One of the problems chief executives face is the never-ending demands on the company’s resources — sales and marketing warns about encroaching competitors, research and development warns about new technologies that need to be exploited and security — well these days it’s a bottomless pit.
But if security doesn’t get pushed to the head of the list it could prove catastrophic. The just-discovered breach of perhaps four million records at the U.S. Office of Personnel Management, which manages the hiring and security clearance of most civil servants, is a perfect example.
According to the New York Times an inspector-general’s report last November found
–the agency didn’t have an inventory of all the computer servers and devices with access to its networks;
–didn’t require anyone gaining access to information from the outside to use multifactor authentication;
–didn’t regularly scan for vulnerabilities in the system;
–ran 11 of the 47 computer systems that were supposed to be certified as safe for use last year without a valid authorization.
Exactly how the data was exfiltrated hasn’t been explained, but the assumption is access credentials were compromised. That would have allowed attackers to legitimately compile a list of staffers.
The Washington Post says intruders gained access to information that included employees’ Social Security numbers, job assignments, performance ratings and training information.
“The problems were so severe for two systems that hosted the databases used by the Federal Investigative Service, which is responsible for the background investigations for officials and contractors who are issued security clearances, that the inspector general argued for temporarily shutting them down because the security flaws ‘could potentially have national security implications.'” the Times quotes the inspector-general’s report as saying.
Donna Seymour, the chief information officer at the Office of Personnel Management, said that installing multifactor authentication on the department’s “antiquated environment” was difficult and very time consuming, and that her agency had to perform “triage” to determine how to close the worst vulnerabilities.
Upgrades to the legacy systems were under way last year, and, in fact, last summer a breach was detected. But another attack started in December. The suspicion is a Chinese-based group responsible.
What could one do with a database of employees? In this case, find ones with sensitive security clearance and target them with phishing attacks. Or, merge that database with one of hospital records to identify civil servants with health problems.
The attack should be a wake-up call to Canadian organizations that are slumbering to step up the pace of security improvements. The obvious targets — federal and provincial governments, law enforcement and intelligence agencies, the financial sector, utilities and the retail sector — have been acting, although we only find out after the fact if it’s been fast enough.
Small and medium-sized businesses, thought, should not be complacent. As the Target breach demonstrated, the way into a huge retailer can be through a contractor that connects
So the questions to be asked of every IT security pro are is your organization doing everything it can to be secure? Does it have an inventory of all devices that connect to the network? Is it making use of multifactor authentication to restrict access to sensitive data? Does it regularly scan for vulnerabilities? Does it monitor who has access to sensitive data. Does it monitor traffic leaving the enterprise?
If not, are you prepared to face the CEO?