BreachExchange mailing list archives

Warning came too late for millions of hacked workers


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 10 Jun 2015 18:30:00 -0600

http://www.thenewstribune.com/2015/06/10/3832125_warning-came-too-late-for-millions.html?rh=1

It’s disturbing enough to discover that hackers were able to steal millions
of federal employees’ personnel files, including such information as Social
Security numbers.

But what’s at least as troubling is learning that the government’s
technological infrastructure is as badly out of date as the nation’s
physical infrastructure and so ill-equipped to withstand an attack by a
foreign government.

The New York Times reports that the inspector general of the federal Office
of Personnel Management – which keeps records and security clearance
information for current and retired employees – warned in November that the
agency’s computer system was vulnerable to hacking. In fact, hackers by
then had already made one data raid and soon would make a bigger, much more
fruitful attack, gaining personal information on at least four million
employees. The scale of the breach was “staggering,” says a congressman on
the House Intelligence Committee.

Some of the information could allow the hackers – at this point believed to
be private contractors working on behalf of the Chinese government – to
access emails of employees directly involved with security clearance. Among
other things, that would allow China to identify an employee’s foreign
contacts or learn compromising information about employees who could be
recruited as spies.

It could also give foreign agents clues that could be useful for accessing
more secure accounts and gaining access to classified information. Trying
to hack into someone’s account becomes much easier if you have a birth
date, children’s names, city of birth, schools attended, and other
information commonly used in passwords and security questions.

To adopt basic authentication protocols common in the private sector would
have required computer upgrades in what one agency official described as an
“antiquated environment.” That process was so difficult and time-consuming
that only the most urgent vulnerabilities could be addressed. In fact, the
data breach was discovered when security upgrades were being installed.

Cybersecurity must be a higher priority for government. It’s moving up
installation of a new defense system, dubbed “Einstein,” from 2018 to 2016.
But no one was willing to say whether that would have prevented this recent
breach.

The OPM data breach is not unusual; similar attacks by industrial spies
have targeted corporations, and criminals have hacked into companies like
Target to steal customer information.

On Monday, President Obama said to expect more such attacks on government
and civilian databases because both criminals and foreign governments are
“sending everything they’ve got trying to breach those systems,” which he
described as “very old.”

Clearly what’s needed is updated equipment and technical expertise that
affords better protection against foreign hack attacks. But Americans must
recognize that 100 percent cybersecurity probably isn't a realistic
expectation, either for governments or for individuals.

Everything we do to make it easier for us to access our online accounts –
using the same, easy-to-remember passwords, for instance – also makes it
easier for hackers. The best we can probably hope for is to try to stay one
step ahead of people whose entire focus is on getting at our information
and take steps to minimize the effects of the almost inevitable breaches.


_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
