Last week Leon Panetta spoke at the Gartner Security Summit. His topic was preventing cyber attacks in 2020. The irony was not lost, considering that four days prior the Department of Homeland Security (DHS) had announced our government’s largest security breach. Initially, ABC News reported four million employee records were compromised.
Bloomberg estimates the number could go as high as fourteen million. Worse, the cyber breach looks to be especially damaging, because it included Office of Personnel Management (OPM) Form SF-86. Aside from Social Security Numbers, SF-86 provides detailed financial and employment information. It reveals psychological profiles. It lists personal contacts and foreign correspondents, and potentially contains reputation-damaging information.
Initial reports point to a Chinese state sponsored attack. Chinese perhaps. State sponsored definitely. State sponsored attacks target individuals. Here’s why. Government spooks collect information for intelligence purposes. They seek information for extortion, counterintelligence, and advanced phishing. They use it to recruit, blackmail, expose agents, and steal intellectual property.
Security expert Brian Krebs links OPM’s breach to previous state sponsored attacks. Krebs points to a chronology of events beginning in July 2014. He connects OPM’s compromise to this year’s Anthem and Blue Cross assaults. He points out that, unbelievably, OPM operated without access authorization and encryption. In November, the Inspector General notified OPM of its failure to comply with FISMA. The report cited IT security weaknesses and identified significant internal control deficiencies.
David Cox, Federal Government Employees’ Union President, calls OPM an “abysmal failure”. Granted, no solution is foolproof. Organizations must first deploy, then sustain, prevention, detection and response systems. The biggest bang for the buck, and the quickest actions to implement, come from prevention. To guard identities, first and foremost provide access controls as a baseline. Start with identity and access management. To deter and mitigate breaches, follow these eight identity management best practices.
For starters, automate and enforce access privileges. For new hires, assign privileges based on roles, business rules, and workflow automation. For employees who leave, automate privilege removal upon termination. Automate alerts and reporting to continuously monitor access and flag unnecessary privileges.
Only business line managers can gauge and govern the actions of the actors they oversee. Business managers know the specifics. They know who a person is, their job function, peer group and normal behavior. A sales team spotted the OPM anomalies leading to the breach’s detection.
Privileged accounts are targets of organized crime and state sponsored attacks. Compromised privileged accounts are generally responsible for the most damaging breaches. Privileged users remain vulnerable to social engineering and phishing for shared passwords. Cyber risks from excessive privileges often go undetected indefinitely.
Passwords are vulnerable to brute force attacks and spoofing. Mitigate this risk. Require password changes on a regular basis. This is especially true for privileged accounts and shared administrator passwords. Requiring password changes shrinks the window for undetected breaches.
In addition to frequently changing passwords, complexity matters. Longer complex passwords require more time to crack. Prevent the use of weak passwords across your network and systems. Guard against hacker dictionary assaults. Prepare for brute force attacks. The day will come.
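The password-strength rules in the two paragraphs above (length, complexity, resistance to dictionary and brute-force attacks) can be enforced at password-change time. The following is an added example written for this article, not code from the post or from any product it mentions. The thresholds (12 characters, 3 of 4 character classes, 50 bits, the 20-character passphrase exemption), the leet-substitution table and the tiny word list are all assumptions for illustration; a real deployment would check against a full breached-password list.

```python
import math
import string

# Policy thresholds are assumptions for this example, not figures from the article.
MIN_LENGTH = 12
PASSPHRASE_LENGTH = 20   # long passphrases are exempt from the character-class rule
MIN_CLASSES = 3
MIN_ENTROPY_BITS = 50

# Constructed stand-in for a real breached-password or dictionary list.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "admin", "summer", "monkey"}

# Common substitutions that cracking rule sets undo before a dictionary run.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Fold a password the way a dictionary attack would: lower-case it, drop leading and
    trailing digits/punctuation, undo leet substitutions, keep letters only.
    'P@ssw0rd1' -> 'password', 'Summer2024!' -> 'summer'."""
    core = password.lower().strip(string.digits + string.punctuation)
    return "".join(ch for ch in core.translate(LEET) if ch.isalpha())


def _classes_used(password: str) -> list:
    return [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation or c == " " for c in password),
    ]


def char_classes(password: str) -> int:
    return sum(_classes_used(password))


def estimate_entropy_bits(password: str) -> float:
    """Upper bound on entropy, assuming uniformly random choice from the classes present.
    This is why the dictionary check exists: 'P@ssw0rd1' scores ~59 bits but is trivial."""
    lower, upper, digit, symbol = _classes_used(password)
    size = (26 if lower else 0) + (26 if upper else 0) + (10 if digit else 0) \
        + (len(string.punctuation) + 1 if symbol else 0)
    return len(password) * math.log2(size) if size else 0.0


def check_password(password: str) -> list:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if char_classes(password) < MIN_CLASSES and len(password) < PASSPHRASE_LENGTH:
        failures.append("too_few_classes")
    if normalize(password) in DICTIONARY:
        failures.append("dictionary_word")
    if any(password[i] == password[i + 1] == password[i + 2]
           for i in range(len(password) - 2)):
        failures.append("repeated_run")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        failures.append("low_entropy")
    return failures


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1", "Summer2024!", "correct horse battery staple",
                      "xK9#mQ2$vL7&pR4!"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The normalization step is the part that matters most: composition rules alone rate "P@ssw0rd1" as strong, while folding it back to "password" shows it is the first guess any dictionary run will make.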
The Inspector General’s OPM audit recommended multi-factor authentication for system access. Multi-factor authentication uses SMS, a token or a smart card as an added validation. For critical applications and privileged identities, apply multi-factor authentication. Make multi-factor authentication transparent in your operations.
Add security to encryption keys to prevent cyber theft. Rotate enterprise and database encryption keys manually or on a schedule. Rotate keys as often as the data requires, or whenever you suspect a compromise. Specify and rotate encryption keys with multi-factor recovery.
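The scheduling logic behind "rotate on a schedule, or immediately on suspected compromise" is the same whether the keys encrypt data or sign tokens: every key carries a version, new material is always produced under the current version, and retired versions stay valid only for a grace period (zero when compromised). The example below is added for this article and is not the post's or any product's code; it uses HMAC signing keys from the standard library so it runs without a cipher dependency, and the 90-day maximum age and 7-day grace period are assumed values. Time is passed in as a day count so the schedule can be exercised deterministically.

```python
import hashlib
import hmac
import secrets


class VersionedKeyring:
    """One active key plus retired keys that remain verifiable for a grace period.
    Assumed policy: rotate at max_age_days; old key verifies for grace_days more;
    a compromised key is expired on the spot."""

    def __init__(self, max_age_days: int = 90, grace_days: int = 7, now_days: int = 0):
        self.max_age_days = max_age_days
        self.grace_days = grace_days
        self.keys = {}          # version -> {"key": bytes, "created": day, "valid_until": day|None}
        self.current = 0
        self._new_key(now_days)

    def _new_key(self, now_days: int) -> None:
        self.current += 1
        self.keys[self.current] = {"key": secrets.token_bytes(32),
                                   "created": now_days, "valid_until": None}

    def rotation_due(self, now_days: int) -> bool:
        return now_days - self.keys[self.current]["created"] >= self.max_age_days

    def rotate(self, now_days: int, compromised: bool = False) -> int:
        """Retire the current key and mint a new one; returns the new version number."""
        old = self.keys[self.current]
        # Scheduled rotation keeps the old key verifiable for the grace period so tokens
        # issued just before the switch still work; a suspected compromise gets no grace.
        old["valid_until"] = now_days - 1 if compromised else now_days + self.grace_days
        self._new_key(now_days)
        return self.current

    def _usable_key(self, version: int, now_days: int):
        entry = self.keys.get(version)
        if entry is None:
            return None
        if entry["valid_until"] is not None and now_days > entry["valid_until"]:
            return None
        return entry["key"]

    def sign(self, payload: bytes) -> str:
        """Always sign under the current version and embed that version in the token."""
        tag = hmac.new(self.keys[self.current]["key"], payload, hashlib.sha256).hexdigest()
        return f"v{self.current}:{tag}"

    def verify(self, payload: bytes, token: str, now_days: int) -> bool:
        version_part, _, tag = token.partition(":")
        try:
            version = int(version_part[1:])
        except ValueError:
            return False
        key = self._usable_key(version, now_days)
        if key is None:
            return False   # unknown, expired or compromised key version
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    ring = VersionedKeyring(now_days=0)
    token = ring.sign(b"session:alice")
    print("day 30 rotation due:", ring.rotation_due(30), "day 90:", ring.rotation_due(90))
    ring.rotate(90)
    print("old token on day 95 (in grace):", ring.verify(b"session:alice", token, 95))
    print("old token on day 98 (past grace):", ring.verify(b"session:alice", token, 98))
```

For data-at-rest keys the same structure is usually applied to the key-encrypting key: rotating it means re-wrapping the per-object data keys, not re-encrypting every record, which is what makes a short rotation schedule affordable.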
Unmanaged accounts represent an access risk. Remove abandoned and orphan accounts and servers from your organization. Abandoned accounts are targets for fraudulent access. Abandoned servers provide an internal beachhead for attacks. Schedule reports to routinely identify orphaned user accounts and servers.
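The first practice (assign privileges by role, remove them on termination, report on unnecessary privileges) and this one (find orphaned accounts and dormant servers) are both answered by the same scheduled job: reconcile the HR roster, which says who should have what, against a directory export, which says who actually has what. The example below is added for this article and is not the post's or any identity product's code. The role-to-group policy, the privileged-group list, the 90-day dormancy threshold and the two sample feeds are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed role-to-group policy for this example; real entitlements come from the business owners.
ROLE_GROUPS = {
    "sysadmin": {"vpn", "server-admins"},
    "sales": {"vpn", "crm-users"},
    "hr_analyst": {"vpn", "hr-readers"},
}
PRIVILEGED_GROUPS = {"server-admins", "domain-admins"}
MAX_IDLE_DAYS = 90   # assumed threshold for flagging dormant accounts


@dataclass
class HrRecord:
    user: str
    role: str
    active: bool


@dataclass
class DirectoryAccount:
    user: str
    groups: set
    last_login_days_ago: int


# Constructed sample feeds: an HR roster and a directory (LDAP/AD style) export.
HR_ROSTER = [
    HrRecord("alice", "sysadmin", True),
    HrRecord("bob", "sales", True),
    HrRecord("carol", "hr_analyst", False),    # terminated, but the account still exists
]
DIRECTORY = [
    DirectoryAccount("alice", {"vpn", "server-admins", "domain-admins"}, 2),
    DirectoryAccount("bob", {"crm-users"}, 5),
    DirectoryAccount("carol", {"vpn", "hr-readers"}, 120),
    DirectoryAccount("svc-legacy", {"server-admins"}, 400),   # no owner anywhere in HR
]


def reconcile(hr_roster, directory) -> dict:
    """Compare what HR says each person should hold with what the directory grants.
    Returns accounts to disable (terminated / orphaned), groups to grant, groups to
    revoke, and every holder of a privileged group for the business owner to review."""
    hr = {record.user: record for record in hr_roster}
    report = {"terminated": [], "orphaned": [], "grant": {}, "revoke": {}, "privileged": {}}
    for acct in directory:
        record = hr.get(acct.user)
        if record is None:
            report["orphaned"].append(acct.user)        # nobody owns it: remove or assign an owner
        elif not record.active:
            report["terminated"].append(acct.user)      # left the organisation: disable now
        else:
            expected = ROLE_GROUPS.get(record.role, set())
            missing, excess = expected - acct.groups, acct.groups - expected
            if missing:
                report["grant"][acct.user] = missing
            if excess:
                report["revoke"][acct.user] = excess    # privilege the role does not justify
        held = acct.groups & PRIVILEGED_GROUPS
        if held:
            report["privileged"][acct.user] = held
    report["terminated"].sort()
    report["orphaned"].sort()
    return report


def stale_accounts(directory, max_idle_days: int = MAX_IDLE_DAYS) -> list:
    """Accounts (user or service) with no login inside the idle window."""
    return sorted(a.user for a in directory if a.last_login_days_ago > max_idle_days)


if __name__ == "__main__":
    for section, entries in reconcile(HR_ROSTER, DIRECTORY).items():
        print(f"{section}: {entries}")
    print("stale:", stale_accounts(DIRECTORY))
```

Run nightly, the "revoke" and "privileged" sections are the report the article asks business line managers to sign off on, since only they can say whether alice really needs domain-admins; the "terminated" and "orphaned" sections are the ones that should feed automated disablement rather than wait for a human.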
Another sobering consequence of OPM’s cyber breach pertains to the future. Federal employees now face the greatest risk for future identity theft. While government needs qualified security professionals, agencies are unprepared to protect their identities. You can imagine the recruiting nightmare this creates. As a security candidate, who joins an organization with a dismal record?
Begin your identity management initiative by following what corporate compliance experts recommend for the workflow automation of business processes, self-service administration and IT operations.