The U.S. government Office of Personnel Management data breach was much larger than previously thought – that every federal employee’s social security number along with other personnel records data (all unencrypted) has been exposed – led to the following reaction from global cybersecurity experts.
Igor Baikalov, Chief Scientist, Securonix (www.securonix.com):
“And yet another breach disclosure. Another shoe drops – and it’s just the shoe that we hear drop. Knowing our government’s urge for full and immediate disclosure, you know there’s a lot more to come out. And if you are a federal employee affected by this breach, you better pray that it was a nation-state behind the attack, and not a simple criminal gang that can empty your accounts and ruin your life using the stolen data.
It’s not just your PII (Personally Identifiable Information) is out there, it’s that side of the story of your life that you’re the least proud of (because that’s exactly what the background investigation aims to unravel), and it’s not just you, but your family, friends and neighbors – that’s the kind of data that’s been lost in the latest breach. Unless we can put the whole population of current, past, and potential federal employees into a witness protection program, we have to seriously reconsider how we do business going forward, and deal with all the potential identity fraud, extortion, and other scam that thrives on the compromised information.”
“While the new reports that hackers stole the personal information of every federal employee might be inconclusive, a good security practice is to assume the worst until proven otherwise (which is unlikely to happen in this case). Does it really make any difference? Does it change what we should or can do about it? No.
More and more officials are pointing fingers to China as the most likely culprit in the attack, but there was no official statement to that regard and it’s naive to expect one. First of all, the U.S. spies for “national security advantages” just like China does – no moral high ground there. Second, and most frustrating, problem is that there’s not much U.S. can do to retaliate for this attack: economic sanctions (a no-brainer in North Korea case) are hardly applicable to the country that holds most of your national debt.”
Philip Lieberman, CEO, Lieberman Software (www.liebsoft.com):
“The OPM breach is a very bad situation with national security consequences. President Obama made a severe and unrecoverable blunder in his personal appointment of the head of the agency that got breached. In his mind he probably conceived of it as nothing more than a garden variety government HR position, not realizing the security knowledge requirements and implications of the position.
I would not be surprised if there is a disclosure that OPM failed on numerous security tests by outside auditors within the government and that the head of OPM failed to take action when informed. The government agencies responsible for internal government security are very competent, but are restricted in what they can do to force those that they audit to correct their deficiencies.”
When the scope of the breach was disclosed to include all federal employees, he said:
“The apparent U.S. Government policy with regard to the protection of commercial enterprises attacked by nation states and others has been benign neglect (perhaps a shoulder to cry on). Current law and government policy forbid commercial enterprises to take any action against the attacker and handle the matter via the rule of law and in the appropriate jurisdiction. Since there has been little to no recourse possible, commercial enterprises have been attacked and damaged with little government assistance. We are told to build better walls and operate in a defensive mode even though both our government and governments of others have cyber weapons that commercial enterprises with no effective defense. Using technologies such as air gaps, segmented networks, encryption, and privileged identity management, can reduce the damage and scope of damage caused by these weapons. So there is no real defense, only the concept of acceptable loss.
On the other hand, the U.S .Government has been clear that an attack on its citizens and systems would result in severe response directed by the government itself (which is well within its power and rights). However, there are two issues to review: first the government agency OPM did not implement appropriate controls in line with the sensitivity of the data it was managing, and did not implement even basic controls to limit the amount of damage to an acceptable loss. Second, there will be an inevitable consequence to the intruder, but unfortunately, a bell cannot be un-rung and even with retribution, the information about the government employees is now out in the wild and in the hands of an entity that could cause a great deal of grief for the entire country.
It is a tragedy that the Executive Branch as well as NIST and NSA have been preaching the gospel of security by design, segmentation of data and control, proper identity management, as well as effective monitoring. Here with OPM we have an agency entrusted with the defense of its government employees ignoring the guidance given by the government as well as failing to implement off-the-shelf technologies that are common to the commercial realm. A fix for the problem was a phone call away to virtually any of the defense contractors in the beltway who have been dealing with these types of attacks for decades.
Unfortunately, this problem now falls on the President as Commander in Chief for an appropriate response. Unfortunately, there is no response that undoes the consequences of the exploit and there is no consequence appropriate to the action taken by this nation state. The President can drop the hammer on entire Federal Government and the legislature can now mandate appropriate changes for the Federal Government to minimize the chance of a repeat of this scenario.
The statements by the Federal unions is a good sign that they too are ready to allow the implementation of appropriate technologies for privileged access and identity management, auditing, and a change in job rules to allow the Federal Government to operate in secure manner appropriate to the threats of this day and age.
At its core, this was not so much a problem of technology, as much as it was a lack of process, systems design, lack of external oversight such as the use of penetration testing and red/blue team war games to check and repair weaknesses, as well as the lack of technology and cyber defense staff to automatically stop the attack and at worst, minimize the consequence.
In every tragedy there is an opportunity to create a better future. As the Commander in Chief, the President will now need to deal with serious threats from the outside and serious weaknesses within his own government. I hope that the legislature backs him as well as the unions to change the government so that there will not be a repeat of this scenario (or at least make future attacks less effective).”
Lane Thames, Security Researcher, Tripwire (www.tripwire.com)
“Organizations that collect and retain data, especially data constituting personally identifiable information (PII), are prime targets for hackers, and the federal government is no exception. The cyber-attack on the Office of Personnel Management (OPM) continues to unfold. For example, the Associated Press and Wired have reported that the breach is possibly much larger than originally estimated.
