
0%
aws0513,
User Rank: Ninja
6/15/2015 | 2:44:27 PM
Encryption is NOT a panacea
This compromise was not caused by lack of data encryption practices.  Even if true, data encryption would not have stopped this.

This compromise was conducted using resource accesses that had the necessary credentials and keys to view encrypted data.

The people yelling about encryption shortfalls may have legitimate claims about data-at-rest (DAR) issues, but are coming across as clueless to the real causes for breaches of this magnatude: compromise of data using accesses that have been provided by the system.

I agree, especially on notebook and mobile device platforms, that encryption of data is a good practice if done correctly.  But data encryption is not and will never be a protection against the compromised user account (with access rights) scenario.


Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3318
PUBLISHED: 2021-01-27
attach/ajax.php in DzzOffice through 2.02.1 allows XSS via the editorid parameter.
CVE-2020-5427
PUBLISHED: 2021-01-27
In Spring Cloud Data Flow, versions 2.6.x prior to 2.6.5, versions 2.5.x prior 2.5.4, an application is vulnerable to SQL injection when requesting task execution.
CVE-2020-5428
PUBLISHED: 2021-01-27
In applications using Spring Cloud Task 2.2.4.RELEASE and below, may be vulnerable to SQL injection when exercising certain lookup queries in the TaskExplorer.
CVE-2021-20357
PUBLISHED: 2021-01-27
IBM Jazz Foundation products is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 194963.
CVE-2020-4865
PUBLISHED: 2021-01-27
IBM Jazz Foundation products is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190741.