BreachExchange mailing list archives

OPM: 'Victim-as-a-Service' Provider


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 2 Jul 2015 19:19:19 -0600

http://www.databreachtoday.com/blogs/opm-victim-as-a-service-provider-p-1883

The U.S. Office of Personnel Management breach continues to reveal such
staggering levels of information security problems, paper-pushing and
seeming incompetence that it's creating a new cyber-espionage category I
call the "victim-as-a-service" provider.

By "victim as a service," I mean an organization has such poor security
controls that little or nothing stands in the way of a would-be hacker. How
else should the information security community view defenses that were so
shoddy that they enabled remote attackers to execute a mass data breach by
apparently using only a username and password?

Numerous government officials and security experts have suggested the hack
was a Chinese espionage operation. But it appears that OPM was easy prey
for any attacker who might want to amass names and personally identifiable
information for 4.2 million current and former federal employees.

For starters, none of the data being stored by the agency was encrypted,
OPM Director Katherine Archuleta told the House Committee on Oversight and
Government Reform this week, because the relevant systems were
"too old" (see Lawmakers Lambaste OPM Chief Over Hack). Such protection
could have rendered the data unusable in the event that the agency was
breached.

Espionage Made Easy

The security problems at the agency were - and likely still are -
staggering, including the absence of multi-factor authentication. The lack
of encryption and two-factor authentication also reveals OPM leaders'
collective failure to either ask - or react to - the basic question of what
would happen if online attackers wanted to steal information on millions of
federal workers.

"This is today's espionage made easy because people and organizations fail
to understand nor care about the security measures that they should be
implementing," self-described "cyber nihilist" Scot Terban - a.k.a. Dr.
Krypt3ia - says in a blog post. "This is a constant cry among the infosec
community but hey we never seem to really learn."

Finding a Scapegoat

While long-term fixes will be required to secure OPM, and no doubt scores
of other federal agencies, in the short term - perhaps predictably - some
legislators are calling for Archuleta's resignation. "Since 2007, the OPM
Inspector General has continuously pointed out serious deficiencies in
OPM's cybersecurity posture. OPM's response has been glacial," says Rep.
Jim Langevin, D-R.I., a senior member of the House Committee on Homeland
Security. "I am fully aware that cybersecurity is a problem that cannot be
solved, but merely managed. However, we must not allow leaders in
government or the private sector to use this as an excuse for operating
without a risk-based cyber strategy. I have seen no evidence Ms. Archuleta
understands this central principle of cyber governance, and I am deeply
concerned by her refusal to acknowledge her culpability in the breach."

Then again, might not the same be said of most members of Congress, which
holds the budgetary purse strings?

Whatever her culpability, Archuleta inherited a problem that she - like her
predecessors - has long failed to solve. The OPM's Office of the Inspector
General issued a report in 2012, highlighting numerous weaknesses. Most
damning, however, was OIG noting that it had been warning about "a material
weakness in controls over the development and maintenance of OPM's IT
security policies" since 2007. It repeated that warning in 2008, and added
in 2009 that things were getting worse - affecting the organization's
entire information security governance and management structure - after
which it repeated the same warnings in 2010 and 2011. And in 2012, the OIG
warned that the OPM's CIO office "continued to operate with a decentralized
IT security structure that did not have the authority or resources
available to adequately implement the new policies."

Coming Up Short

If that is the macro view, the micro view is equally disheartening. For
example, the OIG noted that although OPM owned "a software product with the
technical ability to compare and correlate security incidents over time,"
it was only receiving data from 20 percent of OPM's major systems, relied
on inconsistent logging practices, and staff were only monitoring the
security-incident tool during Washington business hours. In response to the
OIG warning that not one of the OPM's 47 major systems required personal
identity verification card authentication, the OPM's CIO office replied
that it had begun requiring PIV for remote authentication, but said nothing
about access from within the OPM network. "The OCIO's response to this
recommendation leads us to believe that it does not fully understand the
requirements of OMB M-11-11 ... [which] requires each major application to
enforce two-factor authentication via PIV credentials," the OIG wrote in
just one of a number of particularly exasperated-sounding exchanges.

A reminder that OPM cannot just wave a "magic wand" to fix its poor
information security culture arrived this week with reports that the
agency's emailed breach notification included a link to a third-party
identity-theft monitoring service provider, and by doing so not only looked
like a phishing attack, but may have violated Department of Defense
guidelines, which prohibit employees from clicking on links to untrusted
sites.

Security Obligations

The 2016 OPM budget request - submitted in February - sought $32 million
more than in 2015. "Most of these funds will be directed toward investments
in IT network infrastructure and security," the budget request said. "As a
proprietor of sensitive data - including personally identifiable
information for 32 million federal employees and retirees - OPM has an
obligation to maintain contemporary and robust cybersecurity controls."

Such obligations are easy to put on paper. But OPM has long been a data
breach victim waiting to happen. And it's not clear how the White House -
and agency officials - will fix that.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)