Recent intrusions into U.S. Office of Personnel Management (OPM) systems have the public questioning the integrity of sensitive U.S. information technology assets. Hackers, potentially working for the Chinese government, had been accessing the OPM database that houses personnel security clearance information for about a year, which gave them ample time to steal information on military and intelligence officials. The Associated Press was told that the attackers specifically acquired SF-86 forms (the questionnaire completed for national security background investigations), which makes this, "security-wise," potentially the "worst breach of personally identifying information ever," according to Michael Borohovski, CEO of Tinfoil Security.
We are breached, where do we go from here?
A full analysis of OPM's network found many vulnerabilities. Below is a summary of the measures OPM plans to take to ensure that this does not happen again.
Nextgov's summary of OPM Director Archuleta's plan to stop future cyber theft
1. Finish activating two-step ID checks — All users will be required to log in with both a password and a smartcard by Aug. 1. (The OPM attackers got into the agency's network using password data stolen from a contractor, according to officials. Once a smartcard is required in addition to the password, a stolen password alone is no longer enough to authenticate.)
2. Expanding continuous monitoring— There is a governmentwide mandate to deploy a regime of sensors, security analysts and other technology that can monitor network controls in near-real-time. OPM does not have a robust continuous monitoring operation, according to the agency’s inspector general. OPM intends to speed rollout and order contractors to do the same, where feasible.
3. Ensuring permission to probe contractor systems— OPM will write language into prospective contracts spelling out that the agency is allowed access to a contractor’s systems in the event of a cyber incident. (OPM claims background check provider USIS obstructed a federal inspection of the company’s networks after a data breach was detected last year.)
4. Reviewing encryption of databases— Wherever possible, the agency will render database records indecipherable to intruders. A review to determine which currently unencrypted databases can be converted will be completed by July 15. (Encryption would not have foiled the hackers in this case, because they used the contractor's authorized credentials to unlock the data they copied. Encryption at rest protects data taken from disk or backups; it does not protect data read through an application by an attacker who holds a valid login.)
Tapping Outside Expertise
5. Hiring a cybersecurity adviser— A private sector cyber expert will join the agency by Aug. 1.
6. Consulting private sector technology and cyber experts—Archuleta is inviting industry chief information security officers who “experience their own significant cybersecurity challenges” to a workshop in the coming weeks to discuss future steps.
7. Seeking more counsel from the inspector general— Archuleta will meet with the inspector general bi-weekly to obtain advice. (The two officials have been at odds over whether OPM's systems comply with government security statutes.)
8. Transitioning to a new IT setup — OPM is overhauling the agency's IT environment to make it easier to apply the latest security controls. Once a new operating infrastructure has been developed, existing IT systems will be transitioned to it. Some OPM technology dates back to the 1980s and runs on esoteric programming languages.
9. Finalizing the budget and scope of the overhaul by the end of the fiscal year.
10. Evaluating all contracting options— Going forward, “OPM will conduct a thorough analysis on the most reasonable and appropriate course of action, and explore all available contracting avenues to determine the best option for the health of its modernization project and for the taxpayer.” (A contractor hired, without an open competition, to help secure OPM’s systems was accused by a government watchdog this year of possibly misusing $135 million of taxpayer money after videos appeared to show its employees high on drugs and alcohol while working on a U.S. Army contract in Afghanistan, according to The Washington Post.)
11. Requesting additional congressional funding— OPM will provide lawmakers with a list of IT enhancements that require more appropriations.
12. Assessing IT project performance— Every month, Archuleta will meet with Seymour (OPM's CIO) and the new cyber adviser to review IT efforts "to ensure continued progress and accountability."
13. Holding regular cyber awareness education sessions— All employees and contractors handling sensitive information will undergo a refresher on cyber hygiene on a bi-annual basis.
14. Establishing protocols on incident response— OPM will document standard operating procedures for partnering with other agencies in the event of a future incident.
15. Complying with federal computer security laws— OPM will hold system owners responsible for following the Federal Information Security Management Act. (The agency has had a history of struggling to comply with FISMA and has been running systems not authorized to operate, according to the IG.)
The Bejtlich Detect and Respond Approach
Phase 1: Compromise Assessment: Dispatch teams across government networks to hunt for intruders and, if possible, remove them. “I suspect the ‘remove’ part will be more than these teams can handle, given the scope of what I expect they will find,” Bejtlich writes in a blog post.
Phase 2: Improve Network Visibility:
1. Fast-track the activation of EINSTEIN 3A, the latest version of a governmentwide intrusion detection and prevention system. Agencies are required to convert next year, according to the White House. "Waiting until the end of 2016 is not acceptable," Bejtlich says. "Equivalent technology should have been deployed in the late 1990s."
2. Ensure the Department of Homeland Security has authority to centrally monitor all EINSTEIN sensors deployed governmentwide. Agencies should be given access to their own data, and there should be a dialogue among agencies and Homeland Security on who should be responsible for acting on EINSTEIN's findings.
3. Hire enough DHS staff to analyze and act on EINSTEIN discoveries.
4. Make hunting and squashing malicious operations a coordinated, routine practice.
5. Collect metrics on the effectiveness of defensive operations and tailor future countermeasures based on lessons learned.
Phase 3: Deploy continuous monitoring and reduce the number of access points to the public Internet.