The problem with taking a vacation is that interesting things always happen when you’re away. So I’m playing catch-up on the release last week of the Congressional report into the huge data breach at the U.S. Office of Personnel Management, which we’ve reported on earlier.
For those who need a reminder, attackers made off with personnel files of 4.2 million former and current U.S. government employees, and security clearance background investigation information on 21 million individuals – including fingerprints of 5.6 million of them.
“The damage done by the loss of the background investigation information and fingerprint data will harm counterintelligence efforts for at least a generation to come,” the 241 page report says in part.
Among the lessons learned from this embarrassing attack – particularly for large organizations with legacy systems – is that putting off or failing to prioritize cybersecurity is fatal. As far back as 2005 the inspector general of OPM warned that information held by the department was at risk. But, the report says, among the problems was an “absence of an effective managerial structure to implement reliable IT security policies.”
The agency also failed to implement a longstanding federal requirement to use multi-factor authentication for staff and contractors who log onto the network.
Discovery of the breach began March 20, 2014, when the U.S. Department of Homeland Security’s computer emergency response team notified OPM’s computer incident response team that an unnamed third party had detected a data leak. However, the report says, “senior leadership” failed to understand the extent of the compromise: While OPM found and locked out one hacker after discovering they had installed a key logger on several database administrators’ workstations, it was too late: manuals and other descriptive information had already been stolen. Around the same time, in May, OPM missed a second attacker who used the credentials of a contractor that helps perform background checks to log in, install malware and create a backdoor. This attacker could have leveraged the material stolen by the first hacker, the report says.
(It is believed these attackers gained access in late 2013; other evidence showed someone had access to the network in 2012.)
Meanwhile, in April 2014 someone registered the domain “opmsecurity.org” in the name of Steven Rogers (for those who don’t know, that’s the action hero Captain America) and used it for command and control and data exfiltration.
In July, after gaining domain administrator credentials, the second attacker began exfiltrating data. The same month someone registered “opmlearning.org” in the name of Tony Stark (action hero Iron Man – who says hackers don’t have a sense of humor), also for command and control.
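Both command-and-control domains borrowed the agency’s name, which is the kind of thing a defender can watch for in resolver logs. The script below is an added example, not code from the report or from OPM: it scans a constructed sample of DNS query log lines (only the two domain names come from the report; the timestamps, client addresses and log format are invented) and flags any registered domain that carries the brand token “opm” but is not on the organization’s own domain list, aggregating hits by domain, client and first-seen time. The two-label approximation of a registered domain and the brand-token list are simplifications a real deployment would replace with a public-suffix list and tuned tokens.

```python
import re
from collections import defaultdict

# Constructed sample of resolver log lines: timestamp, client IP, query name, record type.
# Invented for this example; only "opmsecurity.org" and "opmlearning.org" appear in the report.
SAMPLE_DNS_LOG = """\
2014-07-02T09:14:11Z 10.20.1.15 www.opm.gov A
2014-07-02T09:14:13Z 10.20.1.15 opmsecurity.org A
2014-07-02T09:15:40Z 10.20.1.22 mail.opm.gov MX
2014-07-02T10:02:05Z 10.20.1.15 cdn.opmsecurity.org A
2014-07-02T10:30:59Z 10.20.3.8 opmlearning.org A
2014-07-02T10:31:02Z 10.20.3.8 update.opmlearning.org A
2014-07-02T11:00:00Z 10.20.1.22 www.example.com A
"""

# Assumed configuration: the organization's brand tokens and its legitimate domains.
BRAND_TOKENS = ("opm",)
LEGITIMATE_DOMAINS = {"opm.gov"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def registered_domain(fqdn: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Simplification: a real tool would consult the public-suffix list so that
    names like example.co.uk are handled correctly.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn.lower()


def is_lookalike(domain: str) -> bool:
    """True when the second-level label carries a brand token but the domain is not ours.

    Substring matching is a starting heuristic; a token like "opm" would also match
    an unrelated name such as shopmart.com, so tokens need tuning per organization.
    """
    if domain in LEGITIMATE_DOMAINS:
        return False
    second_level = domain.split(".")[0]
    return any(token in second_level for token in BRAND_TOKENS)


def find_lookalike_queries(log_text: str) -> dict:
    """Scan resolver log lines and aggregate queries to brand-bearing foreign domains.

    Returns {registered_domain: {"count", "clients", "names", "first_seen"}}, sorted by domain.
    """
    findings = defaultdict(
        lambda: {"count": 0, "clients": set(), "names": set(), "first_seen": None}
    )
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # skip lines that do not fit the expected four-field layout
        timestamp, client, qname, _rtype = match.groups()
        domain = registered_domain(qname)
        if not is_lookalike(domain):
            continue
        entry = findings[domain]
        entry["count"] += 1
        entry["clients"].add(client)
        entry["names"].add(qname.lower())
        # ISO-8601 timestamps in UTC sort lexically, so min() by string is safe here
        if entry["first_seen"] is None or timestamp < entry["first_seen"]:
            entry["first_seen"] = timestamp
    return dict(sorted(findings.items()))


if __name__ == "__main__":
    for domain, info in find_lookalike_queries(SAMPLE_DNS_LOG).items():
        print(
            f"{domain}: {info['count']} queries from {len(info['clients'])} client(s), "
            f"first seen {info['first_seen']}, names={sorted(info['names'])}"
        )
```

Run against the sample, the script reports opmlearning.org and opmsecurity.org and leaves the agency’s own opm.gov names and the unrelated example.com alone; the first-seen timestamp and the set of querying clients are what an analyst would pivot on to find the affected hosts.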
It wasn’t until almost a year later that OPM realized systems had been compromised.
“Had OPM implemented basic, required security controls and more expeditiously deployed cutting-edge security tools when they first learned hackers were targeting such sensitive data, they could have significantly delayed, potentially prevented or significantly mitigated the theft,” says the report.
The report castigates management, saying the “longstanding failure … to implement basic cyber hygiene such as maintaining current authorities to operate and employing strong multi-factor authentication … represents a failure of culture, not technology.”
There aren’t any Canadian organizations with IT systems as big and complex as those in Washington. The report says U.S. federal agencies spend over US$89 billion a year on IT, most of it on maintaining and operating legacy IT systems.
Still, that doesn’t excuse any organization for failing to keep a complete inventory of all software and hardware, to identify and prioritize the protection of sensitive data assets, and to limit access to sensitive data through multifactor authentication.