By now, you’ve probably heard that last week the Office of Personnel Management (OPM), which is responsible for the vast majority of security clearances issued by the government, was breached. And as most of these breaches play out, it started off with a bad figure (4 million) and quickly ballooned to an appalling figure (14 million!). There have been some interesting things to come out of this that’s worth noting.
1. Attribution is important, but that’s not the biggest story here. Many people have been speculating as to the source of the attack, and most fingers are pointing to China, and for good reasons. The fact is, attribution is not the biggest concern.
2. How do we stop this from happening in the future? The Anthem (WellPoint), Premera, and OPM breaches are all bearing some similarities that we should pay great attention to and learn from in the future. Brian Krebs, over at krebsonsecurity.com, has a great blog post about all this. If you do any sort of fraud or cybercrime investigations, check his stuff out. (Full disclosure: I bought two copies of his book.) Basically it comes down to simple things like making sure the website you think you’re logging into is legitimately the right website. In other words, CHECK THE DARN ADDRESS!!!
3. Once we’re done pointing our finger at this week’s victim agency and laughing at their failures, let’s take a look in the mirror and ask ourselves some painful questions:
- If I had an insider threat, could they access potentially sensitive information?
- Do we have any employee databases sitting out wide open on the network?
- Do we have a data classification program in place? For example, do you have documented anywhere, “names, DOB’s, and SSN’s will be encrypted while sitting on the network”?
- We all take a polygraph to get this job now. Where are those records kept? Who has a key to them? What about the background investigation info?
- Do I know what is connected to my network, without a doubt?
If you’re the least bit concerned about liability, your privacy, and your agency’s reputation, go ahead and start asking the IT guy these questions. You have my permission. And yes, I said the “L” word–liability. As with everything else in our profession, the data we hold and what happens to it is now becoming something we can get sued for if someone gets the chance.
If you are the IT guy and you’re reading this, don’t try to lie yourself. And you know this isn’t even scratching surface of things we need to ask ourselves. We talk about things like compliance and ISO27001, but we need to remember that security is a process, not a product. Check-box compliance is good, but building a culture of information security and wisdom is paramount.
Taking a look at OPM is fun to point out what’s wrong with them. And sure, they had deficiencies. But sitting down and taking a look in the mirror may be the first thing we need to do before we get too happy throwing stones.
But, throwing stones is always fun.