Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

The OPM Breach Two Years Later: Why We Need a Marathon

The White House called for a 30-day sprint in response to the devastating data breach at the Office of Personnel Management (OPM), discovered in April 2015. The immediate goal was to bring agencies’ cybersecurity up to an acceptable level. It directed agencies to implement a number of best practices, including scanning systems for known threats, patching critical vulnerabilities, managing privileged access and using multi-factor authentication. But is a sprint enough?

OPM timeline

Two years after the breach, which exposed sensitive records and personal information of 21.5 million past, present and potential federal employees, the OPM Inspector General still found the agency was struggling to meet cybersecurity requirements. OPM is not the only agency facing these challenges. The Government Accountability Office has classified federal cybersecurity as a high-risk program for 20 years.

To address today’s cybersecurity challenges, the government needs a marathon

A sprint is fine if you need to quickly meet a short-term goal, but that’s not how the government or the world should be thinking about risk or security. To address today’s cybersecurity challenges head on, the government needs a marathon. Without a resilient and comprehensive cybersecurity strategy, agencies will struggle to understand their true level of exposure and to reduce their risk.

The changing world

The federal government is frequently criticized for maintaining legacy IT systems. The House Oversight Committee last year called agencies’ reliance on outdated and unsupported technology “a ticking time bomb.” Alongside these legacy systems, agencies are adopting new computing assets like cloud, DevOps/containers and the Internet of Things (IoT) that are disrupting the traditional network perimeter to create a dynamic and boundaryless IT environment.

Alongside legacy systems, agencies are adopting new computing assets

Operational technologies (OT) like SCADA/ICS are still a major part of the government’s critical infrastructure, and while designed for precision and reliability, were not built with security in mind. The rise of industrial IoT means critical devices such as medical devices, transportation systems and ICS have become internet accessible.

This convergence of IT and OT is expanding the already complex attack surface, creating additional security risks and safety concerns for chief information security officers (CISOs) who already struggle to gain visibility into their exposure areas.

Real modernization

Real modernization requires change in how systems are architected

Agencies must modernize IT systems if they are to improve their cybersecurity. But modernization requires more than merely updating or replacing legacy systems with new products and services. Real modernization requires change in how systems are architected. The systems must provide administrators with the visibility to fully monitor all assets—whether on-premises or in the cloud—in as close to real time as possible. Administrators must be able to manage them and to respond quickly to vulnerabilities, threats and attacks. This requires interoperability and the use of automation where possible, so that administrators and security personnel can apply their human intelligence where it is most needed.

Modernization will be a big job for agencies. The GAO reported to the House Oversight Committee last year that agencies spent more than 75 percent of their fiscal 2015 IT budgets on legacy equipment. Some systems still are using COBOL (the Common Business Oriented Language) for computers developed in the late 1950s and early 1960s.

Replacing these antiquated systems would be a step forward in improving cybersecurity. But completing the task of modernization will require a long-term commitment to change and will be realized only if it is prioritized by agencies, legislators and the administration. Initiatives such as President Trump’s recent Executive Order on cybersecurity can help point the way to needed changes and strategic planning. The Modernizing Government Technology bill that has been introduced in Congress would help by establishing a capital fund to help agencies finance new technology. This could jumpstart the modernization process and make it easier for agencies to make long-term plans and to respond quickly to evolving threats and technology.

Ultimately, each agency must establish and pursue its own strategic plans focusing on the long-term goal of manageable and secure information systems. Only then can the government be fully prepared to regain control of their networks and confidently manage cyber risk in today’s modern IT landscape.

More information

For more data about the OPM situation, visit the Tenable OPM web page and download the free whitepaper.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.