BreachExchange mailing list archives

What CISOs can learn from the U.S. on handling a breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 17 Jun 2015 23:04:29 -0600

http://www.itworldcanada.com/blog/what-cisos-can-learn-from-the-u-s-on-handling-a-breach/375430

Canada is different from the U.S. in a lot of ways. One of them is that our
parliamentary committees, under the control of the government, don’t have
anywhere near the power of the independent Congressional committees south
of the border.

So private companies here have little chance of being forced to testify and
be raked over the coals for security breaches, the way executives from
Target were last year before Congress, and the way Katherine Archuleta,
director of the U.S. Office of Personnel Management (OPM), was yesterday
when she appeared before the House Committee on Oversight and
Government Reform.

Too bad. A dose of public whipping might spur some CEOs and boards to put
security higher on their priority lists. Archuleta insisted it was when 18
months ago she took over the department, which manages the personnel files
of most federal civil servants, and learned of the vulnerabilities in its
“aging legacy systems.” “I made the modernization and security of our
networks one of our top priorities,” she said. But the OPM has acknowledged
discovering two breaches, one of which exposed 4.2 million public records,
while the damage by the other hasn’t been calculated yet.

As others have pointed out, these records not only include the usual
personal information like dates of birth and social insurance numbers, but
may also include sensitive health information.

Committee members weren’t impressed. Even before Archuleta was sworn in,
committee chair Jason Chaffetz of Utah hauled out several years of security
audit reports from the inspector-general, who regularly pointed out
OPM’s security failings. Therefore the breach, Chaffetz said, was
“inexcusable,” and OPM was “grossly negligent” for what he said may be “the
most devastating cyber attack in our nation’s history.”

Then he lit into Archuleta. Why wasn’t the data encrypted? Encryption is a
valuable tool and is an industry best practice, she began, and OPM’s
cybersecurity framework promotes it. She appeared to start to say that some
of her systems are encrypted, when Chaffetz cut her off for reading from a
statement. Why didn’t you use it?, he repeated.

“An adversary possessing proper (access) credentials can often decrypt
data,” she replied. “It is not feasible to implement on networks that are
too old. The limitations on encryption’s effectiveness are why OPM is
taking other steps, such as limiting administrators’ accounts and requiring
multi-factor authentication.”

“OK,” Chaffetz replied, “but it didn’t work, so you failed utterly and
totally.” As I said, a public whipping.

One committee member tried to ease the pain by getting one of the
government witnesses appearing with Archuleta to acknowledge that there is
no silver bullet — no one technology that when applied makes an IT system
safe. Fair enough. But Archuleta was made to look helpless.

Chaffetz suggested her only choice was accepting the inspector-general’s
recommendation that systems be shut down until they were repaired or
replaced — which Archuleta implied was impractical for a government
department — or leave the door unlocked. OPM hasn’t said publicly yet how
the breaches occurred. But Seymour said after the breach was discovered the
department has toughened things up, such as mandating two-factor
authentication for users remotely accessing systems, installing additional
firewalls, reducing the number of privileged users and reducing their ability
to do certain things. OPM is also installing a new network architecture.

Committee members weren’t the only ones unimpressed with the testimony.
Forrester Research security analyst John Kindervag told me this morning
that legacy systems can definitely be encrypted (or, as he put it, “you can
encrypt anything”). And, he added, as long as key management is kept
separate from the data it’s the best protection around. Even if an attacker
got a user’s credentials, revoking all keys after the breach is discovered
makes the data useless, he said.

“Encryption is the only thing that might help this. We can’t keep layering
crap on the network and hope it’s somehow going to stop this. Encryption is
definitely the right answer, and just because the OPM can’t figure out how
to do it doesn’t mean it’s not a valid answer.”

Here’s the dilemma for CISOs: if, for the time being, breaches can’t be
prevented, is it inevitable that your organization looks as if it was
defenceless when one happens? One problem, of course, is that the public,
customers or shareholders aren’t owed an explanation that includes
information attackers could find useful. But they should be told that
everything short of heroics was done to protect the IT systems.

Private companies can stonewall reporters and shareholders, whose first
question will be “Was the data encrypted?” followed by “Was there an
intrusion detection system?” and “Was there a system on the network
watching data flowing out of the company, and if so why didn’t it detect
something suspicious?”

One lesson, of course, is that after a breach any organization will look
bad. It will look worse depending on the answers to pointed questions. At
the very least this latest breach shows CISOs that incident response ought
to include an explanation that best practices had been followed while
systems were being shored up. Archuleta couldn’t say that.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!