Chuck Leaver – This Is What CISO’s Need To Understand From OPM Cyber Attack

Written by Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver


Cyber attacks attributed to the Chinese government breached sensitive personnel databases and stole data on more than 22 million current, former, and prospective U.S. federal employees and their family members. Stern warnings from the Office of the Inspector General (OIG) to shut down systems lacking a current security authorization were ignored.

Presciently, the OIG specifically cautioned that failure to shut down the unauthorized systems carried national security implications. Like the Titanic’s doomed captain holding flank speed through an ice field, OPM responded:

“We concur that it is essential to keep updated and legitimate ATOs for all systems but do not think that this condition rises to the level of a Material Weakness.”

Furthermore, OPM stressed that shutting down those systems would mean a lapse in the payment of retirement and employee benefits. Given a choice between a security lapse and an operational lapse, OPM chose to run insecurely and was pwned.

Then-director Katherine Archuleta resigned in July 2015, a day after revealing that the scope of the breach vastly exceeded initial estimates.

Despite the high-value data it held, OPM failed to prioritize cybersecurity and to adequately secure that data.

What Are the Lessons for CISOs?

Rational CISOs will want to avoid career immolation in a flaming data breach disaster, so let’s briefly review the key lessons from the executive summary of the Congressional report.

Focus on Cybersecurity Commensurate with Asset Value

Have an effective organizational management structure to implement risk-appropriate IT security policies. Chronic non-compliance with security best practices and lagging timelines for implementing recommendations are symptoms of organizational failure and bureaucratic atherosclerosis. Shake up the organization, or prepare for your post-breach grilling before the inquisitors.

Do Not Tolerate a Lax State of Information Security

Have the necessary monitoring in place to maintain critical situational awareness, and leave no visibility gaps. Do not underestimate the scope, degree, or gravity of attack indicators. Assume that if you recognize some attack indicators, there are others you are missing. While OPM was forensically monitoring one attack channel, a second, parallel attack went unseen. When OPM finally acted, the adversaries learned which intrusion had been discovered and which was still effective, highly valuable intelligence for the attacker.

Mandate Fundamental Security Tools and Rapidly Deploy Cutting-Edge Security Tools

OPM was woefully negligent in implementing mandated multi-factor authentication for privileged accounts, and it did not deploy readily available security technology that could have prevented or mitigated the exfiltration of its most valuable security background investigation files.

For authenticating access to privileged data or controls, the phrase “password protected” has been an oxymoron for many years: passwords are not security, they are an invitation to compromise. Beyond adequate authentication strength, complete network monitoring and visibility is a prerequisite for preventing sensitive data exfiltration. The Congressional investigation blamed poor cyber hygiene and inadequate network traffic visibility for the attackers’ persistent presence in OPM networks.
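To make the “network visibility” point concrete, here is an added example (written for this page, not code from the original post or from Ziften) of the kind of baseline check that closes one common visibility gap: each host’s outbound byte volume to external destinations is compared against that host’s own history, and a day far above the baseline, or a contact with a destination the host has never used before, is raised for review. The hosts, addresses and flow records are constructed sample data, and the internal ranges are an assumption for the example.

```python
"""Outbound-volume and new-destination check over constructed flow records.

Added example. Each host's daily external byte volume is compared with the
median of its earlier days; a day far above that median, or traffic to a
destination the host has never contacted before, is flagged for review.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Internal ranges (assumption for this example). Checked explicitly rather
# than via ip_address().is_private, because that property also treats the
# RFC 5737 documentation ranges used below (203.0.113.0/24, 198.51.100.0/24)
# as non-global, which would hide the sample "external" destinations.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (day, source host, destination IP, bytes out).
SAMPLE_FLOWS = [
    # srv-hr-01: a few hundred KB/day to one known external endpoint, plus internal traffic
    ("2015-03-01", "srv-hr-01", "203.0.113.10", 180_000),
    ("2015-03-01", "srv-hr-01", "10.20.0.5", 9_000_000),
    ("2015-03-02", "srv-hr-01", "203.0.113.10", 210_000),
    ("2015-03-03", "srv-hr-01", "203.0.113.10", 160_000),
    ("2015-03-04", "srv-hr-01", "203.0.113.10", 240_000),
    ("2015-03-05", "srv-hr-01", "203.0.113.10", 190_000),
    # day under review: 80 MB to a destination this host has never used
    ("2015-03-06", "srv-hr-01", "203.0.113.10", 200_000),
    ("2015-03-06", "srv-hr-01", "198.51.100.7", 80_000_000),
    # ws-fin-02: stable every day, including the day under review
    ("2015-03-01", "ws-fin-02", "203.0.113.20", 2_000_000),
    ("2015-03-02", "ws-fin-02", "203.0.113.20", 2_200_000),
    ("2015-03-03", "ws-fin-02", "203.0.113.20", 1_900_000),
    ("2015-03-04", "ws-fin-02", "203.0.113.20", 2_100_000),
    ("2015-03-05", "ws-fin-02", "203.0.113.20", 2_050_000),
    ("2015-03-06", "ws-fin-02", "203.0.113.20", 2_300_000),
]


def is_external(ip: str) -> bool:
    """True when the address falls outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def summarize(flows):
    """Per (host, day): total external bytes out and the set of external destinations."""
    volume = defaultdict(int)   # (host, day) -> bytes
    dests = defaultdict(set)    # (host, day) -> {destination IP}
    for day, host, dst, nbytes in flows:
        if is_external(dst):
            volume[(host, day)] += nbytes
            dests[(host, day)].add(dst)
    return volume, dests


def find_exfil_candidates(flows, day, multiplier=5.0, floor_bytes=1_000_000):
    """Flag hosts whose external volume on `day` exceeds `multiplier` times the
    median of their earlier days (and an absolute floor, so tiny baselines do
    not trigger on noise), or that contacted a never-seen destination.
    Returns a list of findings sorted by host; empty when nothing stands out."""
    volume, dests = summarize(flows)
    findings = []
    for host in sorted({h for h, _ in volume}):
        if (host, day) not in volume:
            continue
        prior_days = sorted(d for h, d in volume if h == host and d < day)
        today = volume[(host, day)]
        baseline = median(volume[(host, d)] for d in prior_days) if prior_days else 0
        known = set().union(*(dests[(host, d)] for d in prior_days)) if prior_days else set()
        new_dests = sorted(dests[(host, day)] - known)
        volume_spike = today > max(floor_bytes, multiplier * baseline)
        if volume_spike or new_dests:
            findings.append({
                "host": host, "day": day, "bytes_out": today,
                "baseline_bytes": baseline, "volume_spike": volume_spike,
                "new_destinations": new_dests,
            })
    return findings


if __name__ == "__main__":
    for finding in find_exfil_candidates(SAMPLE_FLOWS, "2015-03-06"):
        print(finding)
```

Run against the constructed data, the check reports only srv-hr-01 on 2015-03-06 (80.2 MB out against a 190 KB median, plus the new destination 198.51.100.7) and stays silent on earlier days. The per-host baseline matters: ws-fin-02 moves 2 MB a day without being flagged, which a single global threshold would either miss or drown in noise. A real deployment would feed this from flow or proxy logs and tune the multiplier and floor per host class.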

Don’t Fail to Escalate the Alarm When Your Most Sensitive Data Is Under Attack

In the OPM breach, the observed attack activity “must have sounded a high-level multi-agency national security alarm that an advanced, relentless actor was looking to gain access to OPM’s highest-value data.” Instead, nothing of consequence was done “up until after the agency was significantly jeopardized, and till after the agency’s most delicate info was lost to nefarious actors.” As a CISO, sound that alarm in good time (or rehearse your panel face).

Finally, do not let this be said of your enterprise security posture:

The Committee received documentation and statements showing OPM’s information security posture was weakened by an incredibly unsecured IT environment, internal politics and bureaucracy, and inappropriate top priorities related to the release of security tools that slowed important security choices.