OPM Breach Review: A Lesson for CISOs
Cyber attacks attributed to the Chinese government breached OPM's sensitive personnel databases and stole the data of more than 22 million current, former, and prospective U.S. government employees and their family members. Stern warnings from the Office of the Inspector General (OIG) to shut down systems that lacked a current security authorization were ignored.
Presciently, the OIG specifically warned that failure to shut down the unauthorized systems carried national security implications. Like the Titanic’s doomed captain who maintained flank speed through an iceberg field, the OPM responded,
OPM also worried that shutting down those systems would interrupt retirement benefits, employee benefits, and paychecks. Given a choice between a security lapse and an operational lapse, OPM chose to operate insecurely and was pwned.
Then-director Katherine Archuleta (shown above, on the panel's left) resigned in July 2015, a day after revealing that the scope of the breach vastly exceeded the original damage assessments.
Prioritize Cybersecurity Commensurate with Asset Value
Have an effective organizational management structure that can actually implement risk-appropriate IT security policies. Chronic non-compliance with security best practices and lagging timelines for implementing audit recommendations are indicators of organizational failure and bureaucratic atherosclerosis. Shake up the organization, or prepare your post-breach panel appearance before the inquisitors (see the photo above for the appropriate facial expressions).
Do Not Tolerate a Lax State of Information Security
Have the monitoring in place to maintain critical situational awareness, and leave no observation gaps. Do not fail to comprehend the scope, extent, or gravity of attack indicators. Assume that if you have identified some attack indicators, there are others you are missing. While OPM was forensically observing one attack avenue, a parallel attack went unobserved. When OPM did take action, the attackers learned which intrusion had been detected and which was still succeeding, quite valuable intelligence for an attacker.
Mandate Basic Required Security Tools and Expeditiously Deploy Cutting-Edge Security Tools
OPM was woefully negligent in implementing the mandated multi-factor authentication for privileged accounts, and it failed to deploy available security technology that could have prevented or mitigated the exfiltration of its most valuable asset, the security background investigation files. For authenticating access to privileged data or controls, the phrase "password protected" has been an oxymoron for years: passwords are not protection, they are an invitation to compromise. Start by enumerating every privileged account and confirming that none of them can authenticate on a password alone. In addition to adequate authentication strength, complete network monitoring and visibility is a prerequisite for preventing exfiltration of sensitive data. The Congressional investigation blamed sloppy cyber hygiene and inadequate visibility into system traffic for the attackers' persistent presence in OPM networks.
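To make the two preceding lessons concrete, here is a small added example (written for this review, not code from the article or from OPM) of the kind of hunt a security operations team can run over its own logs. Working from constructed authentication and egress records, it flags privileged logons made without a second factor, flags hosts whose outbound volume jumps far above their own baseline, and then pivots from every hit to the other hosts the same account reached, so that one detected avenue leads the responder to the parallel ones instead of being closed in isolation. The record layout, the 10x threshold, and every host and account name are assumptions.

```python
"""Added illustration (not part of the original article): a small hunt over
constructed authentication and egress logs. It flags privileged logons made
without MFA, flags hosts whose outbound volume jumps far above their own
baseline, and then pivots from every hit to the other hosts the same account
reached, so that one detected avenue leads the responder to the parallel
ones. The record layout, the 10x threshold and all names are assumptions."""

from collections import defaultdict
from statistics import median

# Constructed sample data for the example; not real OPM records.
# Authentication events: (time, user, host, privileged, used_mfa)
AUTH_EVENTS = [
    ("2015-04-01T01:05", "svc-backup", "db-bg01", True, False),
    ("2015-04-01T01:07", "svc-backup", "db-bg02", True, False),
    ("2015-04-01T09:00", "jsmith", "ws-117", False, False),
    ("2015-04-01T09:30", "admin-ops", "jump-01", True, True),
    ("2015-04-02T01:50", "dba-lee", "db-bg01", True, True),
    ("2015-04-02T02:10", "svc-backup", "file-07", True, False),
]

# Daily outbound byte counts per host: (day, host, bytes_out)
EGRESS_BYTES = [
    ("2015-03-29", "db-bg01", 1_000_000),
    ("2015-03-30", "db-bg01", 1_100_000),
    ("2015-03-31", "db-bg01", 900_000),
    ("2015-04-01", "db-bg01", 1_050_000),
    ("2015-04-02", "db-bg01", 48_000_000),  # the exfiltration spike
    ("2015-03-29", "file-07", 5_000_000),
    ("2015-03-30", "file-07", 5_200_000),
    ("2015-03-31", "file-07", 4_800_000),
    ("2015-04-01", "file-07", 5_100_000),
    ("2015-04-02", "file-07", 6_000_000),
    ("2015-03-29", "ws-117", 200_000),
    ("2015-03-30", "ws-117", 150_000),
    ("2015-03-31", "ws-117", 250_000),
    ("2015-04-01", "ws-117", 900_000),
]


def privileged_without_mfa(events):
    """(user, host) pairs where a privileged account authenticated on a
    password alone. Each one is a finding in its own right."""
    return sorted({(u, h) for _, u, h, priv, mfa in events if priv and not mfa})


def egress_outliers(records, factor=10):
    """Hosts whose bytes_out on some day exceeds `factor` times the median
    of that host's own daily history. The median is robust to one spike."""
    by_host = defaultdict(list)
    for day, host, nbytes in records:
        by_host[host].append((day, nbytes))
    hits = []
    for host, rows in by_host.items():
        baseline = median(n for _, n in rows)
        hits.extend((host, day, n) for day, n in rows if n > factor * baseline)
    return sorted(hits)


def pivot_hosts(events, user):
    """Every host a user authenticated to: the parallel avenues to check
    before declaring the incident contained."""
    return sorted({h for _, u, h, _, _ in events if u == user})


def hunt(events, egress):
    """Correlate both signals and pivot from every suspect account."""
    no_mfa = privileged_without_mfa(events)
    outliers = egress_outliers(egress)
    spiking_hosts = {h for h, _, _ in outliers}
    suspects = {u for u, _ in no_mfa}
    # An egress spike implicates every account that touched that host,
    # whether or not that account used MFA.
    suspects |= {u for _, u, h, _, _ in events if h in spiking_hosts}
    return {
        "privileged_no_mfa": no_mfa,
        "egress_outliers": outliers,
        "pivot": {u: pivot_hosts(events, u) for u in sorted(suspects)},
    }


if __name__ == "__main__":
    for key, value in hunt(AUTH_EVENTS, EGRESS_BYTES).items():
        print(key, value)
```

In the constructed data the exfiltration spike shows up on db-bg01 only, yet the pivot shows that svc-backup also reached db-bg02 and file-07 without a second factor. Remediating db-bg01 alone would be exactly the partial response the article describes, and it would tell the attacker which of their footholds had been noticed. A production version would read from the SIEM and use a longer baseline, but the two checks and the pivot are the point.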
Do Not Fail to Escalate the Alarm When Your Most Sensitive Data Is Under Attack
In the OPM breach, observed attack activity “should have sounded a high level multi-agency national security alarm that a sophisticated, persistent actor was seeking to access OPM’s highest-value data.” Instead, nothing of consequence was done “until after the agency was severely compromised, and until after the agency’s most sensitive information was lost to nefarious actors.” As a CISO, sound that alarm in time (or practice your panel appearance face).
Finally, don’t let this be said of your enterprise security posture: