You've no doubt heard about the recent data breach affecting the U.S. Office of Personnel Management. Dating back...
to events started in 2014, potentially earlier, the Chinese government presumably obtained personal information on nearly 20 million federal workers who applied for security clearances and almost two million others, namely spouses and family members of the applicants.
Brushing aside the laughable "solution" to issues like the Office of Personnel Management (OPM) data breach -- free credit monitoring, for example -- the theft of highly sensitive personal records not only affects individuals' security, but also U.S. security. This data breach will have untold effects for decades to come.
Many analysts, vendors and industry pundits were shocked at the lack of security in such a critical environment at OPM; and the suspected third-party background check vendor(s) that were supposedly breached as well as part of this incident. Years-old audit reports show security mismanagement at the highest levels. Apparently, OPM had no multifactor authentication for critical applications. The agency also had a lack of patches, weak passwords and little to no insight into what was happening on its network. I'm not shocked. I have minimal faith in government bureaucracies, especially when they're run by people with no knowledge or experience in the things they're responsible for.
In OPM's defense and in the defense of its former director Katherine Archuleta, I see these problems in network environments everywhere. Regardless of business size, type or industry, people ignoring basic information security principles occurs across the board. Yet, we wonder why we keep getting hit.
Forget about what happened and whose heads should roll after security breaches. It's time to talk about the elephant in the room: people not fixing what they know must be fixed. Want to prevent an OPM-like cyber breach in your Windows environment? Doing so revolves around three core steps:
- Knowing what you've got (i.e. servers, applications, information and so on);
- Understanding how it's at risk (i.e. the specific threats and vulnerabilities impacting these systems and information in your unique environment); and
- Doing something about it (i.e. communicating the problems to management in their own words, looking past all the paper policies and putting in some substantive technologies, tweaking the necessary business processes, holding third-party vendors more accountable and so on).
Managing information risks can be complex, but it also boils down to these three areas. The real challenge lies in you bringing it all together.
For starters, look at what's happening with the well-publicized breaches. Acknowledge that you may have some of the same weaknesses. You'll need to confirm this through a detailed security assessment -- not just a checklist compliance audit, penetration test or vulnerability scan. If you dig in deeply, you'll see what needs to be resolved. The good news is that 90% of the issues will not only be predictable, they'll also be relatively simple to resolve.
In April 2015, the OPM discovered that personnel data of 4.2 million current and former federal government employees had been stolen. The agency spotted the data breach when it upgraded its security detection and monitoring tools. Background investigation records of current, former and prospective federal employees and contractors were also compromised. In late June, U.S. Intelligence Chief James Clapper confirmed that Chinese hackers were the prime suspects behind the cyber breach.
For example, fix your domain password policy. Make it reasonable, yet effective. Incorporate that same policy into all of your systems and applications. Leave no stone unturned.
Then move on to identity management -- user account provisioning, deprovisioning, and reprovisioning. Then fix your patch management gaps, especially for third-party software that's creating most of the risks.
Fix malware protection -- move beyond the mainstream looking at advanced malware, using "positive security" whitelisting -- along with the human weaknesses that are facilitating this challenge on your network.
Then, and perhaps finally, fix your monitoring and alerting weaknesses. Stop trying to do what OPM apparently thought it could do, which was manage your threat intelligence and response program. The skills and tools required to do this effectively are rare and need to be left up to pros such as third-party vendors.
In the end, you have to consider whether you want history to repeat itself on your network. Don't be like OPM and so many other organizations that have continually ignored what's known to work -- the basics. If you focus your efforts and never let up, the odds are in your favor. If you let things go and ignore what's out there, it's merely a matter of time before that monster rears its ugly head.
About the author:
Kevin Beaver is an information security consultant, expert witness, and professional speaker with Atlanta-based Principle Logic, LLC.
Diagnose and troubleshoot Windows Server with Windows Sysinternals
Strengthen Active Directory password policy settings
Windows Server monitoring tools for every budget
OPM breach victims receive identity theft and credit protection services