CISO’s Need To Pay Close Attention To The OPM Breach Review – Charles Leaver

By | November 7, 2016

Written by Dr Al Hartmann And Presented By Ziften CEO Charles Leaver


Cyber attacks, attributed to the Chinese government, had breached delicate workers databases and taken data of over 22 million existing, former, and potential U.S. civil servants and family members. Stern cautions were neglected from the Office of the Inspector General (OIG) to close down systems without current security authorization.

Presciently, the OIG specifically cautioned that failure to close down the unauthorized systems carried nationwide security implications. Like the Titanic’s doomed captain who preserved flank speed through an iceberg field, the OPM reacted,

” We concur that it is essential to keep updated and valid ATO’s for all systems but do not think that this condition rises to the level of a Material Weak point.”

In addition the OPM worried that closing down those systems would mean a lapse in retirement and worker benefits and paychecks. Provided an option in between a security lapse and an operational lapse, the OPM decided to operate insecurely and were pwned.

Then director, Katherine Archuleta, resigned her office in July 2015, a day after exposing that the scope of the breach significantly exceeded initial damage assessments.

Despite this high value info preserved by OPM, the agency cannot prioritize cyber security and sufficiently safe and secure high value data.

Exactly what Can CISO’s learn from this?

Rational CISO’s will wish to prevent career immolation in a huge flaming data breach catastrophe, so let’s quickly review the essential lessons from the Congressional report executive summary.

Focus on Cybersecurity Commensurate with Asset Value

Have an efficient organizational management structure to execute risk-appropriate IT security policies. Persistent lack of compliance with security best practices and lagging recommendation execution timelines are signs of organizational failure and administrative atherosclerosis. Shake up the organization or prepare your post-breach panel grilling prior to the inquisitors.

Don’t Endure a Complacent State of Information Security

Have the essential monitoring in place to maintain crucial situational awareness, leave no observation gaps. Don’t fail to comprehend the scope or extent or gravity of attack indications. Assume if you recognize attack indicators, there are other indications you are missing out on. While OPM was forensically observing one attack avenue, another parallel attack went unobserved. When OPM did do something about it the cyber attackers understood which attack had been identified and which attack was still effective, rather important intelligence to the opponent.

Enforce Basic Required Security Tools and Quickly Deploy State Of The Art Security Tools

OPM was woefully irresponsible in implementing mandated multi-factor authentication for privileged accounts and didn’t deploy available security technology that might have avoided or reduced exfiltration of their most important security background investigation files.

For privileged data or control access authentication, the phrase “password protected” has been an oxymoron for many years – passwords are not protection, they are an invite to compromise. In addition to sufficient authentication strength, complete network monitoring and visibility is required for prevention of delicate data exfiltration. The Congressional investigation blamed sloppy cyber hygiene and insufficient system traffic visibility for the hackers’ persistent existence in OPM networks.

Don’t Fail to Intensify the Alarm When Your Critically Sensitive Data Is Being Attacked

In the OPM breach, observed attack activity “ought to have sounded a high level multi agency national security alarm that a sophisticated, relentless actor was seeking to access OPM’s highest-value data.” Instead, absolutely nothing of consequence was done “until after the agency was severely compromised, and till after the agency’s most delicate information was lost to dubious actors.” As a CISO, activate that alarm in good time (or rehearse your panel look face).

Finally, do not let this be said of your business security posture:

The Committee acquired documents and testaments showing OPM’s information security posture was weakened by a woefully unsecure IT environment, internal politics and bureaucracy, and misplaced top priorities related to the deployment of security tools that slowed essential security decisions.

Leave a Reply

Your email address will not be published. Required fields are marked *