This week in Washington, there have been a lot of calls for the resignation of Katherine Archuleta, the Director of the Office of Personnel Management (OPM). She was at the helm when the breach of millions of government personnel records occurred, so some say that ultimately she should be responsible. President Obama has the final say as to whether she keeps her job, and so far he has stood by his appointee. Before any decisions are made about her fate, we should consider all aspects of the breach.
Most breaches in the private sector are discovered by a third party, usually by credit card companies investigating fraud or by law enforcement investigating other crimes. Breaches are seldom discovered by the organization that was actually attacked. This was not the case at the OPM. The OPM’s own press release states that the breach was discovered during “an aggressive effort to update its cybersecurity posture” and that this formidable effort was ongoing for over a year.
Director Archuleta inherited an obviously antiquated system that had been cobbled together over decades. She was trying to rectify problems as quickly as time and budget would allow. It was not her fault that the systems under her control did not have lasting security protocols in place; Director Archuleta had to accept what her predecessors left her. However, unlike her predecessors, she did not maintain the status quo. Archuleta was attempting to upgrade and modernize the security systems. As a result of those aggressive efforts, the breach was discovered. It’s very possible that the breach would have gone completely unnoticed for much longer if it weren’t for the actions of Director Archuleta.
If Director Archuleta does lose her position as OPM director, it will send the wrong message to directors of other agencies: Don’t go looking for things in your network, because if you find bad things you might lose your job. Instead of simply pointing a finger at a scapegoat, let’s examine what the underlying causes of the breach were and what lessons can be learned from them.
The first principle of a resilient security program is to discover all your assets as a baseline and as an inventory against which to track activity
First, know what’s on your network. Some reports indicate that OPM did not have a full accounting of hardware and software attached to their networks. The first principle of a resilient security program is to discover all your assets as a baseline and as an inventory against which to track activity. The key here is to discover those network assets right now, not to rely on purchase requisitions or outdated network diagrams. Know for a fact what is currently connected to your network and the software installed on those systems. This includes mobile devices, virtual machines and cloud applications. This gives you a baseline for your scope and attack surface; you can’t defend what you don’t understand.
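To make the "discover it now, don't trust the diagram" point concrete, here is an added example (not from the original post, and not OPM's or any vendor's tooling) that reconciles a live discovery sweep against the documented inventory. Both data sets are constructed sample data in a simplified "ip mac hostname" format; in practice the discovery side would come from a scanner or the switches' ARP/CAM tables.

```python
"""Reconcile a live host discovery against the documented asset inventory.

Added illustration, not OPM's or any product's code. Host records and the
discovery output below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    ip: str
    mac: str
    name: str


# Constructed: what the purchase records / network diagram claim exists.
DOCUMENTED_INVENTORY = [
    Host("10.0.1.10", "00:1a:2b:3c:4d:01", "hr-db-01"),
    Host("10.0.1.11", "00:1a:2b:3c:4d:02", "hr-app-01"),
    Host("10.0.1.20", "00:1a:2b:3c:4d:03", "file-srv-01"),
    Host("10.0.1.30", "00:1a:2b:3c:4d:04", "print-01"),
]

# Constructed: what a discovery sweep actually saw on the segment today.
DISCOVERY_OUTPUT = """\
# ip            mac                name
10.0.1.10       00:1a:2b:3c:4d:01  hr-db-01
10.0.1.11       00:1a:2b:3c:4d:02  hr-app-01
10.0.1.20       00:1a:2b:3c:4d:99  file-srv-01
10.0.1.77       0c:9d:92:aa:bb:cc  (unknown)
10.0.1.78       f4:5c:89:11:22:33  dev-vm-03
"""


def parse_discovery(text):
    """Parse the constructed 'ip mac name' lines, skipping comments/blanks."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, name = line.split(None, 2)
        hosts.append(Host(ip, mac.lower(), name))
    return hosts


def reconcile(documented, discovered):
    """Compare inventory against reality and report three kinds of drift:

    unknown  - live on the network but absent from the inventory
    missing  - in the inventory but not seen (decommissioned? or offline?)
    changed  - same IP, different MAC (hardware swapped or address reused)
    """
    doc_by_ip = {h.ip: h for h in documented}
    seen_by_ip = {h.ip: h for h in discovered}
    unknown = sorted(ip for ip in seen_by_ip if ip not in doc_by_ip)
    missing = sorted(ip for ip in doc_by_ip if ip not in seen_by_ip)
    changed = sorted(
        ip for ip in seen_by_ip
        if ip in doc_by_ip and seen_by_ip[ip].mac != doc_by_ip[ip].mac
    )
    return {"unknown": unknown, "missing": missing, "changed": changed}


if __name__ == "__main__":
    report = reconcile(DOCUMENTED_INVENTORY, parse_discovery(DISCOVERY_OUTPUT))
    for kind, ips in report.items():
        print(f"{kind:8s}: {', '.join(ips) or '-'}")
```

Each of the three buckets is an action item: unknown hosts widen the attack surface you thought you had, missing hosts mean the inventory is stale, and a changed MAC on a known address is worth a look before it is quietly accepted as the new normal.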
Implement continuous patching and vulnerability scanning, not just periodic checks
Once you know what’s on your network, you can start securing it. Implement continuous patching and vulnerability scanning, not just periodic checks. Do not rely on quarterly or monthly audits, which can result in blind spots between audits. Know what is on your network now, what vulnerabilities are present now, not last week.
Make sure you have the right technologies in place for your environment
Next, make sure you have the right technologies in place for your environment. Vulnerability management, application whitelisting, intrusion detection, proper network segmentation, encryption, data separation and more: all things that should be taken into consideration depending on your environment. Look at both your networks and your data; you need to protect both. Unfortunately, OPM did not encrypt its data, which contributed to the loss of personal information.
Users should only have access to what they need to do their jobs
Keep a close eye on which users have access to critical resources. There are reports that some OPM system administrators used ‘root’ access on a regular basis. Users should only have access to what they need to do their jobs. Keep tight control over root and admin access. Enforce strong passwords. Remove default accounts. Quickly revoke access when employees leave or change jobs. The OPM has already committed to implementing 2-factor authentication for all employees by August 1st.
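An added example, not part of the original post and not OPM's process, showing what a periodic privileged-access review can look like in code. It runs the four checks named above (who holds root/admin rights beyond the approved list, default accounts still enabled, departed staff still active, and accounts that have gone stale) over a constructed account export and a constructed HR roster; the column layout, the list of default account names and the 90-day staleness window are assumptions for the illustration.

```python
"""Privileged-access review over a constructed account export.

Added illustration, not OPM's or any product's code. The CSV export, the HR
roster, the approved-admin list and the default-account names are all
constructed for this example.
"""
import csv
import io

# Constructed export: username, groups (pipe separated), enabled, days since last login
ACCOUNT_EXPORT = """\
username,groups,enabled,last_login_days
alice,wheel|staff,yes,2
bob,staff,yes,5
carol,wheel|staff,yes,1
dave,staff,yes,140
root,wheel,yes,0
guest,users,yes,400
admin,wheel,yes,33
eve,staff,yes,3
"""

# Constructed HR roster: employment status per person.
HR_ROSTER = {
    "alice": "active", "bob": "active", "carol": "active",
    "dave": "active", "eve": "terminated",
}

# Constructed policy inputs for the example.
APPROVED_ADMINS = {"alice"}            # only these humans may hold root-equivalent rights
ROOT_EQUIVALENT_GROUPS = {"wheel"}     # group(s) that confer admin/root access
DEFAULT_ACCOUNTS = {"guest", "admin"}  # vendor/default names that should be removed
STALE_AFTER_DAYS = 90


def parse_accounts(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"],
            "groups": set(row["groups"].split("|")),
            "enabled": row["enabled"].lower() == "yes",
            "last_login_days": int(row["last_login_days"]),
        })
    return rows


def review_access(accounts, roster):
    """Return a dict of findings keyed by check name, each a sorted user list."""
    excess_admin, default_enabled, departed_active, stale = [], [], [], []
    for a in accounts:
        name = a["username"]
        if not a["enabled"]:
            continue  # disabled accounts are not a live exposure
        if name in DEFAULT_ACCOUNTS:
            default_enabled.append(name)
        if name != "root" and a["groups"] & ROOT_EQUIVALENT_GROUPS and name not in APPROVED_ADMINS:
            excess_admin.append(name)
        if roster.get(name) == "terminated":
            departed_active.append(name)
        if a["last_login_days"] > STALE_AFTER_DAYS:
            stale.append(name)
    return {
        "excess_admin": sorted(excess_admin),
        "default_enabled": sorted(default_enabled),
        "departed_active": sorted(departed_active),
        "stale": sorted(stale),
    }


if __name__ == "__main__":
    for check, users in review_access(parse_accounts(ACCOUNT_EXPORT), HR_ROSTER).items():
        print(f"{check:16s}: {', '.join(users) or '-'}")
```

The point of wiring the HR roster in is the "quickly revoke access" rule: an account review that only looks at the directory cannot tell that eve left last week. Note that the `admin` account shows up twice, as a default account and as an unapproved admin; both findings are correct and both want fixing.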
Watch your network traffic in real time for anomalies
Once you have inventoried your hardware and software, stabilized your patch management, implemented secure technologies and gotten a grasp on user access, you can start looking for bad guys inside your network. You need to do more than just watch the perimeter. You need to do more than catch known malware and CVEs. You need to watch your network traffic in real time for anomalies. Log everything, and examine those logs. Between your network traffic and your logs, you should be able to quickly identify any anomalies. So, after you have been breached—and you will be breached—you will know about it sooner, you will be able to minimize the damage, and you will be able to reconstitute systems more quickly.
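As an added example (not from the original post, and not a description of any real OPM monitoring), here is one simple form of the anomaly check the paragraph above calls for: each internal host's outbound byte volume for the day is compared against its own recent baseline, and hosts that blow past that baseline, or that have no baseline at all, are reported. The flow records below are constructed sample data in a simplified "date src dst bytes" format; the three-sigma threshold and the 50% floor on it are assumptions for the illustration.

```python
"""Flag hosts whose outbound traffic deviates from their own baseline.

Added illustration, not OPM's or any product's code. The flow log lines are
constructed; a real deployment would read NetFlow/IPFIX or proxy logs.
"""
import statistics
from collections import defaultdict

# Constructed flow log: date, internal source, destination, bytes out.
FLOW_LOG = """\
2015-06-01 10.0.1.10 203.0.113.5 1000000
2015-06-02 10.0.1.10 203.0.113.5 1100000
2015-06-03 10.0.1.10 203.0.113.5 900000
2015-06-04 10.0.1.10 203.0.113.5 1050000
2015-06-05 10.0.1.10 203.0.113.5 950000
2015-06-06 10.0.1.10 198.51.100.9 25000000
2015-06-01 10.0.1.11 203.0.113.5 500000
2015-06-02 10.0.1.11 203.0.113.5 520000
2015-06-03 10.0.1.11 203.0.113.5 480000
2015-06-04 10.0.1.11 203.0.113.5 510000
2015-06-05 10.0.1.11 203.0.113.5 490000
2015-06-06 10.0.1.11 203.0.113.5 520000
2015-06-06 10.0.1.77 198.51.100.9 3000000
"""


def daily_outbound(text):
    """Sum bytes per (date, source host) from the constructed log lines."""
    totals = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, src, _dst, nbytes = line.split()
        totals[(date, src)] += int(nbytes)
    return totals


def detect_anomalies(text, today, z=3.0, floor_ratio=0.5, min_days=2):
    """Compare each host's volume on `today` against its earlier days.

    threshold = mean + max(z * stdev, floor_ratio * mean); the floor keeps a
    perfectly flat baseline from flagging trivial jitter. Hosts with fewer
    than `min_days` of history cannot be baselined and are reported separately.
    """
    totals = daily_outbound(text)
    history = defaultdict(list)
    today_bytes = {}
    for (date, src), nbytes in totals.items():
        if date == today:
            today_bytes[src] = nbytes
        elif date < today:
            history[src].append(nbytes)

    anomalous, no_baseline, details = [], [], {}
    for src, nbytes in sorted(today_bytes.items()):
        past = history.get(src, [])
        if len(past) < min_days:
            no_baseline.append(src)
            continue
        mean = statistics.fmean(past)
        sd = statistics.stdev(past)
        threshold = mean + max(z * sd, floor_ratio * mean)
        details[src] = (nbytes, round(threshold))
        if nbytes > threshold:
            anomalous.append(src)
    return {"anomalous": anomalous, "no_baseline": no_baseline, "details": details}


if __name__ == "__main__":
    result = detect_anomalies(FLOW_LOG, today="2015-06-06")
    for src in result["anomalous"]:
        seen, limit = result["details"][src]
        print(f"ANOMALY {src}: {seen} bytes out today, baseline limit {limit}")
    for src in result["no_baseline"]:
        print(f"NO BASELINE {src}: new talker, cross-check against the asset inventory")
```

Two things are worth noticing. A per-host baseline catches a 25x jump that a single network-wide threshold would drown out, and the "no baseline" bucket is where this check hands off to the inventory step: a host that has never sent traffic before is either a new, approved asset or something that should not be there.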
Prevention and recovery
Being secure requires never-ending vigilance, constant awareness of network activity, and knowledge of data paths. Would all of these things have prevented the OPM attack? Unlikely. But if these things had been in place, OPM would have discovered and recovered from the breach much faster.
Whatever happens to Director Archuleta, everyone can learn from this incident and improve the security of their organizations, instead of becoming paralyzed with fear over potential job loss.