A government couldn’t face many worse breaches than the intrusion Washington discovered at the department that does security clearances for many civil servants.
Okay, you can be more imaginative than me. But the siphoning of records of some 22 million current and former U.S. government employees from the Office of Personnel Management (OPM) ranks as potentially one of the most catastrophic that country has seen.
Some details have emerged from Congressional testimony by leaders of the OPM and its parent, the Interior Department. According to report leaked to FCM.com, investigators believe hackers likely accessed OPM’s local-area network last year by stealing credentials (from a contractor according to another news report) and then planted malware that created a backdoor for exfiltration.
As with any breach, officials are careful about what is revealed in public, but already infosec pros believe there are lessons all organizations can take from what has been released so far. In this piece Glen Kemp of Fortinet Inc. makes a number of suggestions, including an argument that CIOs have been paying too much attention to the IT infrastructure library (ITIL) processes for IT service management. ITIL, he says “has made it difficult to implement changes that would maintain the integrity and confidentiality of computer systems.”
In other words, he argues, IT departments have been paying too much attention to making systems available and not enough to integrity and confidentiality (also known as the CIA triad for information security).
Your organization not harnessed to ITIT? Then Kemp’s other lessons are also useful: every employee should have basic IT security training, and IT staff should be given deeper training; and penetration testing needs to be more aggressive.
For another take on the OPM attack, columnist and identity and access management expert Michele Chubirka says the incident was akin to negligence by the heads of its IT department, accusing them of “clueless leadership that flunked at basic strategy and risk management.”
As pointed out by at least one previous audit by the federal inspector general, the OPM didn’t have a comprehensive inventory of servers, databases and network devices, so that’s her lesson one. “Good asset management is the cornerstone of all security controls, providing context for addressing vulnerabilities in relation to identified threats,” she writes. “Unfortunately, this failure is all too common within organizations.”
Proper data governance, including data classification. encryption and restricted data access, are other lessons. And, of course, there’s those pesky passwords, in this case apparently lifted from a third party contractor. “Time and again, compromised passwords are identified as the culprit in breaches, but organizations still refuse to give up their love affair with this commonly exploited weakness,” Chubirka writes.
The OPM hack provides many lessons for every organization. Ignore them at your peril.