6/10/2015
08:00 AM
OPM Breach Exposes Agency's Systemic Security Woes

The massive hack at the Office of Personnel Management showed not just room for improvement but a lack of very basic security fundamentals -- and expertise.

The immediate reaction from the security community when news broke of the data breach at the Office of Personnel Management (OPM), which exposed the personnel files of four million federal workers, was that this was yet another sign of the room for improvement in the federal government on the cybersecurity front. But as details continue to emerge about the true state of security at the agency prior to the breach, and about the plans officials have laid out to prevent such attacks in the future, the problem seems to be much bigger than originally thought. Room for improvement implies at least a baseline understanding of security principles -- a baseline that many security pundits following the story doubt ever existed in the first place.

The situation exposes a "lack of professionalism and knowledge" that is about 20 years behind where the security industry stands, says Pierluigi Stella, CTO of Network Box USA.

"The Inspector General had already told OPM about their material weaknesses but nothing at all was apparently done. There was no IT security staff until 2013. Most of IT was operated by contractors whose contracts were expired," he says. "OPM apparently wasn't sure of what they had in their own network. They could not provide a comprehensive inventory of servers, databases and network devices. Apparently the hackers knew this network better than the people that operated it."

In response to the breach, OPM officials tipped their hand in how penetrable the agency's systems really have been all along. They told the public that since the breach, the agency has made improvements to its network security, including deploying anti-malware technology and restricting remote access for network administrators.

The fact that those table-stakes controls were not already in place at an agency that handles such sensitive human resource data is worrisome enough. But that they are presented as the agency's path forward toward preventing similar breaches is even more troubling to veterans in the security world. The belief that anti-malware alone is going to save the agency from future breaches betrays a lack of understanding of what good security posture looks like in the first place, experts say.

"Judging from the government’s response, the root cause of the problem seems to be a lack of experience in its personnel, not just missing security controls. The information security industry knows a lot about what defense measures are effective and not," says Jeremiah Grossman, founder of WhiteHat Security. "It’s not just about installing anti-virus and thinking you’re done. That seems to be their current level of thinking, which virtually guarantees a similar incident."

Unfortunately, this may be symptomatic of deeper problems across the board and not just at OPM. As Richard Bejtlich explained in a blog post earlier today, one such issue is a "fundamental misunderstanding of the nature" of the federal government's Continuous Diagnostic and Mitigation (CDM) program, which has shifted priorities away from actually repelling intruders in favor of cyber "hygiene." According to him, many have mistaken CDM -- which at heart is just a vulnerability management program -- for a way to find intruders, particularly in light of long delays in the government's Einstein intrusion detection program.

"CDM is either being sold as, or misunderstood as, a way to detect intruders," wrote Bejtlich, chief security strategist for FireEye. "The focus on CDM has meant intruders already present in Federal networks are left to steal and fortify their positions, while scarce IT resources are devoted to patching. The Feds are identifying and locking doors and windows while intruders are inside the house."

And, unfortunately, the fallout from this breach means that attackers are all the more firmly entrenched inside that proverbial house. There is an even more troubling element to the OPM breach: the enormous consequence that the exposure of this particular data set has for the overall risk posture of the federal government. The damage on this front has already been done, and the exposed data will not only help attackers carry out further cyberattacks but will greatly aid foreign counterintelligence (CI), says John Schindler, security strategist and author of The XX Committee blog.

As Schindler explains, the most sensitive data stolen from OPM was the background investigation (BI) material on anyone seeking a security clearance.

"Whoever now holds OPM’s records possesses something like the Holy Grail from a CI perspective. They can target Americans in their database for recruitment or influence. After all, they know their vices, every last one — the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side — since all that is recorded in security clearance paperwork."

According to Schindler, the government will feel the consequences of the breach for decades.

"If this sounds like a nightmare scenario for Washington, DC, that’s because it is," he says. "Decades of neglect have gotten us here and it will take decades to get us out of it."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments

SolielM201, User Rank: Apprentice
6/17/2015 | 10:47:44 AM
Cut Off
Here's a petition to disconnect select Chinese networks from the Internet, for your signing on the right side if you are in agreement (digitally sign by submitting). I'm asking for you to let your friends and family of the millions of people affected by compromised data (from OPM, Anthem, Home Depot, Target Corporation...) know of this petition and sign if in agreement. change.org/p/icann-internet-corporation-for-assigned-names-and-numbers-tell-the-worldwide-internet-maintainers-to-disconnect-select-networks-in-china-from-the-internet-internet-2-0

agusanfear, User Rank: Apprentice
6/16/2015 | 6:59:51 PM
Re: Decades of neglect...
deploying anti-malware technology and restricting remote access for network administrators?

I mean, how long does it take for the OPM to understand obvious security protocols? Someone give OPM a cookie.

macker490, User Rank: Ninja
6/15/2015 | 7:11:09 AM
much more serious than Snowden
This breach is MUCH MORE serious than the Edward Snowden affair.

bhanstiu, User Rank: Strategist
6/10/2015 | 10:38:34 AM
Decades of neglect...
That one line says everything relevant about the functioning of the US federal government. Very aged infrastructure crumbling, bridges falling apart, 1950s power distribution covering vast sections of the nation, etc. etc., ad nauseam.... but we have billions of dollars to give away, billions for bombs, etc. etc., ad nauseam.... Is anyone really surprised by this situation? We have collectively allowed the US federal government to shirk its responsibilities in the name of chasing dragons and unicorns, and monitoring all of our communications regardless of relevance to the actual 'busting terrorists' excuses we get all day, every day, all year, decade after decade.

From the bad joke that is TSA security theater, to the unpatriot games the NSA is playing, we have been sold a bill of goods, and have not received what we paid for. On all levels.