BreachExchange mailing list archives

Massive data breach followed 'long history' of failed IT systems at OPM
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 16 Jun 2015 19:20:55 -0600

http://www.washingtonexaminer.com/massive-data-breach-followed-long-history-of-inadequate-it-systems-at-opm/article/2566338

A government watchdog for the Office of Personnel Management said Tuesday
that OPM has failed for almost a decade to maintain a secure information
technology system, a fact that could explain two massive attacks that
allowed hackers to steal personal information on millions of current and
former federal workers.

Michael Esser, assistant inspector general at OPM, said the Federal
Information Security Management Act, or FISMA, requires all inspectors
general to audit the IT systems of the agencies they monitor. But in
prepared testimony at the House Oversight and Government Affairs Committee,
he said OPM has been found to be lacking in that area since 2007.

"OPM has a history of struggling to comply with FISMA requirements," he
said. "Although some areas have improved, such as the centralization of IT
security responsibility within the OCIO, other problems persist."

The OCIO is OPM's Office of Chief Information Officer. One major problem,
Esser said, is that for several years now, it's been unclear which IT
security responsibilities fall on that central office, and which are left
to individual departments within OPM.

Some IT security responsibilities that were left to individual departments
ended up being implemented by unqualified officials, he added.

"The program office personnel responsible for IT security frequently had no
IT security background and were performing this function in addition to
another full-time role," he said.

"As a result of this decentralized governance structure, many security
controls went unimplemented and/or remained untested, and OPM routinely
failed a variety of FISMA metrics year after year," he said. "Therefore, we
continued to identify this security governance issue as a material weakness
in all subsequent FISMA audits through FY 2013."

Those reports prompted Committee Chairman Jason Chaffetz, R-Utah, to say
OPM's IT system was the same as "leaving all the doors and windows open in
your house" and hoping no one breaks in.

"This has been going on for years, and it is unacceptable," he said. "This
has been going on for a long time."

Esser said problems were first identified in 2007, and that those persisted
through 2013. However, he said OPM made some improvements in 2014,
including creating a team of IT officers that would report to OCIO.

Still, he said other problems remain. For example, the Office of Management
and Budget requires agencies to run "authorizations," which are
comprehensive assessments of IT systems, but Esser said OPM has routinely
failed these tests.

"OPM has a long history of issues related to system authorizations," he
said. "Our FY 2010 FISMA audit report contained a material weakness related
to incomplete, inconsistent, and poor quality authorization packages."

He said there were some improvements in 2012, but said OPM slid back again
in 2014, when 11 of its 21 systems weren't authorized in time. Esser said
the lack of any consequences for failing these authorizations is a major
problem.

"We believe that one of the core causes of these frequent delays in
completing the authorization packages is that there are currently no
consequences for the owners of OPM IT systems that do not have a valid
authorization to operate," he said.

Esser said OPM doesn't have an inventory of all its servers, which makes it
impossible for OPM to defend its network from attacks.

OPM Director Katherine Archuleta testified at the same hearing, which was
held just a few weeks after OPM announced two separate data breaches. One
of these lifted the personnel records of about 4 million current and former
federal workers, and the second took information from background
investigations into federal workers.

Despite what some say is the largest data breach in the history of the
federal government, Archuleta insisted that she is working hard to secure
OPM data, whatever is left of it. She also said OPM is faced with millions
of data attacks each month.

"In an average month, OPM, for example, thwarts 10 million confirmed
intrusion attempts targeting our network," she said. "These attacks will
not stop – if anything, they will increase."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/