Charles Leaver – After the OPM Breach Review, the Message Is Clear for CISOs

Written by Dr Al Hartmann And Presented By Ziften CEO Charles Leaver


Cyber attacks, attributed to the Chinese government, breached sensitive personnel databases and stole the records of over twenty-two million current, former, and prospective U.S. government employees and members of their families. Stern warnings from the Office of the Inspector General (OIG) to shut down systems lacking a current security authorization (Authorization to Operate, or ATO) were disregarded.

Presciently, the OIG specifically warned that failure to shut down the unauthorized systems carried national security implications. Like the captain of the Titanic who maintained flank speed through an ice field, the OPM responded:

“We concur that it is very important to preserve updated and valid ATOs for all systems but do not believe that this condition rises to the level of a Material Weakness.”

In addition, the OPM worried that shutting down those systems would mean a lapse in retirement and employee benefits and paychecks. Given a choice between a security lapse and an operational lapse, the OPM chose to operate insecurely and was pwned.

Then-director Katherine Archuleta resigned her position in July 2015, a day after disclosing that the scope of the breach greatly exceeded the original estimates.

Despite the high value of the information it held, the agency failed to prioritize cyber security and to adequately secure that high-value data.

What Are the Lessons for CISOs?

Rational CISOs will want to avoid professional immolation in a massive flaming data breach catastrophe, so let’s quickly review the key lessons from the executive summary of the Congressional report.

Prioritize Cybersecurity Commensurate with Asset Value

Have an effective organizational management structure to implement risk-appropriate IT security policies. Chronic non-compliance with security best practices and lagging timelines for implementing audit recommendations are indicators of organizational failure and bureaucratic atherosclerosis. Shock the organization into action, or prepare for your post-breach panel grilling before the inquisitors.

Don’t Tolerate a Complacent State of Information Security

Have the essential monitoring in place to maintain critical situational awareness, leaving no observation gaps. Do not fail to understand the scope, extent, or gravity of cyber attack indicators. Assume that if you detect attack indicators, there are other indicators you are missing. While OPM was forensically monitoring one attack channel, a parallel attack went unobserved. When OPM did take action, the attackers learned which attack had been detected and which was still effective, quite valuable intelligence for the attacker.

Enforce Basic Required Security Tools and Quickly Deploy Cutting-Edge Security Tools

OPM was woefully negligent in implementing mandated multi-factor authentication for privileged accounts and failed to deploy available security technology that might have prevented or mitigated exfiltration of its most valuable security background investigation files.

For authenticating access to privileged data or controls, the phrase “password protected” has been an oxymoron for years: passwords are not protection, they are an invitation to compromise. In addition to adequate authentication strength, complete network monitoring and visibility is needed to prevent exfiltration of sensitive data. The Congressional investigation blamed careless cyber hygiene and inadequate visibility into system traffic for the attackers’ persistent presence in OPM networks.

Don’t Fail to Escalate the Alarm When Your Critically Sensitive Data Is Under Attack

In the OPM breach, the observed attack activity “should have sounded a high level multi-agency national security alarm that a sophisticated, consistent actor was looking to access OPM’s highest value data.” Instead, nothing of consequence was done “until after the agency was severely compromised, and until after the agency’s most delicate info was lost to dubious actors.” As a CISO, sound that alarm in good time (or rehearse your panel face).

Finally, don’t let this be said of your organization’s security posture:

The Committee acquired documentation and testimony proving OPM’s information security posture was weakened by a woefully unsecured IT environment, internal politics and bureaucracy, and inappropriate priorities related to the implementation of security tools that slowed crucial security decisions.