Tighter security, more hands needed post-OPM, security pros say
A number of security pros weigh in on a congressional report assessing the OPM breach.
A number of security procedures need to be amended and personnel with more advanced skills need to be hired since cyberthreats can no longer be detected by technology alone.
These are a few of the responses we received after our story posted yesterday on a congressional report released on Wednesday slamming the Office of Personnel Management (OPM) for its failure to protect the data housed in its databases.
The information purloined in the massive breach included personally identifiable information (PII) of more than 21.5 million individuals, and fingerprint data on 5.6 million of these individuals. Exacerbating the theft is the fact that much of the stolen data was siphoned from security clearance background reports, detailed documents that include extremely personal information that in the wrong hands could be used to extort the affected individuals.
"The OPM hack is one of the biggest hacks in U.S. history," Adam Levin, chairman and founder of IDT911, told SCMagazine.com on Wednesday in an emailed statement. "OPM is the central nervous system of the federal government. It is the human resources department of the federal government and stores a treasure trove of sensitive data. It also checks security clearances and this puts us all in the danger zone."
With the recent hack attacks on government agencies and officials, including cyberattacks on the DNC, the DCCC and Hillary Clinton's email accounts, it is clear that cyberwarfare has replaced the Cold War, said Levin, also author of Swiped, a book that details the identity theft landscape. "If our electoral process can be up for grabs by state-sponsored hackers, this new report on the epic fail of leadership by OPM is just another example that cybersecurity can no longer be a back burner issue."
John Prisco, CEO and co-founder of Triumfant, a Nehemiah security company, has spoken up on this sort of massive breach previously. "Procurement cycles are too long to keep up with modern cyberwarfare," he told SCMagazine.com in an emailed statement on Wednesday. While he said that he agreed with the administration regarding offensive capabilities, he believes its defense is porous. "Maybe DoD and DHS should take the approach that it's best to deploy many solutions rapidly rather than going through a several year-long process to pick a magic bullet. The magic bullet is typically pitched by a beltway bandit and it is rarely magical."
Lance Cottrell, chief scientist of Passages at Ntrepid, told SC on Wednesday that the congressional report focuses mostly on the failures to act on detected threats and to tighten security against intruders that have already taken up residence. "This shows the problems with building a security model around your ability to detect the attacker and associated malware."
Secure systems, he pointed out, need to be architected to be robust even against undetected malware and attackers. "Removing infections, preventing spread and minimizing damage need to be automatic and continuous, not reactive and sporadic."
Additionally, with an increasingly mobile workforce there is not even any real perimeter to secure, Cottrell wrote. "Email and web applications provide access to sensitive information and resources from anywhere in the world. The new threat landscape requires a new generation of security tools and techniques."
Vishal Gupta, CEO of Seclore, pointed to two facts highlighted in the OPM report. "Firstly, organizations aren't able to effectively monitor their networks," he wrote to SC. While OPM's team was able to detect and restrict access by the intruder they dubbed HackerX1, he pointed out it remained completely oblivious to the existence of another intruder, dubbed HackerX2. "This means even when an organization knows it is breached, it can still remain in the dark about subsequent attackers."
Secondly, Gupta said the report indicates that the public sector has a long way to go in terms of cybersecurity investments. "According to the report, two-factor authentication (a fundamental security technology by today's standards) could have played a role in fending off the attackers. My question is, why stop there?"
The government has a huge target on its back, Gupta said, and can't rely on industry standards for its main defense. "Instead, we need to start looking toward proactive solutions that are designed for a world even when hackers get into your systems, so you have persistent protection around the data itself."
However, technology solutions by themselves are not the answer. It takes skilled cyberprofessionals as well.
"Today's most advanced cyberthreats can no longer be detected by technology alone – experienced, talented cyberthreat hunters are now a requirement," Ryan Shaw, chief operating officer at Raytheon Foreground Security, told SCMagazine on Wednesday. The OPM breach, as detailed in the recent Congressional report, is a case in point, he said. "The U.S. government has a lot at stake when it comes to protecting data. It's not a matter of if, but when an attack will strike. Government organizations cannot afford to sit and wait for tool-generated alerts; instead, they must proactively hunt for sophisticated and damaging cyberattacks."
In an added twist to this investigation, the congressional report revealed that the hackers trolled OPM's forensic investigators by using Marvel superhero names on the infrastructure they used to steal the data.
In pointing out that evidence of hacking was available to the OPM, the report details how OPM machines were spotted contacting malicious domains that were registered to Tony Stark, a.k.a. Iron Man. In all, the hackers used several "Marvel's Avengers characters and other names associated with the film franchise," the report found.
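The report's point is that the evidence was already in OPM's own logs: workstations resolving domains whose registrant names matched a pattern. The following is an added example, not code from the report or from any of the vendors quoted, of the kind of correlation a defender can run over DNS logs. The log lines, the WHOIS registrant table and the domain names are all constructed placeholders.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed sample DNS log lines (placeholder hosts and domains, not from the report).
SAMPLE_LOGS = """\
2014-07-01T02:15:11Z ws-0142 dns query hr-portal.example.test
2014-07-01T02:16:03Z ws-0142 dns query update.stark-cdn.example.test
2014-07-01T02:17:45Z srv-db03 dns query mail.example.test
2014-07-01T03:02:09Z srv-db03 dns query api.shield-sync.example.test
2014-07-01T03:02:10Z ws-0142 dns query update.stark-cdn.example.test
""".splitlines()

# Constructed WHOIS registrant data keyed by registered domain (placeholder values).
WHOIS_REGISTRANT = {
    "stark-cdn.example.test": "Tony Stark",
    "shield-sync.example.test": "Steve Rogers",
    "example.test": "Example Corp IT",
}

# Registrant watchlist; the report says Avengers character names were used.
REGISTRANT_WATCHLIST = {"tony stark", "steve rogers", "bruce banner", "natasha romanoff"}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) dns query (?P<domain>\S+)$")


def registered_domain(fqdn: str) -> Optional[str]:
    """Walk up the labels of a FQDN until a domain with WHOIS data is found."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in WHOIS_REGISTRANT:
            return candidate
    return None


def find_suspicious_contacts(lines):
    """Return {host: {registered_domain: {"registrant", "count"}}} for watchlisted registrants."""
    hits = defaultdict(dict)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected log shape
        reg = registered_domain(m["domain"])
        if reg is None:
            continue  # no enrichment data for this domain
        registrant = WHOIS_REGISTRANT[reg]
        if registrant.lower() not in REGISTRANT_WATCHLIST:
            continue
        entry = hits[m["host"]].setdefault(reg, {"registrant": registrant, "count": 0})
        entry["count"] += 1
    return dict(hits)
```

Registrant data is frequently privacy-masked or falsified, so a match like this is one enrichment signal to trigger a hunt on the flagged host, not proof of compromise on its own.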
The consensus seems to be: There's plenty of blame to go around, but there are defenses and policies to put in place that could bolster security implementations.
The government, business and consumers need to work together to shore up cyberdefenses, Levin said, because "when it comes to this major threat to our national security, there are no red states or blue states, we are all in a state of emergency."