OPM Breach Review Sends Out Strong Message To CISO’s – Chuck Leaver

Written by Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver


Cyber attacks, attributed to the Chinese federal government, had breached delicate workers databases and stolen data of over 22 million present, former, and potential U.S. civil servants and family members. Stern cautions were overlooked from the Office of the Inspector General (OIG) to close down systems without present security authorization.

Presciently, the OIG particularly warned that failure to shut down the unauthorized systems brought national security ramifications. Like the captain of the Titanic who preserved flank speed through an iceberg field, the OPM reacted,

” We concur that it is very important to preserve updated and valid ATO’s for all systems however do not believe that this condition rises to the level of a Material Weakness.”

Furthermore the OPM worried that closing down those systems would suggest a lapse in retirement and worker benefits and incomes. Provided a choice in between a security lapse and an operational lapse, the OPM decided to operate insecurely and were pwned.

Then director, Katherine Archuleta, resigned her position in July 2015, a day after revealing that the scope of the breach greatly exceeded original damage assessments.

In spite of this high value information kept by OPM, the agency cannot prioritize cyber security and adequately safe high value data.

Exactly what Can CISO’s learn from this?

Logical CISO’s will wish to prevent career immolation in a massive flaming data breach catastrophe, so let’s rapidly examine the key lessons from the Congressional report executive summary.

Focus on Cybersecurity Corresponding with Asset Value

Have an effective organizational management structure to carry out risk appropriate IT security policies. Chronic lack of compliance with security best practices and lagging recommendation execution timelines are signs of organizational failure and bureaucratic atherosclerosis. Shock the organization or prepare your post-breach panel appearance before the inquisitors.

Do Not Endure a Complacent State of Info Security

Have the required tracking in place to keep crucial situational awareness, leave no visibility gaps. Don’t fail to comprehend the scope or degree or gravity of cyber attack indicators. Assume if you determine attack indicators, there are other indications you are missing. While OPM was forensically monitoring one attack avenue, another parallel attack went unnoticed. When OPM did act the cyber attackers understood which attack had been found and which attack was still successful, quite important intelligence to the assailant.

Enforce Fundamental Required Security Tools and Expeditiously Deploy Cutting-Edge Security Tools

OPM was woefully irresponsible in executing mandated multi-factor authentication for privileged accounts and didn’t release available security technology that could have prevented or reduced exfiltration of their most valuable security background investigation files.

For privileged data or control access authentication, the phrase “password protected” has actually been an oxymoron for several years – passwords are not security, they are an invitation to jeopardize. In addition to sufficient authentication strength, total network tracking and visibility is needed for avoidance of sensitive data exfiltration. The Congressional investigation blamed sloppy cyber hygiene and insufficient system traffic visibility for the hackers’ consistent existence in OPM networks.

Don’t Fail to Escalate the Alarm When Your Critically Delicate Data Is Under Attack

In the OPM breach, observed attack activity “should have sounded a high level multi agency nationwide security alarm that a sophisticated, persistent actor was seeking to gain access to OPM’s highest-value data.” Rather, nothing of consequence was done “up until after the agency was badly jeopardized, and till after the agency’s most delicate info was lost to wicked actors.” As a CISO, sound that alarm in good time (or practice your panel look face).

Finally, do not let this be said of your business security posture:

The Committee obtained documentation and statements showing OPM’s info security posture was weakened by an incredibly unsecure IT environment, internal politics and administration, and misplaced priorities related to the release of security tools that slowed essential security decisions.

Leave a Reply

Your email address will not be published. Required fields are marked *