Written by Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver
Cyber attacks attributed to the Chinese government breached sensitive personnel databases and stole the records of over 22 million current, former, and prospective U.S. civil servants and their family members. Stern warnings from the Office of the Inspector General (OIG) to shut down systems lacking a current security authorization (ATO) were disregarded.
Presciently, the OIG specifically cautioned that failure to shut down the unauthorized systems carried national security implications. Like the Titanic’s doomed captain who held flank speed through an iceberg field, the OPM responded:
“We concur that it is important to maintain updated and valid ATOs for all systems; however, we do not believe that this condition rises to the level of a Material Weakness.”
In addition, the OPM stressed that shutting down those systems would mean a lapse in retirement and employee benefits and payments. Given a choice between a security lapse and an operational lapse, the OPM opted to operate insecurely and were pwned.
Then-director Katherine Archuleta resigned her office in July 2015, a day after disclosing that the scope of the breach significantly exceeded initial damage assessments.
Despite the high-value information it maintained, the agency failed to prioritize cybersecurity and to properly secure that high-value data.
What Are the Lessons for CISOs?
Reasonable CISOs will want to avoid career immolation in a massive flaming data breach disaster, so let’s quickly review the essential lessons from the Congressional report’s executive summary.
Prioritize Cybersecurity Commensurate with Asset Value
Have an effective organizational management structure to carry out risk-appropriate IT security policies. Chronic non-compliance with security best practices and lagging timelines for implementing audit recommendations are signs of organizational failure and bureaucratic atherosclerosis. Shake up the organization, or start preparing for your post-breach panel appearance before the inquisitors.
Don’t Tolerate a Complacent State of Information Security
Have the monitoring in place to maintain critical situational awareness, and leave no visibility gaps. Do not underestimate the scope, extent, or gravity of attack indicators. Assume that if you recognize some attack signs, there are other indicators you are missing. While OPM was forensically monitoring one attack channel, a second, parallel attack went unseen. When OPM did act, the attackers learned which intrusion had been spotted and which was still effective, quite valuable intelligence to the attacker.
Mandate Basic Required Security Tools and Quickly Deploy State-of-the-Art Security Tools
OPM was grossly negligent in implementing mandated multi-factor authentication for privileged accounts, and it did not deploy readily available security technology that could have prevented or reduced exfiltration of its most sensitive security background investigation files.
For restricted data or access-control authentication, the phrase “password protected” has been an oxymoron for many years: passwords are not security, they are an invitation to compromise. In addition to sufficient authentication strength, complete network monitoring and visibility is needed to prevent exfiltration of sensitive data. The Congressional investigation blamed sloppy cyber hygiene and insufficient visibility into system traffic for the attackers’ persistent presence in OPM networks.
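The two monitoring lessons above, visibility gaps (hosts no sensor ever sees) and exfiltration visibility (outbound volume to external addresses), can be reduced to a small detection routine. The following is an added example written for this article, not code from Ziften or from the Congressional investigation; the flow records, sensor names, host inventory, and the 1 MB threshold are all constructed for illustration.

```python
"""Flag large outbound transfers to external addresses and report internal hosts
that no sensor observed, using constructed flow records (not real OPM data)."""
import ipaddress
from collections import defaultdict

# Constructed sample flow records: timestamp, sensor, src, dst, bytes_out.
# Two 1.5 MB transfers from 10.1.1.20 to an external host model a bulk pull;
# the other rows are ordinary internal or small external traffic.
SAMPLE_FLOWS = """\
2015-03-01T02:10:00Z,sensor-a,10.1.1.20,10.1.1.5,4096
2015-03-01T02:11:00Z,sensor-a,10.1.1.20,203.0.113.10,1500000
2015-03-01T02:12:00Z,sensor-a,10.1.1.20,203.0.113.10,1500000
2015-03-01T02:15:00Z,sensor-a,10.1.1.21,198.51.100.7,20000
2015-03-01T02:20:00Z,sensor-b,10.1.2.30,10.1.1.5,800
"""

# Constructed asset inventory: every host the security team believes it monitors.
INVENTORY = {"10.1.1.20", "10.1.1.21", "10.1.2.30", "10.1.3.40"}

# RFC 1918 ranges are treated as internal; anything else is "external".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_flows(text):
    """Parse CSV flow lines into dicts; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, sensor, src, dst, nbytes = parts
        flows.append({"ts": ts, "sensor": sensor, "src": src,
                      "dst": dst, "bytes": int(nbytes)})
    return flows


def is_external(ip):
    """True when the address falls outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def outbound_bytes_by_host(flows):
    """Sum bytes each internal source sent to external destinations."""
    totals = defaultdict(int)
    for f in flows:
        if not is_external(f["src"]) and is_external(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def flag_exfil(flows, threshold_bytes):
    """Return {host: bytes} for hosts whose external egress exceeds the threshold."""
    return {h: b for h, b in outbound_bytes_by_host(flows).items()
            if b > threshold_bytes}


def visibility_gaps(flows, inventory):
    """Inventory hosts that appear in no flow record from any sensor.
    A host never observed is a blind spot, not evidence that it is quiet."""
    seen = {f["src"] for f in flows} | {f["dst"] for f in flows}
    return set(inventory) - seen


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("egress over 1 MB:", flag_exfil(flows, 1_000_000))
    print("unmonitored hosts:", sorted(visibility_gaps(flows, INVENTORY)))
```

On the sample data the routine flags 10.1.1.20 (3,000,000 bytes to 203.0.113.10) and reports 10.1.3.40 as a host no sensor has seen. A fixed byte threshold is the simplest possible rule; in practice the threshold would come from each host's own historical baseline, and the visibility check would be run against the full asset inventory rather than a hand-typed set.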
Don’t Fail to Escalate the Alarm When Your Most Sensitive Data Is Under Attack
In the OPM breach, the observed attack activity “ought to have sounded a high level multi-agency national security alarm that a sophisticated, persistent actor was looking to access OPM’s highest value data.” Instead, nothing of consequence was done “until after the agency was significantly compromised, and up until after the agency’s most sensitive info was lost to nefarious actors.” As a CISO, sound that alarm in good time (or practice your panel appearance face).
Finally, don’t let this be said of your enterprise security posture:
“The Committee received documents and testimony proving OPM’s information security posture was undermined by an incredibly unsecured IT environment, internal politics and bureaucracy, and inappropriate priorities related to the deployment of security tools that slowed essential security decisions.”