Recently, a data breach at the Office of Personnel Management (OPM) demonstrated once again how vulnerable data is, and how security holes can be exploited to gain access to highly sensitive information even when an organization has seemingly deployed the right tools. OPM is the federal organization responsible for maintaining and protecting the federal records for all federal employees and contractors. This includes highly sensitive records about individuals with clearances and even information that could expose those living undercover. As the exact nature of the attack unfolds, and the damages are revealed, it’s important to consider how the breach could have been discovered earlier; how the attack could have been prevented; and what could have been done to limit the damage.
The latest data suggests that the attack was perpetrated by first stealing access credentials from KeyPoint, a government contractor that was hacked last year. While the initial intrusion mostly impacted Department of Homeland Security (DHS) personnel, it was first detected in September, and it took DHS seven months to conclude their investigation. During that time, the credentials were likely used to break into OPM’s systems. Given this timeline, it is clear that the hackers had plenty of opportunity to rummage through systems; some evidence even points to recurring attacks going back for at least the last year. The one thing that is clear is that this breach went undiscovered by the OPM team and its threat defense system for as much as several months.
Stopping cyber attacks is difficult, particularly when the perpetrator is seemingly a well-funded nation-state. Still, a well-planned defense-in-depth strategy that highlights, in real time, the vulnerabilities and risks associated with a given environment can help organizations narrow their focus onto the critical points and paths of egress and drastically improve the chances of preventing or stopping an attack before the "crown jewels," in terms of important data, are stolen.
To achieve this defense in depth, it’s important to first understand the security environment. Knowing the interaction of firewall rules, and uncovering vulnerabilities introduced by misconfiguration, is vital. Uncovering unused, hidden, and redundant rules, which can have unforeseen impact on overall security, would help to simplify the overall firewall environment.
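The hidden and redundant rules mentioned above can be found mechanically. The following is an added example, not code from this article or from any vendor's product; it assumes a simplified rule model (source CIDR, destination CIDR, port range, action) with first-match evaluation, and the ruleset is constructed for illustration. It only flags rules fully covered by a single earlier rule, and finding unused rules would additionally require hit counters from the device.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source CIDR
    dst: str        # destination CIDR
    ports: tuple    # (low, high), inclusive
    action: str     # "allow" or "deny"


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matching rule b also matches rule a."""
    a_src, b_src = ipaddress.ip_network(a.src), ipaddress.ip_network(b.src)
    a_dst, b_dst = ipaddress.ip_network(a.dst), ipaddress.ip_network(b.dst)
    return (b_src.subnet_of(a_src) and b_dst.subnet_of(a_dst)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def audit(rules):
    """Return (rule, kind, covering_rule) for rules that can never fire.

    Under first-match evaluation a later rule fully covered by an earlier
    one is dead: "redundant" if both take the same action, "hidden" if the
    actions differ (the later rule's intent is silently overridden).
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "hidden"
                findings.append((later.name, kind, earlier.name))
                break  # report only the first covering rule
    return findings


# Constructed sample ruleset (not taken from any real device).
RULESET = [
    Rule("r1", "10.0.0.0/8", "192.168.10.0/24", (443, 443), "allow"),
    Rule("r2", "10.1.0.0/16", "192.168.10.5/32", (443, 443), "deny"),
    Rule("r3", "10.2.0.0/16", "192.168.10.0/24", (443, 443), "allow"),
    Rule("r4", "0.0.0.0/0", "192.168.20.0/24", (22, 22), "allow"),
    Rule("r5", "0.0.0.0/0", "0.0.0.0/0", (0, 65535), "deny"),
]

if __name__ == "__main__":
    for rule, kind, by in audit(RULESET):
        print(f"{rule} is {kind}: fully covered by earlier rule {by}")
```

Here the deny in r2 never takes effect because r1 already allows that traffic, which is the kind of misconfiguration that leaves a path open while the ruleset appears to block it.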
Visualizing traffic flow can help to discover unexpected paths in and out of systems to pinpoint unexpected ingress and egress points for systems and the network. This can signal the path a would-be hacker might take to get to data, and highlight where additional defenses are needed.
Good security hygiene, going forward, can assist in preventing further attacks. Change management will be key, and can reduce the risk of existing holes, while ensuring changes don’t introduce new ones. Understanding the impact a given change might have on the overall operating environment can discover potential new holes in perimeter defense, before they even get created.
Compliance with security standards must be maintained, and audits will help to ensure this compliance. Cleaning up and optimizing firewall configurations can remove obscurity and improve security, manageability, and performance. Testing network configuration against security compliance requirements helps to ensure the requirements are being met.
Finally, if an actual breach does occur, it’s important to be able to find it quickly. Tools exist that can help separate indicators of a break-in from background noise, and pinpoint where data is exiting the network. This can dramatically reduce the time it takes to discover a breach, which helps to limit the damage by helping to sever the data stream before much data has been stolen.
Finding an integrated set of tools can make the process easier. One such integrated tool suite is produced by FireMon. Their Security Manager tool helps to manage and monitor devices in one place, and integrates with the Policy Planner, Policy Optimizer, and Risk Analyzer tools to help clean up the environment, understand the impact of changes, and ensure compliance with security standards. Immediate Insight can analyze the network in real time, to reduce the time it takes to identify an incursion and triage the event. Together, the tools can be used to quarantine known infected networks to help cut an incursion off at its source.
All reports indicate that the data security team at OPM took many measures to prevent this breach, including deploying a number of commercial and custom tools to monitor the environment. Still, this breach highlights the need for a comprehensive approach to cyber defense, complete with a tightly integrated toolset. It’s about more than just having firewalls and SIEMs deployed; it’s about having the right set of tools and applications that give needed visibility into the vulnerabilities and risks associated with a given environment. Deployed properly and as a part of a broader integrated defense strategy, these tools can help dramatically reduce the risk of a successful cyber attack, and can aid in discovering the intrusion and concluding the investigation much faster.