U.S. Congressional report blames management for huge federal breach

The problem with taking a vacation is that interesting things always happen when you’re away. So I’m playing catch-up on the release last week of the Congressional report into the huge data breach at the U.S. Office of Personnel Management, which we’ve reported on earlier.

For those who need a reminder, attackers made off with personnel files of 4.2 million former and current U.S. government employees, and security clearance background investigation information on 21 million individuals – including fingerprints of 5.6 million of them.

“The damage done by the loss of the background investigation information and fingerprint data will harm counterintelligence efforts for at least a generation to come,” the 241 page report says in part.

Among the lessons learned from this embarrassing attack – particularly for large organizations with legacy systems – is that putting off or failing to prioritize cybersecurity is fatal. As far back as 2005 the inspector general of OPM warned that information held by the department was at risk. But, the report says, among the problems was an “absence of an effective managerial structure to implement reliable IT security policies.”

The agency also failed to implement a longstanding federal requirement to use multi-factor authentication for staff and contractors who log onto the network.

Discovery of the breach began March 20, 2014 when the U.S. Department of Homeland Security’s computer emergency response team notified OPM’s computer incident response team that an unnamed third party had detected a data leak. However, the report says, “senior leadership” failed to understand the extent of the compromise: While it found and locked out one hacker after discovering they had installed a key logger onto several database administrators’ workstations, it was too later: Manuals and other descriptive information had been stolen. But around the same time OPM missed another attacker who used the credentials of a contractor that helps do background checks in May to login, installed malware and created a backdoor. This attacker could have leveraged the material stolen by the first hacker, the report says.

(It is believed these attackers gained access in late 2013; other evidence showed someone had access to the network in 2012.)

Meanwhile in April, 2014 someone registers the domain “opmsecurity.org” in the name of Steven Rogers (for those who don’t know, that’s the action hero Captain America) and uses it for command and control and data exfiltration.

In July, after gaining domain administrator credentials, the second attacker began exfiltrating data. The same month someone registered “opmlearning.org” in the name of Tony Stark (action hero Iron Man – who says hackers don’t have a sense of humor), also for command and control.

It wasn’t until almost a year later that OPM realized systems had been compromised.

“Had OPM implemented basic, required security controls and more expeditiously deployed cutting- edge security tools when they first learned hackers were targeting such sensitive data, they could have significantly delayed, potentially prevented or significantly mitigated the theft,” says the report.

The report castigates management, saying the “longstanding failure … to implement basic cyber hygiene such as maintaining current authorities to operate and employing strong multi-factor authentication … represents a failure of culture, not technology.”

There aren’t any Canadian organizations with IT systems as big and complex as those in Washington. The report says U.S. federal agencies spend over US$89 billion a year on IT, most of it on maintaining and operating legacy IT systems.

Still, that doesn’t absolve any organization from not having a complete inventory of all software and hardware, from identifying and prioritizing the protection of sensitive data assets, and from limiting access to sensitive data through multifactor authentication.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now