A Congressional investigation into the devastating hack of the US government's Office of Personnel Management (OPM) has detailed shortcomings in the organisation's security and made recommendations for other federal departments to prevent the same from happening to them. The hefty 227-page report doesn't pull its punches about the seriousness of the hack, as is apparent from the second you read its title:
"The OPM Data Breach: how the government jeopardised our national security for more than a generation"
The report describes how OPM's servers came under attack between 2012 and early 2015, with hackers ultimately stealing the personnel files of 4.2 million former and current government employees and the security clearance background investigation information on some 21.5 million individuals. In addition, the hackers stole the fingerprint records of almost six million government workers. The nature of the personal information stored by the OPM on individuals went far beyond the typical organisation, including a "wealth of information about their past activities and lifestyle." This included extensive financial information, employment history, home addresses for the past ten years, details of emotional or mental health issues, use of illegal drugs or controlled substances, alcohol abuse, and so forth... It is clear that such personal information could be a gold mine for spies, or for those interested in blackmailing government workers. Former CIA director Michael Hayden warned that the stolen data "remains a treasure trove of information that is available to the Chinese until the people represented by the information age off. There's no fixing it." According to the report, the initial breach at OPM was facilitated by login credentials stolen from a contractor - allowing hackers to log into the network. The lack of two-factor authentication, therefore, was clearly an enormous oversight as it would have - most likely - prevented the attackers from gaining entry via this route. This is obviously a potential problem for many other organisations, which may not have additional levels of authentication in place and be at risk of having workers' credentials stolen via phishing, keylogging malware or simply through the now perennial problem of people reusing the same passwords across multiple services.
Another interesting finding shared by the report is that there were actually two attackers who breached OPM's security. The first attacker was discovered by OPM's security team and monitored for some time before a decision was made to curtail their access before they could do more harm. Unfortunately, a second attacker was not discovered and ultimately made off with the millions of documents and personnel records which subsequently made for so many headlines in the media. In the opinion of the report, OPM missed an important opportunity to strengthen its security when it discovered the first evidence of a hacker at work - and its failure to implement additional technologies such as two-factor authentication and other technologies aided the second, more calamitous incident:
"Had OPM implemented basic, required security controls and more expeditiously deployed cutting edge security tools when they first learned hackers were targeting such sensitive data, they could have significantly delayed, potentially prevented, or significantly mitigated the theft."
Jason Chaffetz, a Republican representative from Utah and chairman of the group which compiled the report, has these words for the victims of the breach, and speaks directly to federal CIOs about how similar attacks must be prevented in future:
"For those whose personal information was compromised, I hope this report provides some answers on the how and why. Most of all, however, it is my hope that the findings and recommendations contained herein will inform and motivate current and future CIOs and agency heads so we - as a government - can be smart about the way we acquire, deploy, maintain, and monitor our information technology. The OPM data breach and the resulting generational national security consequences cannot happen again. It is up to leaders like you and Congress to ensure it does not happen again."
There is clearly much with other organisations can learn from the unfortunate security breach at the US government's Office of Personnel Management. Even if you don't have time to read the full congressional report, I would recommend that all of those who are responsible for securing their business's networks from attack take the time to read the executive summary. Further reading:
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
