OPM Breach – What Went Wrong?

Recently, a congressional investigation conducted by the U.S. House of Representatives’ Committee on Oversight and Government Reform reported that the two major data breaches suffered by the U.S. Office of Personnel Management (OPM) in 2014 and 2015 were indeed preventable and, in fact, were made worse by lax security practices and ineffective management. The OPM is the agency that manages aspects of federal employment, such as background checks, for most government agencies. These massive attacks resulted in the compromise of sensitive data belonging to more than 22 million people.

Though there is some divergence between the political parties within the committee over who is to blame and how much progress OPM has made since first being alerted to the potential threat in 2005 via inspector general reports, the facts are undeniable: had the OPM put basic, required security controls in place and deployed modern security tools in a timely fashion once alerted, it could have significantly mitigated, delayed, or prevented the damage inflicted by the intruders. The specifics of how and when the intruders gained access to OPM’s network are not entirely clear, but the report noted several preventive actions that OPM leadership failed to take. For example, OPM did not adopt two-factor authentication for remote logons until early 2015, though it had long been required of federal agencies. Had two-factor authentication been deployed sooner, it would have precluded the intruder’s continued access to the OPM network (Krebs). Other recommendations included longer retention of chief information officers, reduced use of social security numbers, and implementation of better monitoring and security capabilities and tools. That said, OPM has made some progress over the past year by implementing multi-factor authentication, hiring new cybersecurity advisors, and revamping its information technology infrastructure into one that is both modern and standardized.

How can you help prevent attacks like these in your own organization? Here are some basic tips for data breach prevention:

  • Establish end-user security awareness by conducting regular training so that all users are better able to notice odd behavior that could be the result of an intrusion. Additionally, establish policies concerning privacy and data security and distribute them to all employees. Train employees to lock their machines when leaving their workstations, not to click on links from unknown senders, and to maintain good cyber hygiene.
  • Implement and maintain security tools that provide visibility into and management of your organizational risk. Governance, Risk and Compliance (GRC) platforms like RSA Archer and TraceSecurity TraceCSO simplify and automate IT and security risk management. Tools like Archer also give your organization visibility into other areas by creating a dashboard of integrated security capabilities, such as vulnerability scan results and compliance remediation, with metrics and other visual information in one central location.
  • Implement and maintain effective monitoring and privileged account management programs. CyberArk offers a variety of products designed to help protect your business in this area.
    • CyberArk enables organizations to record and monitor user activity during privileged sessions, helping security teams both deter and detect the unauthorized use of privileged accounts. Real-time privileged session monitoring lets security teams detect suspicious activity as soon as it occurs and remotely terminate the session to minimize any potential damage. Additionally, searchable audit logs and session recordings are stored in a tamper-proof vault, which prevents privileged users from editing or deleting their own history and keeps the records available for review after the fact, so that the scope and severity of an incident can be clearly understood.
  • Apply patch management across all systems on your network. Don’t rely on Windows updates alone to keep you safe, because any software can introduce new vulnerabilities. Employ firewalls and anti-virus/anti-spyware programs on every system on your network, push out updates to all machines as needed, and reduce the vulnerabilities introduced by misconfiguration and unnecessary default services.
  • Back up your data securely. A remote data backup service lets your organization use its network to back up data effectively without having to worry about physical drives that can be lost or stolen. Additionally, mandate encryption of all data transmissions and only allow encrypted data to be downloaded onto portable media. Avoid using public Wi-Fi networks, as they make interception of sensitive data by third parties easier.
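The privileged session monitoring bullet above describes two properties a defender wants from a session audit trail: a tamper-evident store that a privileged user cannot quietly edit or truncate, and real-time detection of suspicious activity within a session. The following is an added example written for this article; it is not CyberArk’s code and does not reproduce any vendor product. It assumes a hypothetical vault key that only the logging service holds, a few constructed session events, and an illustrative command watchlist. Each record is chained to the previous one with an HMAC, and the latest chain head is anchored outside the store (for example, forwarded to a SIEM) so that both in-place edits and deleted entries are detected.

```python
"""Tamper-evident privileged-session audit trail with simple alerting (added example)."""
import hashlib
import hmac
import json
from datetime import datetime

GENESIS = "0" * 64

# Hypothetical vault key. In a real deployment it lives in an HSM or the vault
# service, never on the hosts whose sessions are being recorded.
VAULT_KEY = b"example-vault-key-not-for-production"

# Constructed sample events from two privileged sessions (not real data).
SAMPLE_EVENTS = [
    {"ts": "2016-09-12T14:02:11Z", "user": "dba01", "session": "s-101", "cmd": "sudo -i"},
    {"ts": "2016-09-12T14:03:40Z", "user": "dba01", "session": "s-101", "cmd": "cat /etc/hosts"},
    {"ts": "2016-09-12T02:17:05Z", "user": "dba01", "session": "s-102", "cmd": "useradd -m backup2"},
    {"ts": "2016-09-12T02:18:30Z", "user": "dba01", "session": "s-102", "cmd": "rm -rf /var/log/audit"},
]

# Illustrative watchlist: commands that create accounts or destroy audit data.
WATCHLIST = ("useradd", "usermod", "rm -rf /var/log", "auditctl -e 0", "history -c")


class AuditLog:
    """Append-only log where every entry carries an HMAC over (previous MAC, event)."""

    def __init__(self, key):
        self._key = key
        self.entries = []

    def _mac(self, prev, event):
        payload = prev + json.dumps(event, sort_keys=True)
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {"event": dict(event), "prev": prev, "mac": self._mac(prev, event)}
        self.entries.append(entry)
        return entry["mac"]

    def head(self):
        """Current chain head; a copy kept outside the store detects truncation."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return (True, -1) if intact, else (False, index of the first bad entry).

        An index equal to len(entries) means the chain is internally consistent
        but shorter than the externally recorded head, i.e. entries were removed.
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            recomputed = self._mac(prev, e["event"])
            if e["prev"] != prev or not hmac.compare_digest(e["mac"], recomputed):
                return False, i
            prev = e["mac"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, -1


def suspicious(event):
    """Return the list of reasons an event should raise an alert (empty if none)."""
    reasons = []
    hour = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
    if hour < 6 or hour >= 20:          # outside assumed 06:00-20:00 working hours
        reasons.append("off-hours")
    if any(w in event["cmd"] for w in WATCHLIST):
        reasons.append("watchlisted command")
    return reasons


def record_session(events):
    """Append events to a fresh log and collect alerts per session as they arrive."""
    log = AuditLog(VAULT_KEY)
    alerts = {}
    for ev in events:
        log.append(ev)
        reasons = suspicious(ev)
        if reasons:
            alerts.setdefault(ev["session"], []).append((ev["cmd"], reasons))
    return log, alerts


if __name__ == "__main__":
    log, alerts = record_session(SAMPLE_EVENTS)
    anchored_head = log.head()
    print("alerts:", alerts)
    print("intact:", log.verify(anchored_head))
    log.entries[3]["event"]["cmd"] = "ls /var/log/audit"   # privileged user rewrites history
    print("after edit:", log.verify(anchored_head))
```

Real-time termination of a session is the one part of the bullet this example leaves to the platform; here `suspicious()` simply returns the reasons so that the caller can page an analyst or cut the session. The design point worth noting is that the HMAC key and the anchored head must both sit outside the reach of the privileged user, otherwise a tampered log can be re-signed.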

If your organization has recently been impacted by a data breach, or you are concerned that at least one of the practices above is not being enforced properly, CyberSheath has expert staff who can assess your organization’s security and determine the threat potential of any vulnerabilities you may have, in order to prevent future attacks and data breaches. We provide services that assist clients in building and maintaining successful security programs through privacy assessment, security advising, and professional consulting services across a variety of tools, including RSA Archer GRC and CyberArk.