The Office of Personnel Management’s cyber security protocol was a perfect storm for a worst case scenario.
A new report from the Institute for Critical Infrastructure Technology cited OPM’s scattered IT governance, lack of cybersecurity experts and lack of cyber threat detection technology as the major pitfalls leading to the theft of 21.5 million federal personnel files — the largest cybersecurity breach in OPM’s history.
“It goes to show you that anyone is vulnerable to these kinds of issues.” said Dan Waddell, a lead contributor to the study from the International Information Systems Security Certification Consortium.
Waddell spoke on Federal Drive with Tom Temin about what ICIT and ISC² found in its study. Waddell said once OPM hires the right people and invests in proper system programs, the agency will be in a better position to detect future intrusions—including advanced persistent threats.
With class and flourish, ICIT’s report is blunt to the point of scathing. Its stated OPM did little to safeguard its antiquated systems, even quoting OPM’s inspector general calling it, “akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information.”
This comes mainly from the fact there was no official response team for cybersecurity threats.
“OPM did not have a central IT staff who prescribed to some sort of risk management 101,” Waddell said. Even if personnel were designated to the task, there was no active coordination between them, leaving the systems highly vulnerable.
“What you had were projects that were managed on the division level with no apparent central oversight,” Waddell said.
The study also stated hackers likely accessed OPM’s system through valid user credentials, and later “escalated their privilege” by creating higher-level credentials once inside the network. Waddell said third-party contractor access to valid accounts are what likely caused the breach in the first place.
“There was a stolen contractor credential that started the domino effect,” Waddell said. “Several cyber security staff positions weren’t funded at the time, and the ones that were couldn’t hold system owners accountable.”
With the issues outlined, Waddell said OPM needs to take actions that make future security situations “proactive rather than reactive.”
Train people to act
Waddell said that change starts at the hiring process. “Hiring personnel must gain a better understanding of all the diverse types of cybersecurity skills and what the requirements are for that position,” he said.
He added that “instilling a cybersecurity culture” made of knowledgeable personnel working cohesively are key to keeping systems safe.
The study cited a lack of error identification procedures as a factor that let hackers stay in OPM’s systems for so long.
The report stated that “had OPM practiced Six Sigma, ITIL, or CERT’s Octave Allegro” — statistical models for identifying threat factors — “then management would have recognized the need for greater security, greater governing policy, and greater planning.”
“Getting those security processes and check and balances in place can save a lot of that headache,” Waddell said.
Evolve tech for threat response
ICIT’s report suggested that, as a way to combat unauthorized user access, OPM should consider behavioral analytics as part of its defense.
Waddell said behavioral analytics can catch threats in action based on typical user activity and permissions.
“If they don’t need access to the database, we’re not going to give it to them,” Waddell said. “If all of a sudden, we see this person trying to access that database, its going to set off a red flag.”
With the addition of a cybersecurity adviser that reports directly to the new director already in place, OPM is already taking steps to improve its security measures. However, Waddell said change must be a continuous effort that shouldn’t be limited to just the IT department.