BreachExchange mailing list archives
Massive data breach followed 'long history' of failed IT systems at OPM
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 16 Jun 2015 19:20:55 -0600
http://www.washingtonexaminer.com/massive-data-breach-followed-long-history-of-inadequate-it-systems-at-opm/article/2566338

A government watchdog for the Office of Personnel Management said Tuesday that OPM has failed for almost a decade to maintain a secure information technology system, a fact that could explain two massive attacks that allowed hackers to steal personal information on millions of current and former federal workers.

Michael Esser, assistant inspector general at OPM, said the Federal Information Security Management Act, or FISMA, requires all inspectors general to audit the IT systems of the agencies they monitor. But in prepared testimony at the House Oversight and Government Affairs Committee, he said OPM has been found to be lacking in that area since 2007.

"OPM has a history of struggling to comply with FISMA requirements," he said. "Although some areas have improved, such as the centralization of IT security responsibility within the OCIO, other problems persist."

The OCIO is OPM's Office of Chief Information Officer. One major problem, Esser said, is that for several years now, it's been unclear which IT security responsibilities fall on that central office, and which are left to individual departments within OPM. Some IT security responsibilities that were left to individual departments ended up being implemented by unqualified officials, he added.

"The program office personnel responsible for IT security frequently had no IT security background and were performing this function in addition to another full-time role," he said.

"As a result of this decentralized governance structure, many security controls went unimplemented and/or remained untested, and OPM routinely failed a variety of FISMA metrics year after year," he said. "Therefore, we continued to identify this security governance issue as a material weakness in all subsequent FISMA audits through FY 2013."
Those reports prompted Committee Chairman Jason Chaffetz, R-Utah, to say OPM's IT system was the same as "leaving all the doors and windows open in your house" and hoping no one breaks in. "This has been going on for years, and it is unacceptable," he said. "This has been going on for a long time."

Esser said problems were first identified in 2007, and that those persisted through 2013. However, he said OPM made some improvements in 2014, including creating a team of IT officers that would report to OCIO. Still, he said other problems remain.

For example, the Office of Management and Budget requires agencies to run "authorizations," which are comprehensive assessments of IT systems, but Esser said OPM has routinely failed these tests.

"OPM has a long history of issues related to system authorizations," he said. "Our FY 2010 FISMA audit report contained a material weakness related to incomplete, inconsistent, and poor quality authorization packages."

He said there were some improvements in 2012, but said OPM slid back again in 2014, when 11 of its 21 systems weren't authorized in time. Esser said the lack of any consequences for failing these authorizations is a major problem.

"We believe that one of the core causes of these frequent delays in completing the authorization packages is that there are currently no consequences for the owners of OPM IT systems that do not have a valid authorization to operate," he said.

Esser said OPM doesn't have an inventory of all its servers, which makes it impossible for OPM to defend its network from attacks.

OPM Director Katherine Archuleta testified at the same hearing, which was held just a few weeks after OPM announced two separate data breaches. One of these lifted the personnel records of about 4 million current and former federal workers, and the second took information from background investigations into federal workers.
Despite what some say is the largest data breach in the history of the federal government, Archuleta insisted that she is working hard to secure OPM data, whatever is left of it. She also said OPM is faced with millions of data attacks each month.

"In an average month, OPM, for example, thwarts 10 million confirmed intrusion attempts targeting our network," she said. "These attacks will not stop – if anything, they will increase."