26 June 2015

What We Can Learn From the OPM Breach

Andy Harris

The Breach

Details are starting to filter through about the true size and scale of the recent data breach at the US Office of Personnel Management (OPM). If the reports are correct, it is already one of the most damaging incidents of its kind, and that is saying something given the long and sorry history of government data breaches!

Poor security around privileged accounts appears to be the culprit, and it has enabled hackers to steal some of the most sensitive information ever taken from US government data stores.

Let’s take a look at what lessons UK organisations can learn from the mistakes made across the Pond.

What happened?

A breach of the OPM’s systems was first detected back in March, when a new security system raised the alarm. Initial estimates put the compromise at somewhere in the region of four million records. Then things got a lot worse: it emerged that hackers had also gained access to sensitive data on staff applying for security clearance for military or intelligence positions, held on the so-called SF-86 form. This form contains personal, medical and financial information, which makes its loss a massive risk: a foreign state could use it to blackmail and coerce government employees, and even to recruit spies. It would also be valuable information for follow-up spear phishing attacks.

It’s now thought that the breach toll could have risen to as many as 18 million people. The vast majority are current and former government employees and their families.

How did it happen?

A two-hour hearing before the House Oversight and Government Reform Committee last week revealed some details. OPM’s CIO, Donna Seymour, admitted that the attackers had gained “privileged user access”. Then Department of Homeland Security assistant secretary for cybersecurity, Andy Ozment, spoke up. He claimed that encryption of the stolen data would “not have helped in this case”, because the hackers had obtained user credentials to the systems they attacked, most likely through social engineering. We can deduce that these credentials were for privileged, or admin-level, access.

Why are the account credentials of privileged users so sought-after by attackers? They provide access straight to the information the attackers want, with no need to escalate privileges. These accounts are also usually subject to less scrutiny from senior managers. After all, the IT department is usually left to its own devices because it’s trusted, right? And unusual account behaviour, for example large volumes of data downloads, doesn’t ring alarm bells when it happens on IT user accounts. So there’s a better chance of getting in and out before being detected.

Furthermore, an OPM contractor told Ars Technica that he worked on a project with a Unix sysadmin located in Argentina, while another colleague sat in China. As we’ve discussed before, organisations must extend the same strict IT access policies to their third parties.

Lessons learned

We should all think more about how we secure privileged accounts. Osirium’s answer is Privileged Access Management: technology which ensures device credentials never pass through the client’s system, so they cannot be lifted by social engineering, hacked, stolen or misused by IT admins. Our Privileged Session Management system records, stores and plays back privileged account activity, not only for security but also to meet compliance standards.

Here are some more takeaways from the OPM debacle:

  • Invest in tools to gain greater visibility into privileged accounts, which leads to a better understanding of when unusual activity takes place
  • Enforce strong password management as standard and ensure IT admins cannot make exceptions
  • Try to prevent “over-privileging” of junior admin staff
  • Operate policy of “least privilege” when it comes to admin account access
  • Extend all strict access controls to third party providers
  • Vet all third party providers strictly before hiring and conduct regular security audits
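The point made above, that large data downloads on IT accounts tend not to ring alarm bells, and the first takeaway, gaining visibility into when privileged accounts behave unusually, can both be illustrated with a small detection rule. The following is an added example written for this post; it is not Osirium's product code and is not drawn from the OPM investigation. It assumes a constructed, simplified export log with one line per account per day (date, account, role, bytes transferred out) and compares each day's volume against the account's own median over earlier days, so a spike cannot inflate the baseline it is judged against.

```python
"""Flag unusual data-transfer volumes, with admin accounts as high severity.

Added example for this post, not Osirium's code. It assumes a constructed,
simplified export log with one line per account per day:
    <ISO date> <account> <role> <bytes transferred out>
"""
from collections import defaultdict
from statistics import median

# Constructed sample log (not real OPM data). jsmith (admin) and alee (user)
# each spike on 2015-03-05; svc_backup moves a lot of data every day, so its
# large transfers are its own normal baseline and should not fire.
SAMPLE_LOG = """\
2015-03-01 jsmith admin 120000
2015-03-02 jsmith admin 98000
2015-03-03 jsmith admin 110000
2015-03-04 jsmith admin 105000
2015-03-05 jsmith admin 9800000
2015-03-01 alee user 40000
2015-03-02 alee user 42000
2015-03-03 alee user 39000
2015-03-04 alee user 41000
2015-03-05 alee user 3100000
2015-03-01 svc_backup admin 5000000
2015-03-02 svc_backup admin 5100000
2015-03-03 svc_backup admin 4900000
2015-03-04 svc_backup admin 5050000
2015-03-05 svc_backup admin 5000000
"""

# Roles treated as privileged (assumed label for this example).
PRIVILEGED_ROLES = {"admin"}


def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, account, role, nbytes = line.split()
        records.append({"date": date, "account": account,
                        "role": role, "bytes": int(nbytes)})
    return records


def detect_volume_anomalies(records, factor=5.0, min_history=3):
    """Flag days where an account moves more than `factor` times its own
    median daily volume, measured only over earlier days.

    Privileged accounts get severity "high": large downloads on IT accounts
    are exactly the activity that tends to go unnoticed.
    """
    by_account = defaultdict(list)
    for r in records:
        by_account[r["account"]].append(r)

    alerts = []
    for account, days in by_account.items():
        days.sort(key=lambda r: r["date"])  # ISO dates sort lexically
        for i, today in enumerate(days):
            history = [d["bytes"] for d in days[:i]]
            if len(history) < min_history:
                continue  # not enough history to say what "normal" is
            base = median(history)
            ratio = today["bytes"] / base if base else float("inf")
            if ratio > factor:
                alerts.append({
                    "date": today["date"],
                    "account": account,
                    "bytes": today["bytes"],
                    "baseline_median": base,
                    "ratio": round(ratio, 1),
                    "severity": "high" if today["role"] in PRIVILEGED_ROLES
                                else "medium",
                })
    return alerts


if __name__ == "__main__":
    for a in detect_volume_anomalies(parse_log(SAMPLE_LOG)):
        print(f'{a["date"]} {a["account"]:<12} {a["severity"]:<6} '
              f'{a["bytes"]:>10} bytes, {a["ratio"]}x median')
```

Run against the sample log it reports two alerts for 2015-03-05, jsmith at high severity and alee at medium, and stays quiet about svc_backup. The per-account median is deliberate: a noisy but consistently heavy service account should not drown out a genuinely unusual day on an admin's personal account, and a single spike should not raise the bar for the days that follow it.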