OPM hack shines light on abysmal state of US federal systems’s security

New WAF attack timelines show the start and end of a threat.
No more logs. See how →

With each passing day, newly revealed details about the US Office of Personnel Management (OPM) hack show an ugly picture of the security situation in the OPM, and other US government departments and agencies.

The data stolen from the OPM was not all located on its systems. “The two systems breached were the Electronic Official Personnel Folder (eOPF) system, an entity hosted for OPM at the Department of the Interior’s shared service data center, and the central database behind ‘EPIC,’ the suite of software used by OPM’s Federal Investigative Service in order to collect data for government employee and contractor background investigations,” Ars Technica reports.

According to NYT reporters, the reason why much of this data “had been stored in the lightly protected systems of the Interior Department” is because the Deaprtment had “cheap, available space for digital-data storage.”

And the US administration is now scrambling to discover how many similar arrangements have been made over the years and left sensitive data exposed to sophisticated hackers.

Despite the various warnings issued in the wake of audits showing that federal systems are antiquated and insecure, and despite the fact that it has been obvious for quite some time now that hackers were interested in the data held on their systems and that of government contractors, things have been moving slowly when it comes to fixing these problems.

But not anymore, it seems, as the Obama administration has ordered agencies to perform vulnerability testing, patch holes, reduce the number of privileged user accounts, and provide multifactor authentication for all systems – and all in 30 days!

The administration has to be seen doing something, and this resolute reaction looks good on paper, but 30 days is not enough to plug all the holes through which determined, dedicated attackers can come through. Still, it might be a good start.

But the administration’s determination and need for fast results might also turn out to be counterproductive, as quick, forced remodeling of computer systems might be poorly planned and executed. In fact, OPM’s Inspector General Patrick McFarland fears that very scenario will happen if a proposed $91 million computer overhaul of OPM networks is approved.

A perfect example of reacting to the breach before really thinking about how to do it right can be found in the latest misstep by the OPM: they sent out breach notifications to affected federal employees, and in it they included a link to a private contractor’s Web site to sign up for credit monitoring and additional protection.

“Even when they try to clean it up, they’re getting it wrong,” ACLU principal technologist Chris Soghoian commented for the Washington Post. “A policy saying don’t send clickable links to employees is not rocket science. It’s cybersecurity 101.”

In the meantime, details about the tools and techniques used by the attackers point to the same group being behind the Anthem breach: they used the same rare tool to remotely control computers, typosquatting domains to try to get employees’ login credentials, malicious software signed with certificates stolen from the same Korean software company.

The word among those in the know is still that Chinese hackers are behind both breaches, but the jury is still out on whether they are a small or big group, and on which government department they are affiliated with.

Are you protecting your users and sensitive O365 data from being leaked? Learn how Specops Authentication for O365 can help.