OPM hack two months later: What was learned?
Network security expert Michele Chubirka shares her thoughts about June's OPM hack and what steps IT should take to fend off future attacks.
Editor's note: For a different perspective on the OPM hack, read what Glen Kemp believes are the steps federal IT admins need to take to prevent a similar attack from occurring again.
When Office of Personnel Management (OPM) Director Katherine Archuleta gave her cringe-worthy testimony before Congress earlier this summer, it felt like a nightmare from the IT collective unconscious. A series of embarrassing appearances revealed she didn't seem to know essential details of the OPM hack or understand the problems that allowed OPM to be compromised twice in one year. Her resignation seemed a foregone conclusion and a relief for the .GOV crowd.
So what went wrong?
It would be a mistake to categorize the compromise as simply a failure in OPM's security strategy, because the agency's entire information technology program was a management catastrophe -- a guidebook in what not to do. In watching testimony and reading reports from the Office of the Inspector General (OIG), it isn't only the security failures that stand out, but clueless leadership that flunked at basic strategy and risk management. This kind of negligence is all too familiar to those of us with any tenure in IT. Reading those OIG reports feels like déjà vu, because they could be about almost any enterprise.
Prior to detection of the OPM hack, OIG IT security audits since 2009 repeatedly noted problems with OPM's program. According to a story about the breach in The Washington Post, Michael Esser, an OPM assistant inspector general, said the agency's "long history of systemic failures to properly manage its IT infrastructure may have ultimately led to the security breaches and loss of sensitive personal data…."
Lessons learned from the OPM hack range far and wide
Lesson 1: You need asset management. One of the key issues related to the agency's poor oversight of assets was a lack of visibility into its fundamental network infrastructure. According to the audit, "OPM does not maintain a comprehensive inventory of servers, databases and network devices." Moreover, while OPM had a configuration management policy, there were no standards established or an attempt to verify compliance. The vulnerability scanning program was also ineffective, because OPM's Network Management Group couldn't verify that the monthly scans were conducted for all servers. Without governance of resources, how can an enterprise know what to secure? Good asset management is the cornerstone of all security controls, providing context for addressing vulnerabilities in relation to identified threats. Unfortunately, this failure is all too common within organizations.
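The audit finding above (no comprehensive server inventory, and no way to verify that monthly scans reached every server) is exactly the check an asset inventory makes possible. The following is an added example, not code from the article or from OPM: it reconciles a constructed CMDB export with a constructed scanner export and reports servers never scanned, servers not scanned within the monthly window, and scanned hosts the inventory does not know about.

```python
"""Reconcile an asset inventory with vulnerability-scan results.

Added example, not from the article or from OPM: the CMDB and scanner
exports below are constructed samples with made-up hostnames and IPs.
"""
import csv
import io
from datetime import date, timedelta

# Constructed asset inventory (CMDB export).
INVENTORY_CSV = """hostname,ip,owner
hr-db-01,10.10.1.5,hr-apps
hr-web-01,10.10.1.10,hr-apps
payroll-app-02,10.10.2.20,finance
mainframe-gw,10.10.3.1,legacy-ops
"""

# Constructed scanner export: one row per host per completed scan.
SCAN_CSV = """ip,last_scanned
10.10.1.5,2015-07-28
10.10.1.10,2015-05-02
10.10.9.77,2015-07-30
"""


def reconcile(inventory_csv, scan_csv, today_iso, window_days=30):
    """Return (unscanned, stale, unknown): inventoried hosts the scanner never
    saw, hosts whose last scan is older than window_days, and scanned IPs that
    the inventory does not list."""
    today = date.fromisoformat(today_iso)
    inventory = {r["ip"]: r["hostname"] for r in csv.DictReader(io.StringIO(inventory_csv))}
    last_seen = {}
    for r in csv.DictReader(io.StringIO(scan_csv)):
        scanned = date.fromisoformat(r["last_scanned"])
        if r["ip"] not in last_seen or scanned > last_seen[r["ip"]]:  # keep newest scan
            last_seen[r["ip"]] = scanned
    cutoff = today - timedelta(days=window_days)
    unscanned = sorted(h for ip, h in inventory.items() if ip not in last_seen)
    stale = sorted(h for ip, h in inventory.items() if ip in last_seen and last_seen[ip] < cutoff)
    unknown = sorted(ip for ip in last_seen if ip not in inventory)
    return unscanned, stale, unknown


if __name__ == "__main__":
    u, s, k = reconcile(INVENTORY_CSV, SCAN_CSV, "2015-08-01")
    print("never scanned:", u)      # servers the scanner has no record of
    print("stale (>30d):", s)       # scanned, but not within the monthly window
    print("not in inventory:", k)   # scanner found hosts the CMDB does not list
```

The third list is the one an inventory-less program cannot produce at all: a host that is scanned but unowned has no one to patch it.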
Lesson 2: Data governance is a 'must,' not a 'should.' Another crucial point uncovered during the hearings was that critical government employee data, such as Social Security numbers and financial information, wasn't encrypted in the database. The agency also kept a large amount of Standard Form 86 data -- gathered from previous national security-related background checks. Without a data retention policy, OPM couldn't say with any degree of confidence how many records were actually compromised. While encryption won't always stop an attacker with stolen credentials from accessing data, it's a beneficial control that can make exfiltration or compromise difficult from a low-privilege account. OPM was missing one of the most important components of its information security program: data governance. Data classification and data handling standards become the building blocks for access control.
As a best practice, access control should represent the intersection of data classification with user classification. Data has value and it should be organized according to disclosure, sensitivity to loss and unavailability. Then it should be segregated accordingly with rules for handling "at rest," "in transit" and by the type of user who may interact with it. A good maxim to follow: If you don't need it, delete it. Otherwise it can be compromised, misused or worse, subpoenaed. This applies to information such as email, logs, payment card information and HR data. Encryption is a poor second. The simple truth is that you can minimize the scope of a breach by having less data to compromise.
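One way to make the two points above concrete (access as the intersection of data classification and user classification, plus "if you don't need it, delete it") is a small policy check. This is an added example, not code from the article or from OPM; the clearance levels, data classes, handling rules and retention periods are constructed assumptions, as are the sample records.

```python
"""Classification-driven access and retention checks.

Added example, not from the article or OPM. The classes, clearances and
retention periods are constructed assumptions.
"""
from datetime import date, timedelta

CLEARANCE = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# data class -> minimum user clearance, at-rest encryption, retention (days)
DATA_CLASSES = {
    "press-release": {"min_clearance": 0, "encrypt_at_rest": False, "retention_days": 3650},
    "hr-record": {"min_clearance": 2, "encrypt_at_rest": True, "retention_days": 2555},
    "sf86-form": {"min_clearance": 3, "encrypt_at_rest": True, "retention_days": 365},
}


def access_allowed(user_clearance, data_class, in_transit_encrypted):
    """Intersection of user and data classification: clearance must meet the
    class minimum, and anything above 'public' must travel encrypted."""
    rule = DATA_CLASSES[data_class]
    if CLEARANCE[user_clearance] < rule["min_clearance"]:
        return False
    return rule["min_clearance"] == 0 or in_transit_encrypted


def storage_violations(records):
    """Ids of records whose class requires at-rest encryption but are stored in the clear."""
    return [r["id"] for r in records
            if DATA_CLASSES[r["class"]]["encrypt_at_rest"] and not r["encrypted"]]


def past_retention(records, today_iso):
    """Ids of records older than their class's retention period: delete candidates."""
    today = date.fromisoformat(today_iso)
    return [r["id"] for r in records
            if today - date.fromisoformat(r["created"])
            > timedelta(days=DATA_CLASSES[r["class"]]["retention_days"])]


# Constructed sample records (ids and dates are made up)
RECORDS = [
    {"id": "rec-1", "class": "sf86-form", "created": "2009-03-01", "encrypted": False},
    {"id": "rec-2", "class": "sf86-form", "created": "2015-06-01", "encrypted": True},
    {"id": "rec-3", "class": "hr-record", "created": "2014-01-15", "encrypted": False},
    {"id": "rec-4", "class": "press-release", "created": "2015-01-01", "encrypted": False},
]
```

Run the retention sweep on a schedule and the storage check against every datastore the inventory knows about; a record that was deleted on time cannot be exfiltrated later.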
Lesson 3: Document and monitor your infrastructure. According to reports, OPM was in the midst of an entire modernization of its aging infrastructure when the breach was finally detected. But according to the OIG report, the agency didn't properly understand the project's scope, nor did it adequately consider the time necessary to migrate data to the new foundation.
The impetus fueling the modernization project was a combination of OPM's legacy architecture with a number of unsupported platforms -- including JRun -- and a mainframe with COBOL code that hadn't been updated since the Y2K bugs were fixed. But the project was absent dedicated funding; instead, money was being tapped from existing program office operating budgets. This put completion of the upgrade at risk. Successful security monitoring depends upon a stable, well-documented architecture with visibility points provided by taps, aggregation switches and log data, but OPM's infrastructure was a moving target, creating blind spots in security monitoring.
Lesson 4: Passwords still an Achilles' heel. According to FBI investigators, stolen credentials from OPM contractor KeyPoint were identified as the point of entry for attackers. Time and again, compromised passwords are identified as the culprit in breaches, but organizations still refuse to give up their love affair with this commonly exploited weakness. Maybe it's the level of effort involved with implementing multifactor authentication in an organization, especially when legacy systems are involved. Regardless, it's time to retire this much-abused authentication method, because it's causing nothing but grief for security teams.
Lesson 5: Manage your third-party relationships. As previously mentioned, credentials from a contractor were identified as the source of the OPM hack. In addition, according to one account, consultants from Argentina and China had admin access to OPM databases. This raises questions about who was actually accountable for safeguarding this data. Almost every major compromise of the last few years has been attributed to a third party, but organizations still struggle with managing outsourced relationships. When you allow third parties into your environment, you take on their risk in addition to your own. You need to identify each one of these relationships and assess how this will impact the enterprise's risk profile. One of the best ways to accomplish this is through a dedicated third-party security program with a well-documented onboarding process.
When will we finally learn?
Rep. Jason Chaffetz (R-Utah) seemed to speak for every enterprise when he accused OPM of simply "boarding up the windows" in response to the OPM hack and wondered if a "trip to Best Buy" could better solve the agency's problems. Yet how often does enterprise IT mirror the OPM money pit, albeit one with $577 million spent since 2008, 80% of it on legacy systems? Many in the security industry will focus on the foreign actors involved, but that is more of a distraction and keeps us from addressing the real concerns. The harsh truth is that most security problems can be solved with mundane controls such as asset management, data governance, configuration standards and documentation. Moreover, enterprises would be better served by IT organizations that focus more on risk management and strategy, and less on chasing the latest technology trends.