Reviewing OPM Breach Provides Clear Messages For CISO’s – Charles Leaver

Written by Dr Al Hartmann And Presented By Ziften CEO Charles Leaver


Cyber attacks, credited to the Chinese federal government, had actually breached sensitive personnel databases and stolen data of over 22 million present, previous, and prospective U.S. civil servants and family members. Stern warnings were overlooked from the Office of the Inspector General (OIG) to close down systems without existing security authorization.

Presciently, the OIG particularly cautioned that failure to close down the unapproved systems brought national security ramifications. Like the captain of the Titanic who kept flank speed through an iceberg field, the OPM responded,

” We agree that it is very important to preserve up-to-date and valid ATO’s for all systems but do not think that this condition rises to the level of a Material Weakness.”

Furthermore the OPM stressed that closing down those systems would suggest a lapse in retirement and worker benefits and incomes. Given a choice in between a security lapse and an operational lapse, the OPM chose to operate insecurely and were pwned.

Then director, Katherine Archuleta, resigned her office in July 2015, a day after exposing that the scope of the breach significantly exceeded initial assessments.

Despite this high worth information kept by OPM, the agency cannot focus on cyber security and properly safe and secure high value data.

Exactly what Can CISO’s learn from this?

Logical CISO’s will wish to prevent career immolation in an enormous flaming data breach disaster, so let’s rapidly examine the essential lessons from the Congressional report executive summary.

Focus on Cybersecurity Commensurate with Asset Value

Have an efficient organizational management structure to implement risk-appropriate IT security policies. Chronic absence of compliance with security best practices and lagging suggestion application timelines are signs of organizational failure and bureaucratic atherosclerosis. Shock the company or make preparations for your post-breach panel grilling before the inquisitors.

Do Not Endure a Lax State of Info Security

Have the needed tracking in place to maintain crucial situational awareness, leave no visibility gaps. Don’t fail to comprehend the scope or extent or gravity of cyber attack signs. Presume if you recognize attack indications, there are other indications you are missing out on. While OPM was forensically observing one attack channel, another parallel attack went unseen. When OPM did take action the hackers understood which attack had actually been identified and which attack was still successful, rather important intelligence to the opponent.

Mandate Basic Required Security Tools and Quickly Implement State Of The Art Security Tools

OPM was incredibly negligent in deploying mandated multi-factor authentication for privileged accounts and didn’t release available security technology that might have prevented or alleviated exfiltration of their most important security background investigation files.

For restricted data or control access authentication, the phrase “password safeguarded” has actually been an oxymoron for years – passwords are not security, they are an invitation to compromise. In addition to adequate authentication strength, total network monitoring and visibility is requisite for avoidance of sensitive data exfiltration. The Congressional investigation blamed sloppy cyber hygiene and inadequate system traffic visibility for the opponents’ persistent presence in OPM networks.

Do Not Fail to Intensify the Alarm When Your Most Delicate Data Is Under Attack

In the OPM breach, observed attack activity “need to have sounded a high level multi agency nationwide security alarm that a sophisticated, relentless actor was seeking to gain access to OPM’s highest-value data.” Instead, nothing of consequence was done “until after the agency was severely compromised, and until after the agency’s most sensitive information was lost to dubious actors.” As a CISO, activate that alarm in good time (or rehearse your panel look face).

Finally, don’t let this be stated of your business security posture:

The Committee acquired documents and statements showing OPM’s info security posture was undermined by an incredibly unsecured IT environment, internal politics and bureaucracy, and inappropriate priorities related to the implementation of security tools that slowed essential security choices.

Leave a Reply

Your email address will not be published. Required fields are marked *