Successful cyber-attacks against U.S. government entities at both the federal and state levels are not new. According to a database maintained by the Privacy Rights Clearinghouse, 27 breaches were reported by various government entities in 2014. These include targets such as the U.S. Weather System, the U.S. Postal Service, Healthcare.gov, and U.S. Investigations Services. The same database reports 6 successful breaches thus far this year, which includes the OPM breach as well as the breach on the Internal Revenue Service, reported back in May.
Unfortunately, successful data breaches are not going to abate anytime soon. During 2014, there were at least 3 data breaches with outcomes proving to be worse than first estimated. Many organizations discover that breaches are more extensive than they originally thought, and I believe the reason for this is breach laws. Organizations have a finite amount of time to disclose the details of a data breach to its various stakeholders, and organizations are probably communicating based on preliminary forensic analysis. The data forensics required to gain in-depth understanding of a data breach can often take lengthy amounts of time. To be safe, organizations are doing their best to estimate breach damages but, as we can see these estimates can be far from reality.
It is a very challenging problem in a game where we are fighting against highly-incentivized adversaries. As time goes on, we will get better. Hopefully, all of us can learn from these types of cybersecurity mistakes.
In terms of addressing these types of issues, there are a few questions that organizations can ask themselves to better prepare for cyber-attacks:
- What should my organization do when its cyber-resources have been successfully attacked?
- How can we reduce our attack surface in order to minimize the number of successful attacks against the organization?
- How can we minimize the amount of time between a successful attach and our discovery thereof?
The first question revolves around understanding that being successfully attacked is not a question of ‘if’ but ‘when’ as well as understanding how to respond when such an event happens. The lack of an appropriate response can be just as damaging as the cyber-attack itself, if not more.
The second question revolves around ‘continuous process improvement.’ To reduce attack surfaces, organizations must continuously work towards improving the security of their cyber-resources—it is never a one-time thing.
Finally, organizations need to employ appropriate tools for monitoring their cyber-resources—without appropriate monitoring tools, organizations will face significant challenges when trying to respond to successful attacks.”
Brad Taylor, CEO, Proficio (www.proficio.com):
“This is very disturbing news from a national security perspective. This breach underscores the new normal that any organization with valuable data will be persistently attacked. Without the most advanced 24×7 security monitoring it is just a matter of when not if there is a security breach.”
Mark Bower, global director, product management, HP Security Voltage (www.voltage.com):
“What do federal employees have to fear?
A possible scenario is that an organized attack group is building out their own large analytics system containing profiles of people who have relationships to various US Government agencies and related third parties such as contract firms, integrators and suppliers.
Given the stolen data appears to have employment history and other related data, this is the ideal kind of data for attackers to attempt very targeted attacks on specific individuals to bypass traditional perimeter defense to access deeper systems with sensitive data. This might include email systems, sensitive databases, or even more contemporary government analytic systems such as Hadoop or large data warehouses.
Once past the perimeter, malware can be remotely controlled, find and leak data resulting in damage, theft, and manipulation as industry has witnessed time and again. Some independent security researchers have recently linked the attackers here to the Anthem breach of over 80 million people* (see citation below), so there is a strong likelihood attackers are building out their own analytic tools to create focused attacks. As large providers like Anthem no may be providers of healthcare services to contractors to the US Government, a database of 80 million people provides another route for personal spear-phishing. We’ve seen the development of “malware-as-service” in recent years, so this vast data gathering via attacks like this could also enable an “attack analytics as a service” strategy the perpetrators are using for themselves or for other crime groups to utilize. Tools like Hadoop can provide powerful insight for enterprises and government, but can also be used for more nefarious purposes too, just as with any powerful software.
One of the most common ways to penetrate a system is to exploit exposed vulnerabilities if the IT systems are known (for example, an unpatched Internet facing application still vulnerable to “shellshock”attacks), social engineering and spear-phishing or to attack related third party entities to gather enough data to then penetrate a data target of interest. This is how breaches often take place in the private sector. For example, the Target breach was via a third party HVAC contractor that happened to have files with passwords which enabled perimeter bypass, for example, and other government agencies have suffered prior attacks on a similar basis.
So, an attacker building out its own big data framework which can cross reference staff, personal relationships, agency employment history, third party social business networks that may have employee resumes which list systems the staff has experience with gives an attacker the ability to run their own analytics to potentially focus on individuals for social engineering or spear phishing.
If the attackers are indeed criminals, then credit card and identity fraud risks are possible outcomes, but if this is about building out large scale tool to allow more focused attacks, individuals who are victims in this breach should be vigilant about unexpected emails, phone calls leading them to suspect web sites which may install malware, or social engineering attempts to get access to credentials or other data. They may also want to consider a security freeze on their accounts with the consumer credit bureau’s to prevent their personal data being used to open lines of credit or other types of financial fraud. The OPM has already provided some basic guidance visit HERE.
With respect to agencies mitigating the impact of such attacks, today contemporary data-centric security, advanced system and user behavior monitoring, and data de-identification technologies need to be considered to neutralize breaches from yielding sensitive data. The leaders in the private sector have already embraced these strategies, especially in vulnerable ecosystems such as payment data flows, but the same technologies apply well to other industries to essentially remove the value from data while keeping it useful for business purposes, analytics, and applications. Attackers will always get in – but if they get nothing of value they will move onto other more vulnerable targets.”