The bounty of information snatched in hacks of federal databases at the Veterans Administration (VA), the White House, the State Department, the US Postal Service (USPS), the Government Publishing Office (formerly the Government Printing Office), the Office of Personnel Management (OPM), and others is almost incalculable. Much has been written about the dangers these hacks pose to the country, but few in the private sector realize the dangers these same hacks pose to their companies.
What's at stake is more than protecting your own company, although that is reason enough to take immediate protective action. Since much of the country's infrastructure is in the hands of the private sector, corporate IT is the first line of defense for the country, too.
Hackers are as clever as they are diabolical. They're perfectly capable of devising many ways to use the data stolen from government agencies against countries and companies. Today, we can identify at least three ways this data can be used in attacks against both. Since forewarned is forearmed, it's prudent to take steps to reduce these vulnerabilities immediately.
Threats to Identity and Access Management
At first glance, one might assume that the data stolen in government agency hacks affects only the government -- either its works or its employees. The troubling reality is that much of the data pertains to people who work in the private sector, i.e. those who applied and were never employed by the government, those who once worked for the government, and those employed or previously employed with government contractors.
So where are all those people now?
Perhaps some are now working for your company, or for one of your key suppliers. Trouble is, you don't know who they are. They may pose a new twist on insider threats if they've been compromised by the federal hacks. How can that be?
For one thing, OPM reported on September 23 that 5.6 million fingerprints were stolen in that hack -- about five times as many as originally thought. Now, imagine that your physical and virtual security measures depend in full or in part on biometrics, specifically fingerprints. You don't know whose fingerprint data was compromised. What does that mean to your company's security?
"One of the key challenges with biometric authentication is that it's immutable. You can't change your fingerprints, retinas, or voiceprints. When biometric credentials are compromised, it's very hard to recover," said Tim Erlin, director of IT security and risk strategy at cyberthreat intelligence vendor Tripwire. "Using multifactor authentication can provide mitigation in these cases. The best authentication, as the old adage goes, requires something you are, something you have, and something you know."
But multifactor authentication, as practiced in many companies today, may not work either. The depth and breadth of the data stolen in the government hacks provides complete identity profiles that enable the circumvention of many security measures. These can include passwords, answers to security questions, biometrics ranging from fingerprints to DNA, and facial patterns. This makes it possible for bad actors to defeat even multi-layered security in many different companies across industries.
"Contrary to a popular belief, fingerprints are not unique, and out of 5.6 million fingerprints compromised, there can be quite a few people who have fingerprints similar enough to be accepted by the biometric authentication system," said Igor Baikalov, chief scientist for security-intelligence company Securonix.
"Now, if there is someone with access to top-secret information, and his fingerprint data can be matched to someone else with a known gambling problem -- known from the background checks also leaked by OPM -- the attacker has a way to potentially circumvent biometric authentication. Far-fetched? Probably. But not impossible," he added.
As a result, IT and InfoSec professionals are going to have to come up with additional user authentications to mitigate these risks, and perhaps create a few new ones. Since those authentication measures may also be compromised one day, IT and InfoSec professionals may need to rotate authentication factors regularly, or find other means to offset predictability in factors hackers need to overcome.
Threats in Predictive Analysis
Predictive analytics are becoming more pervasive and easier to use. They are well within the reach of hackers of all stripes, including nation-states and hacktivists. Analytics can be used on the stolen federal data for a wide variety of purposes -- none of which are good.
For example, analytics can be used to predict when key employees are likely to quit or travel, and where they're likely to go. That information can lead to several threats, ranging from kidnappings to recruiting disgruntled employees to help attack the company. It could also lead to more efficient phishing and direct access to data or a facility if a hacker can time the use of an employee's credentials to happen immediately after their departure and before IT gets around to revoking their access.
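As an added illustration (not part of the original article), here is a defender-side check for the revocation gap described above: it joins an HR separation list against authentication logs and flags any use of a credential after its owner's departure. The CSV layouts, field names, and account names are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed HR offboarding export: account and separation time (UTC).
HR_CSV = """account,separated_at
jdoe,2015-11-02T17:00:00
asmith,2015-11-10T12:00:00
"""

# Constructed authentication log: time, account, entry point, outcome.
AUTH_CSV = """ts,account,source,result
2015-11-02T09:14:00,jdoe,vpn,success
2015-11-02T17:42:00,jdoe,vpn,success
2015-11-03T02:05:00,jdoe,webmail,failure
2015-11-09T08:00:00,asmith,badge,success
2015-11-12T23:30:00,asmith,vpn,success
2015-11-12T23:31:00,mlee,vpn,success
"""

def load_separations(text):
    """Map account -> separation time from the HR export."""
    return {r["account"]: datetime.fromisoformat(r["separated_at"])
            for r in csv.DictReader(io.StringIO(text))}

def post_departure_events(hr_text, auth_text, grace=timedelta(0)):
    """Return auth events later than an account's separation time plus grace.

    A success means access had not been revoked yet; a failure means the
    credential is still being tried. Both are reported, at different severity.
    """
    separated = load_separations(hr_text)
    findings = []
    for row in csv.DictReader(io.StringIO(auth_text)):
        left = separated.get(row["account"])
        if left is None:
            continue  # account is not on the offboarding list
        ts = datetime.fromisoformat(row["ts"])
        if ts > left + grace:
            findings.append({
                "account": row["account"], "source": row["source"],
                "result": row["result"], "delay": ts - left,
                "severity": "high" if row["result"] == "success" else "medium",
            })
    return findings

if __name__ == "__main__":
    for finding in post_departure_events(HR_CSV, AUTH_CSV):
        print(finding)
```

The `delay` value on each successful event is a direct measure of how long revocation lagged behind the departure.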
"The main vulnerabilities are the ways that nearly all organizations allow direct communication to the individuals at the desk: email and Web servers," Clay Calvert, director of cyber-security at government IT contractor MetroStar Systems, told InformationWeek. "We can have some of the most sophisticated firewalls, but like the Maginot Line in France, it is so easy to get past formidable defenses if you can simply walk around them."
Threats to a Company's Work Abroad
However, not all security threats stemming from the federal hacks will hit at home. Many private sector companies operate globally, and doing so requires access to other markets and meetings in other countries. New security threats are rising on those fronts too.
"American businesses who want their employees to obtain visas for business in China may find that, for reasons that are not articulated, certain employees may be denied a Chinese visa," Joe D. Whitley, the first General Counsel of the Department of Homeland Security, former Acting Associate Attorney General for the Department of Justice, and current chairman of Baker Donelson's Government Enforcement and Investigations Group, told InformationWeek.
"United States citizens abroad in China may find that their Chinese counterparts are very literate about their past government affiliations," he added. "We are traveling into some unknown territory with a data breach as massive as the OPM breach, so we will be living with an unfolding challenge to our national security for many years to come."
This means that companies will need to assess threats beyond company databases, and extend defenses to corporate business plans and physical plants. IT may, in some cases, need to look at geolocation tracking and instant help alert technologies for employees as a matter of ensuring their safety.
Unfortunately, all of these threats, and more to come, are amplified by data breaches in the private sector, as well as data leakage from unexpected sources. One example of that is government data leakage through marketing efforts by retailers. But that's another story. Look for Part 3 of this series for details on new security threats rising on that front.
Meanwhile, it's time for IT and InfoSec professionals to get aggressively creative in mitigating these new concerns born of federal data breaches. Don't worry, it isn't necessary to do this alone.
"We need a nationally focused, collaborative effort," Ken Slaght, retired Rear Admiral and Commander of the Space and Naval Warfare Systems Command, told InformationWeek. Before he retired, Slaght's duties included delivering and maintaining computer and intelligence systems (C4I). Slaght is currently co-chair and president of the nonprofit San Diego Cyber Center of Excellence (CCOE).
"Crowdsourcing can be part of the solution, although classified information will always be an issue," he said. "There are cyber centers all over the nation. We need to create more of these regionally, link them nationally, and collaborate in every direction in order to man an adequate defense for all."
In part one of this three-part series we explored what IT needs to know about government-led cyberwarfare. In the final part of this series, learn how marketing's insatiable drive for data is threatening us all.