Written by Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver
Cyber attacks, attributed to the Chinese government, breached sensitive personnel databases and stole the data of over 22 million current, former, and prospective U.S. civil servants and their family members. Stern warnings from the Office of the Inspector General (OIG) to shut down systems lacking a current security authorization were ignored.
Presciently, the OIG specifically warned that failure to shut down the unauthorized systems carried national security implications. Like the captain of the Titanic holding flank speed through an ice field, OPM replied:
“We agree that it is very important to keep current and valid ATOs for all systems but do not think that this condition rises to the level of a Material Weakness.”
OPM also stressed that shutting down those systems would interrupt retirement and employee benefits and paychecks. Offered a choice between a security lapse and an operational lapse, OPM chose to operate insecurely and was pwned.
Then-director Katherine Archuleta resigned in July 2015, a day after disclosing that the scope of the breach far exceeded initial assessments.
Despite the high-value information held by OPM, the agency failed to prioritize cybersecurity and adequately secure its high-value data.
What Are the Lessons for CISOs?
Rational CISOs will want to avoid professional immolation in a flaming data breach disaster, so let’s quickly review the key lessons from the Congressional report’s executive summary.
Prioritize Cybersecurity Commensurate with Asset Value
Have an effective organizational management structure to implement risk-appropriate IT security policies. Chronic non-compliance with security best practices and lagging timelines for implementing recommendations are signs of organizational failure and administrative atherosclerosis. Shake up the organization, or prepare for your post-breach grilling before the inquisitors.
Don’t Tolerate a Complacent State of Information Security
Have the essential monitoring in place to maintain situational awareness, and leave no visibility gaps. Don’t fail to grasp the scope, extent, or gravity of attack indicators. Assume that if you detect some attack indicators, there are others you are missing. While OPM was forensically monitoring one attack avenue, a parallel attack went unobserved. When OPM did act, the attackers learned which attack had been discovered and which was still succeeding, which is valuable intelligence for the adversary.
Mandate Basic Security Tools and Quickly Deploy Cutting-Edge Security Tools
OPM was grossly negligent in deploying mandated multi-factor authentication for privileged accounts, and failed to deploy available security technology that could have prevented or mitigated exfiltration of its most valuable security background investigation files.
For authenticating access to privileged data or controls, the phrase “password protected” has been an oxymoron for years: passwords are not a defense, they are an invitation to compromise. Beyond adequate authentication strength, comprehensive network monitoring and visibility are required to prevent sensitive data exfiltration. The Congressional investigation blamed lax cyber hygiene and insufficient network traffic visibility for the adversaries’ persistent presence in OPM networks.
Do Not Fail to Escalate the Alarm When Your Most Sensitive Data Is Under Attack
In the OPM breach, observed attack activity “should have sounded a high level multi-agency nationwide security alarm that a sophisticated, relentless actor was looking to gain access to OPM’s highest-value data.” Instead, nothing of consequence was done “until after the agency was badly jeopardized, and until after the agency’s most sensitive information was lost to wicked actors.” As a CISO, sound that alarm in time (or rehearse your face for the panel hearing).
Lastly, do not let this be said of your enterprise security posture:
The Committee received documentation and statements showing OPM’s info security posture was weakened by an incredibly unsecured IT environment, internal politics and administration, and misplaced top priorities related to the deployment of security tools that slowed essential security decisions.