OPM Breach Analysis: Many Failures Highlight the Cost of Risk Ignorance
June 19, 2015 Leave a comment
- OPM’s data breach may have been prevented by any number of widely used security controls.
- However, OPM’s biggest failing was in not applying security controls in measure equal to its risk.
Given the catastrophic nature of the recently discovered data breach at the U.S. Office of Personnel Management (OPM), it’s clear both the investigation and the finger-pointing will continue for some time. However, it’s not too soon to highlight not only the security controls that may have prevented or mitigated the damage, but also the inevitable disaster that will result for any organization which fails to implement information security in equal measure to its risk.
Government officials say that China-based threat actors infiltrated OPM, essentially the government’s HR division, on at least two occasions and, over a period of many months, exfiltrated data on as many as 14 million current and former U.S. government employees and contractors. The stolen data includes names, addresses, birth dates and Social Security numbers (SSNs), as well as more than 30 years’ worth of ‘top secret’ security clearance background checks, which include everything an attacker would ever want to know about a target, from detailed financial records to names of family and friends. It’s a worst-case scenario straight out of Mission: Impossible; bad guys stole our NOC list, and this time, we didn’t even know it was gone.
So, what went wrong? It’s a long list, but here’s what stands out:
- OPM didn’t use multifactor authentication (MFA), which is incomprehensible for a data trove that valuable. It’s believed attackers used social engineering to acquire valid logins, but had MFA been in place, passwords alone wouldn’t have got them in.
- In a hearing before Congress, OPM said its data wasn’t encrypted. While it may not have mattered in this case (due to the valid logins), enterprises that don’t encrypt all instances of SSNs and other data that sensitive are simply acting irresponsibly. Encryption still represents a significant barrier to theft in many cases.
- The compromise was reportedly discovered during a threat detection vendor demo. What if it had been in place six months sooner? Threat detection systems are now table stakes for every enterprise security program, midsize and up.
- Researchers say indicators of compromise show the same techniques were used in the OPM breach and the recent attacks on healthcare providers. This invaluable insight is exactly what threat intelligence services are designed to provide. OPM and other high-risk enterprises should use threat intelligence to feed IoCs into their threat detection systems; it’s the cutting-edge way to spot the old dogs despite their new tricks.
- And, when all else fails, data exfiltration prevention, especially egress traffic monitoring, could have been key to thwarting the slow drip of data theft that likely occurred over weeks and months.
The government’s biggest single mistake though wasn’t related to any single product or technology, but failing to recognize that the risk scenario more than justified a far more substantial set of security controls. The loss of the OPM data will result in millions if not billions in damages, place many lives in danger around the world, and strike a damaging blow to many aspects of the U.S. government for years to come.
It’s hard to conceive of a greater risk than the loss of this data, yet it clearly wasn’t sufficiently protected. And that must be the biggest lesson from the OPM breach: security must be applied in equal measure to risk. In this case, the risk was sky high and security was grievously lacking. For OPM, and for the nation, it’s a costly lesson.