You may have heard about the OPM (U.S. Office of Personnel Management) hack that occurred recently. Attackers were able to steal millions of records of federal employee data. This is the third successful attack against a federal agency this year.
I've seen a lot of media attention being paid to the fact that the data wasn't encrypted, redacted or obfuscated in some way. While I agree this is a gap in security, the news media loves to broadly simplify this kind of attack into a single simple check box for the failure. In reality, breaches go far deeper. In this case, based on more security focused reports and the latest audits of OPM, what comes out is a poorly constructed security program with many gaps. Unfortunately it's not exciting or easy to report on so something like "Social Security Numbers were NOT encrypted" gets wrapped with a bow and becomes the focus.
In reality this kind of attack should be recognized and mitigated before access to data occurs or soon after. The more concerning piece of this story is that the attackers went unnoticed for many months possibly more than a year! This is at the core of the problem. With the sophistication of attacks and attackers there is no way to stop all of them you must have a robust detection and response strategy and be constantly evolving. Based on the high level information I've seen with this breach, three key pieces that I feel are much more important come out.
1. The lack of a solution to detect advanced malware.
In today's environment, organizations must have a method to detect advanced and zero day malware behavior. It's become a standard of best practice. OPM was in the beginning stages of implementing a solution the federal government uses called "Einstein" when the breach was identified. Actually, it was this effort that detected the strange network behavior that eventually led to finding the breach.
At WSECU, we implemented advanced malware detection and it's been a valuable asset to the security program.
2. OPM didn't have any focused security personnel employed.
Organizations must have dedicated staff focusing on the organizations security operations. This is a fine-tuned skill set focused on the task of security and it's asking too much of IT staff to perform normal "keep the lights on" operations and security operations especially for an organization as large as OPM.
At WSECU we've hired two security-focused positions to keep a close eye on our security operations, architecture and program. This has taken the burden off of IT operations so they can focus on quality service delivery.
3. No multi-factor authentication for remote access to the network.
This is just basic. If an attacker can gain credentials from personnel through phishing and replay them on an Internet-available system to gain access to the network, it makes their job too simple and a juicy target. This is a HUGE gap in security with OPM currently and is likely the initial entry point for attackers.
At WSECU we've implemented multi-factor authentication for all our remote access services to minimize this easy in for attackers.
Moving forward at WSECU, we are putting more focus into our security program to gain even deeper security vision into our network and its operations as well as focus on being faster to respond to security events. We will continue to grow, tune our solutions and processes to meet the growing threats in cyberspace. Just remember, any company can be breached. It's a matter of how fast you respond that makes the difference.