SecureState Blog


In early June, the United States Office of Personnel Management (OPM) announced that it had been the victim of what is probably the worst hack in U.S. history. OPM manages the personal data of millions of Federal employees going back at least 30 years. OPM’s role as a high-impact custodian of Federal data should have meant that it had stringent security controls in place to minimize data loss. Unfortunately, hackers were able to compromise between 18 and 32 million records containing sensitive personal information. These records include information on sexual, medical, and psychiatric history; family members’ personal information; debts; and other material that could be used to blackmail a Federal employee. Unfortunately, outdated security programs are not unique to OPM; they are a systemic problem among Government agencies and in private industry. Based on the limited information released by OPM, SecureState believes the following shortcomings were significant contributors to the breach, and that all organizations should ensure they can prevent similar attacks.

Lack of Data Understanding

OPM Director Katherine Archuleta has been a little cagey regarding the number of records obtained by hackers. Although OPM is trying to protect itself until an exact number can be determined, nailing down that number seems to be proving difficult. This is likely because OPM does not fully understand the types of data it holds, how that data is classified, and where it is located. Because of the interconnections between different systems and business processes, data probably resides in systems, applications, databases, and file shares that OPM does not even realize are failing to provide the necessary information protection, authentication, and confidentiality. In particular, the Federal Government has shown an inability to properly control who has access to sensitive data. For example, the White House estimated that 134,280 federal accounts have privileged access to various systems.

What can you do to protect your organization?

A poor understanding of its own data is an issue that SecureState encounters at many organizations. Every organization should maintain at least a basic understanding of where its data resides, how it interconnects, who has access to it, and what protections are in place. This is especially crucial for organizations trying to maintain regulatory compliance, such as PCI or HIPAA.

Flat Network

Based on SecureState’s experience, a flat network probably went hand-in-hand with the lack of data awareness to make the OPM breach as devastating as possible. The hackers were able to infiltrate a Government contractor’s systems and pivot to OPM’s personnel records and to the system holding background check investigation data. These systems should have been segmented onto separate networks or VLANs protected behind firewalls, so that access to one area of the network did not give a resource or user access to the entire network (which does not appear to have been the case).

What can you do to protect your organization?

Once your organization understands its data flows, review your current controls to ensure that they effectively segment data and limit the possibility of information exposure. You should also ensure that your organization has an effective patch management policy that accounts for every system.
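
One way to review segmentation controls is to model the firewall policy as a graph of zones and permitted flows, then ask whether a foothold in an untrusted zone (such as a contractor connection) can chain permitted flows to a zone holding sensitive records. The following Python script is an added example written for this post, not code from SecureState or OPM; the zone names, the two policy tables, and the choice of which zones are untrusted or sensitive are constructed assumptions for illustration.

```python
from collections import deque

# Constructed firewall policy models (zone names and permitted flows are
# illustrative assumptions, not OPM's real architecture). Each key is a
# network zone; its value is the set of zones it is allowed to initiate
# connections to.
FLAT_NETWORK = {
    "contractor_vpn": {"corp_lan"},
    "corp_lan": {"contractor_vpn", "personnel_db", "background_checks", "mainframe"},
    "personnel_db": {"corp_lan", "background_checks"},
    "background_checks": {"corp_lan", "personnel_db"},
    "mainframe": {"corp_lan"},
}

# The same zones after segmentation: contractors land on a jump host that can
# reach only the one application they support, and the record stores accept
# no inbound flows from general-purpose zones.
SEGMENTED_NETWORK = {
    "contractor_vpn": {"contractor_jump"},
    "contractor_jump": {"ticketing_app"},
    "corp_lan": {"ticketing_app"},
    "ticketing_app": set(),
    "personnel_db": set(),
    "background_checks": set(),
    "mainframe": set(),
}

UNTRUSTED = ["contractor_vpn"]
SENSITIVE = ["personnel_db", "background_checks"]


def pivot_path(rules, start, target):
    """Shortest chain of permitted flows from start to target (breadth-first
    search over the policy graph), or None if no chain exists."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parents[zone]
            return path[::-1]
        for nxt in rules.get(zone, ()):
            if nxt not in parents:
                parents[nxt] = zone
                queue.append(nxt)
    return None


def segmentation_violations(rules, untrusted, sensitive):
    """Every (untrusted zone, sensitive zone, path) triple where a foothold in
    the untrusted zone can chain permitted flows to the sensitive zone."""
    violations = []
    for u in untrusted:
        for s in sensitive:
            path = pivot_path(rules, u, s)
            if path is not None:
                violations.append((u, s, path))
    return violations


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)):
        found = segmentation_violations(rules, UNTRUSTED, SENSITIVE)
        print(f"{label}: {len(found)} violation(s)")
        for u, s, path in found:
            print("  ", " -> ".join(path))
```

Against the flat policy the script reports a two-hop path from the contractor zone through the corporate LAN to each record store; against the segmented policy it reports none. The path output tells you which rule to tighten, which is more actionable than a pass/fail result. The same model can be fed from exported firewall or VLAN ACL rules instead of the hand-written tables used here.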

Out-of-Date Architecture

Out-of-date systems and architecture are a common problem for many of SecureState’s customers, but the problem is even worse at Federal Government agencies. OPM is still running systems based on Windows XP, for which Microsoft officially ended support on April 8th of last year. Presumably, the government has been paying Microsoft large amounts of money for additional extended support. In addition to outdated operating systems, OPM had numerous mainframe applications running on COBOL code that had not been updated in over 15 years. These out-of-date systems contributed to OPM’s inability to encrypt sensitive files, making them much easier for hackers to obtain. OPM released a list of actions it plans to take to modernize its security program; its goal of migrating to a new IT environment stands out as the biggest hurdle. If OPM does not have simple security best practices in place, how can it expect to securely handle migrating an entire environment? It looks like OPM’s independent inspector general’s office came to the same conclusion. Hopefully, OPM takes the IG’s report and increased Congressional scrutiny to heart and approaches its infrastructure with a renewed emphasis on change management and security best practices.

What can you do to protect your organization?

SecureState encounters many organizations that are still using vulnerable legacy systems, especially Windows XP (and, very soon, Windows Server 2003). Unless you are shelling out the big bucks for specialized Microsoft support, your Windows XP-based systems are highly vulnerable to attack.

Inadequate Security Monitoring and Vendor Management

One of the most damning revelations following the breach was OPM’s admission that less than half of its major IT systems are protected by a security information and event management (SIEM) solution. Of 47 major systems, 25 are managed by contractors with no security monitoring from OPM. Many of OPM’s systems did not undergo any security testing, or were not tested frequently enough.

What can you do to protect your organization?

Your organization can minimize similar vulnerabilities through the two “VMPs”: Vulnerability and Vendor Management Programs. A vulnerability management program ensures that systems are continuously identified, classified, assessed for vulnerabilities, and remediated. Vendor management ensures that vendors with access to your critical systems and data maintain the same strict security controls that you do.
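
The recommendations above (know where your data is and who has privileged access, retire unsupported platforms, get every system under SIEM and vulnerability scanning, and hold contractor-managed systems to the same bar) can be turned into a repeatable gap check over a system inventory. The script below is an added example for this post, not SecureState’s or OPM’s tooling; the inventory entries, the thresholds for scan age and privileged-account counts, and the as-of date are constructed assumptions. The two end-of-support dates are Microsoft’s published dates for the products the post names.

```python
from datetime import date, timedelta

# Microsoft's published end-of-support dates for the two products the post
# names. Add rows for other platforms in your own inventory.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}

# Data classifications that require encryption at rest and tighter access.
SENSITIVE_CLASSES = {"PII", "background-investigation"}

# Constructed as-of date for the audit (an assumption, not the post's date).
AUDIT_DATE = date(2015, 7, 15)

# Constructed sample inventory: names, owners and attribute values are
# illustrative assumptions, not OPM's real systems.
INVENTORY = [
    {"name": "personnel-records", "classification": "PII", "managed_by": "OPM",
     "os": "Windows Server 2003", "encrypted_at_rest": False,
     "siem_monitored": True, "last_vuln_scan": date(2015, 5, 20),
     "privileged_accounts": 140},
    {"name": "bg-investigations", "classification": "background-investigation",
     "managed_by": "contractor", "os": "Linux", "encrypted_at_rest": False,
     "siem_monitored": False, "last_vuln_scan": None, "privileged_accounts": 30},
    {"name": "hr-kiosk", "classification": None, "managed_by": "contractor",
     "os": "Windows XP", "encrypted_at_rest": True, "siem_monitored": False,
     "last_vuln_scan": date(2015, 6, 1), "privileged_accounts": 3},
    {"name": "intranet-wiki", "classification": "public", "managed_by": "OPM",
     "os": "Linux", "encrypted_at_rest": True, "siem_monitored": True,
     "last_vuln_scan": date(2015, 6, 10), "privileged_accounts": 4},
]


def audit_system(system, today, scan_window_days=90, max_privileged=25):
    """Return the control gaps found for one system as short strings."""
    gaps = []
    sensitive = system["classification"] in SENSITIVE_CLASSES
    if system["classification"] is None:
        gaps.append("data classification unknown")
    eos = END_OF_SUPPORT.get(system["os"])
    if eos is not None and eos <= today:
        gaps.append(f"{system['os']} unsupported since {eos.isoformat()}")
    if sensitive and not system["encrypted_at_rest"]:
        gaps.append("sensitive data not encrypted at rest")
    if not system["siem_monitored"]:
        gaps.append(f"no SIEM coverage ({system['managed_by']}-managed)")
    last = system["last_vuln_scan"]
    if last is None or today - last > timedelta(days=scan_window_days):
        gaps.append("no vulnerability scan within window")
    if system["privileged_accounts"] > max_privileged:
        gaps.append(f"{system['privileged_accounts']} privileged accounts "
                    f"(> {max_privileged})")
    return gaps


def audit_inventory(inventory, today):
    """Audit every system; sensitive systems with the most gaps come first."""
    report = []
    for system in inventory:
        gaps = audit_system(system, today)
        if gaps:
            sensitive = system["classification"] in SENSITIVE_CLASSES
            report.append((system["name"], sensitive, gaps))
    report.sort(key=lambda r: (not r[1], -len(r[2]), r[0]))
    return report


def coverage(inventory, field):
    """Fraction of systems for which a boolean control field is True."""
    return sum(1 for s in inventory if s[field]) / len(inventory)


if __name__ == "__main__":
    print(f"SIEM coverage: {coverage(INVENTORY, 'siem_monitored'):.0%}")
    for name, sensitive, gaps in audit_inventory(INVENTORY, AUDIT_DATE):
        print(f"{name} ({'sensitive' if sensitive else 'non-sensitive'}):")
        for gap in gaps:
            print("  -", gap)
```

Run against the sample inventory, the report puts the contractor-managed background-investigation store first (four gaps, including no SIEM coverage and no recent scan), the personnel-records system second (unsupported OS, no encryption, 140 privileged accounts), and the unclassified Windows XP kiosk last, while the public wiki produces no findings. The point of sorting by sensitivity before gap count is that a single missing control on a sensitive system outranks several on a system that holds nothing of value.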

Although your organization may not handle records as numerous or as sensitive as OPM’s, you should still be aware of what your data is, how it is being protected, and who is accessing it. If there is a silver lining to the OPM breach, it is that organizations may recognize their own information security vulnerabilities and take proactive steps to prevent attacks.