Tenable Blog

Lessons to Learn from the OPM Breach

This week in Washington, there have been a lot of calls for the resignation of Katherine Archuleta, the Director of the Office of Personnel Management (OPM). She was at the helm when the breach of millions of government personnel records occurred, so some say that ultimately she should be responsible. President Obama has the final say as to whether she keeps her job, and so far he has stood by his appointee. Before any decisions are made about her fate, we should consider all aspects of the breach.

Discovery

Most breaches in the private sector are discovered by a third party, usually by credit card companies investigating fraud or by law enforcement investigating other crimes. Breaches are seldom discovered by the organization that was actually attacked. This was not the case at the OPM. The OPM’s own press release states that the breach was discovered during “an aggressive effort to update its cybersecurity posture” and that this formidable effort was ongoing for over a year.

Director Archuleta inherited an obviously antiquated system that had been cobbled together over decades. She was trying to rectify problems as quickly as time and budget would allow. It was not her fault that the systems under her control did not have lasting security protocols in place; Director Archuleta had to accept what her predecessors left her. However, unlike her predecessors, she did not maintain the status quo. Archuleta was attempting to upgrade and modernize the security systems. As a result of those aggressive efforts, the breach was discovered. It’s very possible that the breach would have gone completely unnoticed for much longer if it weren’t for the actions of Director Archuleta.

If Director Archuleta does lose her position as OPM director, it will send the wrong message to directors of other agencies: Don’t go looking for things in your network, because if you find bad things you might lose your job. Instead of simply pointing a finger at a scapegoat, let’s examine what the underlying causes of the breach were and what lessons can be learned from them.

Lessons learned

First, know what’s on your network. Some reports indicate that OPM did not have a full accounting of hardware and software attached to their networks. The first principle of a resilient security program is to discover all your assets as a baseline and as an inventory against which to track activity. The key here is to discover those network assets right now, not to rely on purchase requisitions or outdated network diagrams. Know for a fact what is currently connected to your network and the software installed on those systems. This includes mobile devices, virtual machines and cloud applications. This gives you a baseline for your scope and attack surface; you can’t defend what you don’t understand.

Once you know what’s on your network, you can start securing it. Implement continuous patching and vulnerability scanning, not just periodic checks. Do not rely on quarterly or monthly audits, which can result in blind spots between audits. Know what is on your network now, what vulnerabilities are present now, not last week.
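The two steps above (reconcile a live discovery against the recorded inventory, then make sure every asset is being scanned continuously rather than on a quarterly cadence) are illustrated by the script below. This is an added example, not code from the Tenable post or any Tenable product; every hostname, address, software version and scan date in it is constructed sample data, and a static list stands in for the discovery step so it runs offline.

```python
"""Reconcile a live asset discovery against the recorded inventory and flag
assets whose last vulnerability scan is too old.

Added example; not code from the Tenable post. Every host, address, software
version and scan date below is constructed, and a static list stands in for the
discovery step so the script runs offline.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    kind: str                       # server, workstation, vm, mobile, cloud-app
    software: frozenset             # {(name, version), ...}
    last_scanned: Optional[date] = None


@dataclass
class InventoryDrift:
    unknown: list = field(default_factory=list)   # seen on the network, not in records
    missing: list = field(default_factory=list)   # in records, not seen by discovery
    changed: dict = field(default_factory=dict)   # hostname -> software added/removed


def diff_inventory(baseline, discovered):
    """Compare what the records say against what discovery saw right now."""
    base = {a.ip: a for a in baseline}
    live = {a.ip: a for a in discovered}
    drift = InventoryDrift()
    for ip, asset in live.items():
        if ip not in base:
            drift.unknown.append(asset)
        elif asset.software != base[ip].software:
            # symmetric difference: packages that appeared or disappeared
            drift.changed[asset.hostname] = asset.software ^ base[ip].software
    drift.missing = [a for ip, a in base.items() if ip not in live]
    return drift


def stale_scans(discovered, today, max_age_days):
    """Assets never scanned, or not scanned within max_age_days."""
    return [a for a in discovered
            if a.last_scanned is None or (today - a.last_scanned).days > max_age_days]


# Constructed "what the records say" (purchase requisitions, an old diagram)
BASELINE = [
    Asset("app-01", "10.0.5.10", "server", frozenset({("httpd", "2.4.6"), ("java", "1.7.0_79")})),
    Asset("db-legacy-01", "10.0.5.20", "server", frozenset({("mysql", "5.1.73")})),
    Asset("ws-0412", "10.0.7.31", "workstation", frozenset({("firefox", "38.0")})),
]

# Constructed "what discovery saw today"
TODAY = date(2015, 6, 15)
DISCOVERED = [
    Asset("app-01", "10.0.5.10", "server",
          frozenset({("httpd", "2.4.6"), ("java", "1.7.0_79")}), date(2015, 6, 14)),
    Asset("ws-0412", "10.0.7.31", "workstation",
          frozenset({("firefox", "38.0.5")}), date(2015, 3, 2)),   # last quarterly scan
    Asset("vm-test-07", "10.0.9.7", "vm",
          frozenset({("tomcat", "7.0.54")}), None),                # nobody recorded it
]


def report(baseline, discovered, today, max_age_days=7):
    """Human-readable drift and scan-age findings, one per line."""
    drift = diff_inventory(baseline, discovered)
    lines = [f"unknown: {a.hostname} ({a.ip}, {a.kind})" for a in drift.unknown]
    lines += [f"missing: {a.hostname} ({a.ip})" for a in drift.missing]
    lines += [f"changed: {h} {sorted(d)}" for h, d in drift.changed.items()]
    lines += [f"stale scan: {a.hostname} (last {a.last_scanned})"
              for a in stale_scans(discovered, today, max_age_days)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(BASELINE, DISCOVERED, TODAY)))
```

Keying on IP address rather than hostname is a deliberate choice: an unrecorded VM that reuses a decommissioned host's name would otherwise hide inside a "changed" entry instead of surfacing as "unknown". The seven-day scan-age threshold is an assumption for the example; pick whatever interval your scanning cadence can actually sustain.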

Next, make sure you have the right technologies in place for your environment. Vulnerability management, application whitelisting, intrusion detection, proper network segmentation, encryption, data separation and more should all be considered, depending on your environment. Look at both your networks and your data; you need to protect both. Unfortunately, OPM did not encrypt its data, which contributed to the loss of personal information.

Keep a close eye on which users have access to critical resources. There are reports that some OPM system administrators used ‘root’ access on a regular basis. Users should only have access to what they need to do their jobs. Keep tight control over root and admin access. Enforce strong passwords. Remove default accounts. Quickly revoke access when employees leave or change jobs. The OPM has already committed to implementing two-factor authentication for all employees by August 1st.

Once you have inventoried your hardware and software, stabilized your patch management, implemented secure technologies and gotten a grasp on user access, you can start looking for bad guys inside your network. You need to do more than just watch the perimeter. You need to do more than catch known malware and CVEs. You need to watch your network traffic in real time for anomalies. Log everything, and examine those logs. Between your network traffic and your logs, you should be able to quickly identify any anomalies. So, after you have been breached—and you will be breached—you will know about it sooner, you will be able to minimize the damage, and you will be able to reconstitute systems more quickly.
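The access-control points above (routine root use, default accounts, access that should have been revoked when someone left) and the "log everything and examine it" point come together in a log review. The script below is an added example, not code from the Tenable post or any Tenable product: it runs a few rules over sshd-style authentication lines and reports what a reviewer would want to look at. The log lines, the roster of current staff, the default-account list and the baseline of where each user normally logs in from are all constructed sample data.

```python
"""Review sshd-style authentication log lines for privileged-access anomalies.

Added example, not part of the Tenable post. Every log line, the staff roster,
the default-account list and the per-user source baseline are constructed.
"""
import re
from collections import Counter

# Constructed sshd-style lines; in practice these stream in from a log collector.
LOG_LINES = [
    "Jun 12 03:14:07 app-01 sshd[2211]: Accepted password for root from 10.0.5.23 port 51022 ssh2",
    "Jun 12 08:02:11 app-01 sshd[2290]: Accepted publickey for jsmith from 10.0.5.40 port 50110 ssh2",
    "Jun 12 08:05:43 db-02 sshd[1133]: Accepted publickey for jsmith from 10.0.5.40 port 50114 ssh2",
    "Jun 12 09:17:02 db-02 sshd[1190]: Accepted password for mlee from 10.0.5.61 port 40211 ssh2",
    "Jun 12 11:48:19 app-01 sshd[2402]: Accepted password for admin from 10.0.5.77 port 43300 ssh2",
    "Jun 12 14:30:55 db-02 sshd[1311]: Accepted publickey for jsmith from 198.51.100.9 port 52844 ssh2",
    "Jun 12 14:31:10 db-02 sshd[1312]: Failed password for invalid user oracle from 198.51.100.9 port 52850 ssh2",
]

CURRENT_STAFF = {"jsmith", "rchen"}                  # mlee left last month (constructed)
DEFAULT_ACCOUNTS = {"admin", "guest", "test", "oracle"}
# Baseline from an earlier review period: user -> source addresses seen (constructed)
BASELINE_SOURCES = {"jsmith": {"10.0.5.40"}, "rchen": {"10.0.5.52"}}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line):
    """Return the named fields of one auth line, or None if it is not a login event."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def review(lines, staff, defaults, baseline):
    """Return (rule, user, host, src) findings, in log order.

    Rules, in priority order for a successful login:
      direct-root-login      someone logged in as root instead of as themselves
      default-account-login  a vendor/default account is still usable
      non-roster-login       the account belongs to nobody on the current roster
      new-source-for-user    a known user arrived from an address not in their baseline
    Failed attempts are only reported when they probe a default account.
    """
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        user, host, src = ev["user"], ev["host"], ev["src"]
        if ev["result"] != "Accepted":
            if user in defaults:
                findings.append(("default-account-probe", user, host, src))
            continue
        if user == "root":
            findings.append(("direct-root-login", user, host, src))
        elif user in defaults:
            findings.append(("default-account-login", user, host, src))
        elif user not in staff:
            findings.append(("non-roster-login", user, host, src))
        elif src not in baseline.get(user, set()):
            findings.append(("new-source-for-user", user, host, src))
    return findings


def summarize(findings):
    """Count findings per rule so the noisiest control gap is visible at a glance."""
    return Counter(rule for rule, *_ in findings)


if __name__ == "__main__":
    found = review(LOG_LINES, CURRENT_STAFF, DEFAULT_ACCOUNTS, BASELINE_SOURCES)
    for rule, user, host, src in found:
        print(f"{rule:22} user={user:8} host={host:8} from={src}")
    print(dict(summarize(found)))
```

The roster and source baseline are the parts that make this useful rather than noisy: the departed-user rule only works if HR offboarding actually feeds the roster, and the new-source rule only works if the baseline is refreshed from reviewed, known-good periods. A login that trips none of the rules is not proof of anything; it just means the cheap checks passed.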

Prevention and recovery

Being secure requires never-ending vigilance, constant awareness of network activity, and knowledge of data paths. Would all of these things have prevented the OPM attack? Unlikely. But if these things had been in place, OPM would have discovered and recovered from the breach much faster.

Whatever happens to Director Archuleta, everyone can learn from this incident and improve the security of their organizations, instead of becoming paralyzed with fear over potential job loss.
