If the intelligence coming through is correct, and a nation state is behind the cyber attack at the US Office of Personnel Management (OPM), then IT leaders have yet another problem to worry about.
State-sponsored hackers are not just after select pieces of geopolitically advantageous intel – they’re prepared to lift millions of records at a time from organisations to get what they’re looking for.
But what are they looking for? And how do we stop them?
Even in an industry where ‘major inflection points’ seem to come along every few months, the OPM attack is a big deal. Originally thought to have compromised the personal details of only around four million US government employees, that number may now have risen to as many as 14 million.
More importantly, the breach is now said to have compromised highly sensitive data on staff applying for security clearance roles in military or intelligence positions. This data could include whether an individual has a criminal record, any history of alcohol or drug abuse, filed for bankruptcy and so on, according to reports.
This is information that a foreign state would find hugely valuable. It could be used for blackmail, coercion and even for possible recruitment of spies. And let’s not forget that the wealth of personal information contained in these employee records can also be used to make follow-up spear phishing attacks even more sophisticated and hard to spot.
A chequered past
This isn’t the first time something like this has happened. In fact, an intrusion into the OPM was traced to China last year but the department seems not to have heeded an Office of the Inspector General report soon after criticising “significant” deficiencies in its security. A watchdog has now said the OPM underinvested in security for a decade. This should be a warning to organisations everywhere – you get the security you pay for.
There are also signs that the recent Anthem breach of 80 million health records, the Premera Blue Cross incident exposing 11 million customers, and an attack on Carefirst Blue Cross (1.1 million) were linked to each other and China.
We’ll probably never find out if it was a government-sanctioned mission. But so far some reports seem to suggest that this data isn’t finding its way onto the darknet, which would be a typical move if it were nabbed by cybercriminal gangs.
So what can we learn from this? IT leaders should already be on high alert about the major data theft threat posed by cybercrime gangs – and the huge resulting clean-up and legal costs, regulatory fines, and damage to brand and shareholder value.
Knowing this threat has expanded to nation-state operatives should serve as a timely reminder to get security strategies in order, especially for government contractors.
On the plus side, best practice security to mitigate the effects of an attack shouldn’t change, whether the attacker is a criminal gang or an army hacking unit.
Aim to secure systems at every step of the cyber “kill chain”, starting with human resources. Invest in education and awareness training, so more staff can spot those all-important spear-phishing emails, and react quickly to an incident.
Then look at intelligence gathering to see if you’ve become a target. After that, it’s all about good security housekeeping, including keeping up-to-date with patches to ensure software vulnerabilities can’t be exploited. Guidelines like those produced by NIST and GCHQ are there for a reason, so follow them.
It’s also important to classify and label data and apply policies accordingly – segregating if necessary according to sensitivity.
Some highly sensitive data may need to be kept in air-gapped data stores. Delete anything that’s no longer useful or relevant. You’ll also need to authenticate access to this data strictly, along the principle of least privilege, and put a full audit trail behind it. It can also be useful to run breach ‘war games’ from time to time to check incident response plans are working.
No business is safe from a determined attacker, but what the OPM consistently failed to do was make suitable efforts to manage the risk of a serious breach. It’s a cautionary tale we would all do well to learn from. One thing’s for certain: the Edward Snowden leaks pale in comparison to the wilful errors that made this breach possible.
Sourced from Bharat Mistry, Trend Micro