The recent breach of the computer network of the US Office of Personnel Management (OPM) highlighted the substantial gaps in the US government’s security infrastructure.
This breach shows that any entity, however large the government, company or corporation, can be at risk from hacking attacks, and that the repercussions can be devastating. The US federal mainframe is protected by state-of-the-art defence systems, yet this didn’t stop the data of up to 20 million individuals from being exposed.
So, if the US Office of Personnel Management with the full resources of the US Government at its disposal can get hacked, what hope is there really for the rest of us?
How can you protect your organisation from cyber attack?
For many organisations, the risks posed by potential cyber attackers are constantly evolving. The identity, resources and motivations of those who might engineer an attack can change, as can the methods available to them. The third dimension is the organisation that needs protecting, which is also likely to be dynamic.
Such a volatile environment does not require a solution as much as an on-going risk management program. This should draw upon informed, independent security advice from seasoned, qualified professionals. A risk management program will include a comprehensive security review of the environment that needs protecting and lead to the implementation of the recommended policy, process, procedure and technical controls in a timely manner.
Done well, an ongoing risk management program helps organisations dedicate appropriate resources to necessary security activities and required solutions. Planning and allocating resources in this way can guard against misspent budget, which is both expensive and leaves an organisation open to risk: truly the worst of all scenarios.
Whilst the exact circumstances of the attacks on OPM may not be made public, the Federal Information Security Management Act Audit Report dated November 12, 2014, which assessed OPM’s security program and practices, shows that key security activities had been either totally absent or only partially applied for several years. Coupled with the smaller compromises of its delivery partner KeyPoint Government Solutions from 2014, this huge breach was as predictable as a plot line in a soap opera.
Securing the network and critical applications
Securing the network and critical applications is a big topic, and hindsight is always 20/20; however, the following steps are the foundations on which OPM’s security programme should be built:
Implement fundamental controls across the board, using accredited firewalls and VPN solutions both externally and internally, and limit access to authorised users only.
Use two-factor authentication for external and internal access to sensitive applications and hosts.
Where passwords are necessary, use long, complex phrases (including upper- and lower-case letters, extended characters and numbers), change them on a regular basis, and do not share passwords between users or hosts.
For system administrators accessing privileged accounts on highly sensitive systems, we recommend an intermediary solution that enforces an authorisation process for access to privileged accounts: it first identifies the administrator with two-factor authentication, then enters the password on the target host itself, so the administrator never needs to know it, and finally changes the password on the target system at the end of each session.
Segregate hosts from those with a different trust level: e.g. hosts that manage security, database hosts with large numbers of sensitive records, low-trust user workstations etc. should each be segregated into their own zones, with appropriate access control and monitoring between the zones.
Encrypt sensitive database contents with robust encryption.
Apply Vendor Security Patches (VSPs) in a timely manner at both the OS and application layer. (Note that the OPM Audit Report confirmed that many security actions were outstanding for longer than 120 days.)
If you are unable to patch an application, apply additional compensating controls such as: tighter segregation; host- and network-based virtual patching solutions; stricter Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) settings; and increased monitoring and investigation of alerts targeting critical or known-vulnerable hosts.
Require all third parties that have access to your environment to adhere to strict security controls applicable to your environment. Independently audit that the expected controls are in place at least annually. Note: many attacks compromise a third party in order to reach the target organisation.
Implement some form of Data Leakage Prevention solution on hosts and at your perimeters that blocks encrypted files from leaving the site and searches for data matching specific criteria (e.g. National Insurance/Social Security Numbers, Military Service Record Numbers, Passport Numbers, Bank Account Numbers, large numbers of names and addresses, files exceeding specified size limits).
Conduct regular Vulnerability Assessment scanning and Network, Server, Client and Application penetration testing from outside your network and within it, both with and without valid user credentials.
Ensure ALL hosts are covered by a regular Vulnerability Assessment (VA) scan.
Fix issues identified by VA scans and penetration tests in a timely manner. A lot of compromises occur through the exploitation of old, unpatched vulnerabilities.
Implement Security Service Level Agreements with all partners who supply services to your company.
Ensure any applications developed on your behalf follow a proven and documented Secure Software Development Life Cycle (SSDLC).
And lastly, ensure web applications are developed in line with OWASP and SANS/CWE secure coding guidelines.
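The content-inspection side of the Data Leakage Prevention control listed above, as an added example that is not from the original article: a minimal outbound check that flags oversized files, encrypted-looking (high-entropy) files, and bulk runs of Social Security or National Insurance numbers. The thresholds, the simplified identifier patterns and the sample files are constructed for illustration only.

```python
import math
import re
from collections import Counter

# Hypothetical thresholds chosen for this example (not from the article).
MAX_FILE_BYTES = 10 * 1024 * 1024   # "files exceeding specified size limits"
MAX_ID_MATCHES = 5                  # tolerate a handful, flag a bulk export
ENCRYPTED_ENTROPY_BITS = 7.5        # random-looking bytes approach 8.0 bits/byte

# Constructed, deliberately simplified patterns for two of the identifier
# types the article lists; production DLP rules add validation and checksums.
US_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
UK_NINO = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted/compressed data, ~4-5 for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_outbound(data: bytes) -> list:
    """Return the policy violations for an outbound file; [] means allow."""
    reasons = []
    if len(data) > MAX_FILE_BYTES:
        reasons.append("size-limit")
    if shannon_entropy(data) >= ENCRYPTED_ENTROPY_BITS:
        # Opaque bytes cannot be pattern-matched, so block on entropy alone.
        reasons.append("encrypted-or-packed")
        return reasons
    text = data.decode("utf-8", errors="replace")
    hits = len(US_SSN.findall(text)) + len(UK_NINO.findall(text))
    if hits > MAX_ID_MATCHES:
        reasons.append(f"bulk-identifiers:{hits}")
    return reasons


# Constructed sample files: a bulk personnel export, a routine memo that
# mentions one identifier, and a uniformly distributed "encrypted" blob.
SAMPLE_BULK_EXPORT = ("name,ssn\n" + "".join(
    f"Person {i},123-45-67{i:02d}\n" for i in range(6))).encode()
SAMPLE_MEMO = b"Please update the record for AB123456C by Friday."
SAMPLE_ENCRYPTED = bytes(range(256)) * 16

if __name__ == "__main__":
    for name, blob in [("export", SAMPLE_BULK_EXPORT), ("memo", SAMPLE_MEMO),
                       ("blob", SAMPLE_ENCRYPTED)]:
        print(name, inspect_outbound(blob) or "allow")
```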
Lack of resources
It may have been the case that, in the cash-strapped US Government, those in the OPM felt they were unable to access the funding, expertise and technology they required. It is likely that those holding the OPM purse strings today wish that they had invested more, but of course it is too late.
This sorry scenario highlights the need to make a strong business case before a catastrophe. Like most things in data security, this is a lot easier said than done. It may be useful to take up trial evaluations and proof-of-concept audits from vendors.
These can examine application and network traffic for signs of compromise. Running in audit mode, typically for two weeks, will highlight malicious activity present within corporate networks and can help demonstrate the value of investment.
No shortcuts to security and compliance
Security and compliance are often viewed as a burden by companies, and for most they do not get the priority in the business that they deserve. However, investment in regular security assessments and independent ethical hacking tests allows companies to find holes in their security defences (which could have left the company vulnerable to future breaches), prioritise them based on exploitability and impact, and close them before they are exploited.
Regular security testing is a proven key part of a healthy, balanced ‘security regime’ that assesses defences from different angles and threat scenarios, and is used to proactively manage vulnerabilities out of the system.
Fighting the budget battle
With ever-shrinking IT budgets, security and compliance can sometimes take a back seat to projects that deliver business results quickly.
If the budget that has been assigned is simply not sufficient and puts sensitive client information at risk, an IT manager or director has a duty to let stakeholders know that the resources are not sufficient and that the company (or department) is vulnerable to data breaches which could cripple operations and compromise secure information.
Accounting for the human condition in security planning
Having all the correct security solutions and compliance protocols in order can become redundant if the human component in the equation is not accounted for, as demonstrated by the effectiveness of phishing ads and malware that gain access to networks through one wrong click.
Good security procedures and training for employees add another layer of protection for companies. Some believe that the biggest weakness in their security defence is the people who operate within it. Routine and habit can make procedures pointless, which is why education and training are crucial in bringing employees into the security compliance fold.
It is never good to see an organisation suffer an attack, and of course the OPM breach is concerning as it affects highly sensitive information and there is a human cost to this breach. The IT Security industry has a responsibility to examine such instances and to learn what we can from them.