OPM Breach Offers Tough Lessons For CIOs - InformationWeek


Commentary | Larry Loeb | 6/17/2015 11:06 AM

While your enterprise may have a chief information security officer and a robust data governance department, CIOs and IT organizations are the ones on the front lines of protecting enterprise data. What lessons can we draw from the OPM breach?


The recent breach at the US Office of Personnel Management (OPM) exposed data on 35 million government employees. According to a Reuters report, more than 35 years of data were compromised. This comes on the heels of a previous breach at OPM in 2014 that targeted the records of people applying for security clearances.

The FBI points the finger at China in these episodes, but China is by no means the only threat. The US has recently charged a Russian national with the theft of 160 million credit card numbers, and has attributed a cyber-attack on an unclassified White House network to Russia itself. Government agencies are not the only targets. Sony was allegedly hammered by North Korea in the dispute over The Interview, and ended up changing how it does business because of it. Health insurance provider Anthem had 80 million records compromised.

(Image: tigerlily via Pixabay)

The most obvious lesson is that legacy systems are vulnerable. Legacy infrastructure is exposed to attack techniques and tools that may not even have existed two years ago, and it rarely gets the patches, hardening, or monitoring that would counter them. Legacy systems are tempting to attackers precisely because they are static (an exploit that worked last year still works today, so they are easier to breach) and because they usually hold important information somewhere inside them.

Since it is highly unlikely that a "burn it down and start again" system upgrade is a viable option, IT is left with the task of trying to improve how it uses what is already there.

Networks are the first place to start. Most users don't care how networks are configured as long as they work. Attackers care a great deal, because the network is their route into your house. If you have a data superhighway leading straight into your datacenter, put up the tollbooths of network segmentation: divide the network into zones, allow only the specific flows each zone needs, and log whatever crosses a boundary. Segmentation does more than slow an intruder's lateral movement. The chokepoints it creates are where you can see, and alert on, data suddenly flowing in volume toward somewhere it has no business going.

The second tollbooth should be multi-factor authentication for access to data. Rather than accepting a username and password alone, this approach requires the user to prove possession of a second factor, typically a one-time code from a hardware token or phone, in response to a challenge. A stolen or guessed password is then not enough on its own. Had this been in place at OPM, a password alone would not have opened the door.

The analytics used to define normal operation in a legacy system must be constantly evaluated and improved. As an example, OPM's traffic was being monitored during the breaches by the multi-billion-dollar, government-wide intrusion detection system called, ironically, Einstein. It failed miserably. It failed because it relied on people to tell it what to look for: a signature-based IDS only flags traffic that matches a pattern someone has already described to it. Because the intruders used techniques that had not yet been seen and catalogued (the kind of unknown the industry loosely calls a "zero day"), there was nothing for the IDS to match. The lesson OPM offers for IT here is that blind reliance on any analytic tool will not guarantee your data is safe from attack. Signatures catch yesterday's attacks; only a baseline of what normal looks like gives you a chance at today's.
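The segmentation tollbooths described two paragraphs up and the baseline-versus-signature point made here are really one mechanism seen from two sides, so one added example covers both. It is written for this page (not code from OPM, Einstein, or the article) and everything in it is constructed: the zone layout, the allowed-flow policy, the flow-record format, the sample records, and the per-destination baseline. The first check enforces the segmentation policy at zone boundaries; the second needs no signature at all, it just asks whether a destination is suddenly receiving far more than it normally does.

```python
import ipaddress
from collections import defaultdict

# Hypothetical network zones (constructed for this example; not OPM's layout).
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app":          ipaddress.ip_network("10.20.0.0/24"),
    "db":           ipaddress.ip_network("10.30.0.0/24"),
    "jump":         ipaddress.ip_network("10.40.0.0/28"),
}

# Allowed cross-zone flows as (src_zone, dst_zone, dst_port). Anything else
# that crosses a zone boundary is a violation. Note: no entry lets
# workstations reach "db" directly, and none lets any zone talk to "external".
POLICY = {
    ("workstations", "app", 443),
    ("workstations", "jump", 22),
    ("app", "db", 5432),
    ("jump", "db", 5432),
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line: str) -> dict:
    """Flow record format (constructed): '<epoch> <src> <dst> <dport> <bytes>'."""
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "dport": int(dport), "bytes": int(nbytes)}


def policy_violations(flows: list) -> list:
    """Flows that cross a zone boundary without a matching POLICY entry."""
    alerts = []
    for f in flows:
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        if sz != dz and (sz, dz, f["dport"]) not in POLICY:
            alerts.append(f"DENY {sz}->{dz}:{f['dport']} "
                          f"{f['src']}->{f['dst']} ({f['bytes']} bytes)")
    return alerts


def volume_anomalies(flows: list, baseline: dict, factor: int = 10,
                     min_bytes: int = 1_000_000) -> list:
    """Sum bytes per (source zone, destination) and flag any destination that
    received more than `factor` times its baseline for the window. `baseline`
    maps destination IP -> bytes normally seen per window (learned from normal
    operation; constructed here). Destinations with no baseline at all are
    flagged once they exceed `min_bytes`, which is how a bulk copy to a host
    nobody has heard of shows up. No attack signature is involved."""
    totals = defaultdict(int)
    for f in flows:
        totals[(zone_of(f["src"]), f["dst"])] += f["bytes"]
    alerts = []
    for (sz, dst), total in totals.items():
        expected = baseline.get(dst, 0)
        if total > max(factor * expected, min_bytes):
            alerts.append(f"VOLUME {sz}->{dst}: {total} bytes vs baseline {expected}")
    return alerts


def analyze(lines: list, baseline: dict) -> tuple:
    flows = [parse_flow(l) for l in lines if l.strip()]
    return policy_violations(flows), volume_anomalies(flows, baseline)


# Constructed sample records: a normal web hit, a normal app->db query, a
# workstation talking to the database directly, an oversized app->db pull,
# and a bulk push from the database zone to an outside address.
SAMPLE_FLOWS = [
    "1434556800 10.10.4.21 10.20.0.5 443 18200",
    "1434556801 10.20.0.5 10.30.0.9 5432 42000",
    "1434556802 10.10.4.21 10.30.0.9 5432 900",
    "1434556803 10.20.0.5 10.30.0.9 5432 610000000",
    "1434556804 10.30.0.9 203.0.113.77 443 2400000000",
]

# Constructed baseline: bytes each destination normally receives per window.
BASELINE = {"10.20.0.5": 5_000_000, "10.30.0.9": 50_000_000}

if __name__ == "__main__":
    denies, volumes = analyze(SAMPLE_FLOWS, BASELINE)
    for alert in denies + volumes:
        print(alert)
```

The two checks complement each other: the workstation-to-database flow is tiny and would never trip a volume threshold, but it violates policy; the app-to-database pull is on an allowed path but ten times larger than normal. The flow to 203.0.113.77 trips both, which is the pattern a staged exfiltration leaves at a segment boundary.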

To avoid losing precious information, enterprises must be flexible enough to rethink how they do business, how they store and use data. CTOs and CIOs are the leaders in this effort. But there is no technological magic bullet to be found. What has worked for you before will not stand up to sophisticated future attacks. Just ask Anthem.

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet ...
Comments
larryloeb (User Rank: Author), 6/24/2015 10:38:05 AM
Re: The hackers
Well, besides the obvious IP tracking used (and correlating it to other previous attacks) there seems to have been certain code fragments and techniques that were used before.

There may be other factors here nobody is talking about (NSA pwning Chinese assets?) but considering both the target and the techniques used, there is a decent chain to link this to nation-states.
larryloeb (User Rank: Author), 6/18/2015 3:39:23 PM
Re: Commercial encryption products that existed in year 2000 could have prevented the breach
Well, the way I heard this one was that OPM was a COBOL shop using 20 year old programs. I can't recall any COBOL crypto libraries, although an OS wrapper may have been useful.

Remember, this is the US Government we are talking about. If there is no funding for a program, it doesn't happen. Congress has to tell these guys to implement.

And I don't think OPM even had a CIO until 2013.