Advanced Computing in the Age of AI | Saturday, January 29, 2022

Federal State of Cyber Insecurity: New Day, New Breach?

When the United States government accused China of hacking the Office of Personnel Management and gaining access to the records of 4 million current and former federal employees, it marked only the latest – but perhaps biggest – cybersecurity breach to shake the nation.

"We are unprepared. Until fairly recently, hackers lacked the actual useful information that's out there. Now there are tools to put the stolen data to work," Erik Knight, CEO of SimpleWan, told Enterprise Technology. "There is basically a market for it. Cyberthreats are here to stay. Have a plan in place to thwart hacker attacks, and you should be well on your way to protecting sensitive company and customer data."

However, the window between developing a security plan and fully implementing it is when an organization is at its most vulnerable, as two recent federal breaches demonstrate.

Over the past year, OPM began "an aggressive effort to update its cybersecurity posture," the organization wrote on its website on Thursday, "adding numerous tools and capabilities to its networks. As a result, in April 2015, OPM became aware of the incident affecting its information technology (IT) systems and data that predated the adoption of these security controls."

The organization plans to notify up to 4 million existing and one-time employees and enroll them, at no charge, in credit monitoring and fraud-prevention services for 18 months, OPM wrote.

The Federal Bureau of Investigation (FBI) is looking into the breach, which was discovered in April. The Department of Homeland Security (DHS) determined records had been taken in May, the Wall Street Journal reported. OPM manages background checks, pension plans, and job training for multiple federal agencies, giving it access to a lot of sensitive personal information.

Federal officials blame China for the breach, an offense the Chinese government quickly disavowed. According to the WSJ, Chinese Foreign Ministry Spokesman Hong Lei said: "Cyberattacks are anonymous, cross-border and hard to trace. If you keep using the words 'maybe' or 'perhaps' without making a thorough study, this is irresponsible and unscientific. We hope the U.S. side will shed its suspicions."

This is not the first time OPM was breached: In July 2014, "senior government officials" cited China for hacking into some OPM databases and networks, the New York Times wrote. Monitoring systems apparently alerted OPM administrators about the intrusion, the article said.

OPM's breach comes less than a month after Russian hackers allegedly broke into the Internal Revenue Service and stole the personal information of more than 100,000 taxpayers via its "Get Transcript" service. (Russia denied the charges.)

Of the 200,000 attempts thieves made to breach the system between February and May, cybercriminals succeeded about half the time – or 100,000 times, Reuters reported. Rather than hacking into the system, thieves used information they'd gathered – from social media or earlier hacks – to access Get Transcript, the IRS said.

"In this sophisticated effort, third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems," the IRS wrote on its website. "The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer."
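The IRS describes a knowledge-based authentication (KBA) flow that attackers cleared about half the time by replaying PII gathered elsewhere. The following is an added example, not IRS code or anything from the original article: it profiles constructed authentication-attempt log lines (format, field names and the thresholds are assumptions) and flags sources that clear KBA for many different taxpayer identities, the fan-out pattern a legitimate taxpayer never produces.

```python
from collections import defaultdict

# Constructed sample log: timestamp,source_ip,taxpayer_ref,outcome
# (field names and format are assumptions, not the IRS's real logs).
SAMPLE_LOG = """\
2015-03-01T10:00:01,203.0.113.5,tp-0001,pass
2015-03-01T10:00:09,203.0.113.5,tp-0002,fail
2015-03-01T10:00:15,203.0.113.5,tp-0003,pass
2015-03-01T10:00:22,203.0.113.5,tp-0004,fail
2015-03-01T10:00:30,203.0.113.5,tp-0005,pass
2015-03-01T10:00:41,203.0.113.5,tp-0006,pass
2015-03-01T11:12:00,198.51.100.7,tp-0100,fail
2015-03-01T11:30:00,198.51.100.7,tp-0100,pass
2015-03-02T09:05:00,192.0.2.44,tp-0200,pass
"""

def parse_log(text):
    """Yield (source_ip, taxpayer_ref, outcome) from the CSV-style lines."""
    for line in text.splitlines():
        if line.strip():
            _ts, src, ref, outcome = line.split(",")
            yield src, ref, outcome

def profile_sources(records):
    """Per source: attempt count, passes, and distinct identities targeted."""
    stats = defaultdict(lambda: {"attempts": 0, "passes": 0, "identities": set()})
    for src, ref, outcome in records:
        s = stats[src]
        s["attempts"] += 1
        s["passes"] += outcome == "pass"   # bool counts as 0 or 1
        s["identities"].add(ref)
    return stats

def flag_sources(stats, min_identities=3):
    """Flag sources that clear KBA for many different taxpayers.

    A genuine taxpayer answers for one identity, usually passing; an actor
    replaying harvested PII fans out across many identities and passes only
    part of the time, the roughly 50% pattern the article reports.
    """
    flagged = {}
    for src, s in stats.items():
        n_ids = len(s["identities"])
        if n_ids >= min_identities:
            flagged[src] = {"identities": n_ids,
                            "pass_rate": round(s["passes"] / s["attempts"], 2)}
    return flagged

def detect(text=SAMPLE_LOG):
    """Run the pipeline over a log and return the flagged sources."""
    return flag_sources(profile_sources(parse_log(text)))

if __name__ == "__main__":
    print(detect())
```

In production the per-source key would be combined with session and device signals, since a campaign spread across many addresses defeats a per-IP count alone.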

Open Season?

In addition to the obvious issues of data loss and invasion of privacy that result from these and other breaches, there are deeper, long-term implications, security executives agreed.

"We are fast approaching 'breach fatigue.' The difficulty is that defenders can never fail, while an attacker only needs to succeed once," said Jean Taggart, senior security researcher at Malwarebytes Labs, research arm of the anti-malware company, in an email interview. "I worry that the public will start ignoring these breach notices instead of demanding better results of the custodians of valuable information, be it from the private or public sector. These large breaches are a painful reminder that we are failing at security."

In both the IRS and OPM cases, hackers did not over-tax security technologies. Rather, neither organization was current on its security infrastructure, tools, or policies, simplifying the process for cybercriminals. The Treasury Department's inspector general for tax administration, which audits the IRS' security systems annually, told the Senate Finance Committee the IRS had not implemented 44 recommendations, some of which should have made illicit entry more difficult. And a March 2015 report from the Government Accountability Office (GAO) outlined 50 weaknesses in the IRS' security that were unresolved, leaving financial and taxpayer information "unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure," the GAO wrote.

In the case of the IRS, audits located vulnerabilities and shared that information, but little happened as a result. That discovery may not surprise government cynics, but it unfairly undermines public (and perhaps corporate) confidence in best-of-breed security technologies and policies: the tools were recommended, not deployed.

"It looks like evaluation took place, recommendations were made, and that’s where it stopped," Taggart said. "Big institutions like the IRS move at a ponderous pace. As all of our records become digitized, it’s vitally important to make sure they’re secure. Getting upper management to buy into the process and see it to fruition is key."

Lesson Learned?

With each large new breach, pundits predict more organizations will learn an invaluable lesson. Retailers may have done so; Target certainly lost money and customers in the wake of its breach, but a host of other retail breaches followed. So why do breaches continue?

"It is because we don't take these things seriously. It is up to customers or citizens to hold the organizations responsible. Unfortunately we've always had the 'it won't happen to me' attitude. Anyone who's had their identity stolen knows it is probably one of the worst things in the world that can happen, leaving someone completely vulnerable," said Knight. "It's going to take more of these types of breaches to really change the push to make things stronger. The average business is unaware it's being hit with more than 10,000 attempted intrusions a day, and the number of these attacks is growing. When a data breach does occur, it can take months to discover it."

Add special protection for your organization's 'crown jewels'

Organizations can eliminate some risk by moving some data offline and isolating their most valuable information, security experts agreed.

"I would advise them to look at the data they have and identify the crown jewels, and then segregate it. This is data that would be attractive to potential adversaries -- databases of users with personal information, high value intellectual property, critical business information," Taggart said. "Audit access to these types of data and investigate any anomalies. Look into data exfiltration solutions. There is no silver bullet. High visibility breaches serve to remind us that we must be ever vigilant."

Some data should not even connect to the Internet, cautioned Ian Murphy, technical security consultant at IAM Security Information Network.

"Computer security and IT have all been screaming for years, decades, to fix the problems before they became problems, but no one can fix the problems because they all went nuts having to have to connect [everything] — just wrong," he told Enterprise Technology. "They are trying to close the barn door after the herd has gotten out. Good luck on that one."

It'll take more than luck, though. As a nation, the United States must do better to protect itself and its public, private, and non-profit organizations from organized and individual attacks, said Knight.

"Almost every emerging nation is teaching and training IT personnel like the Internet is the future battlefield. The things they are encouraged to do in school we don't even think anyone would do," he said.

About the author: Alison Diana

Managing editor of Enterprise Technology. I've been covering tech and business for many years, for publications such as InformationWeek, Baseline Magazine, and Florida Today. A native Brit and longtime Yankees fan, I live with my husband, daughter, and two cats on the Space Coast in Florida.