Government/politics, and cybersecurity—these topics may seem plucked from recent U.S. election headlines, but they're actually themes that have persisted over the last decade, reaching a pinnacle with the massive OPM data breach that resulted in the theft of over 22 million records—fingerprints, social security numbers, personnel information, security-clearance files, and more. Last month, a key government oversight panel issued a scathing 241 page analysis blaming the agency for jeopardizing U.S. national security for generations. The main culprit? Lack of visibility.
The report issued by the U.S. House Oversight and Government Reform Committee outlines a myriad of crucial OPM failings that led to the massive data breach: lack of two-factor authentication, slow response time following the initial intrusions, and incompetent IT security policies, among others. However, a recurring theme that surfaces in the report is lack of visibility on many fronts—the state of its IT assets, the volume and type of data moving across its networks during the cyber attacks, what users were authenticated/accessing network resources, and more.
In March of 2014, the Computer Emergency Readiness Team (CERT)—part of U.S. Homeland Security—determined that cyber attackers had stolen key manuals and blueprints describing OPM's infrastructure and information technology. Also discovered was malware present since 2012, suggesting that the bad actors gained access several years before being detected. Exactly how and when the initial attacker gained entry to the network is unclear, but it's evident that two attackers were in the mix together—the first monitored closely by OPM security and CERT, the other undetected, posing as a Keypoint (OPM contractor) employee.
Though the widely publicized failure of the ObamaCare website (a.k.a Healthcare.gov) back in October of 2013 has all but faded from memory, the public sector’s persistent lag in technological innovation coupled with recent calamitous data breaches means there is no shortage of press fodder for critics. What will it take for the U.S. government to transcend its current dearth of agility and innovation?
The report states that the second hacker "who had successfully established a foothold on OPM’s systems and had not been detected due to gaps in OPM’s security posture, remained in OPM’s systems.” Using the Keypoint employee's login credentials to gain system access, the hacker was able to install malware and create a network backdoor for exfiltrating confidential data.
“This is in large part due to sloppy cyber hygiene and inadequate security technologies that left OPM with reduced visibility into the traffic on its systems,” the report continues. “The data breach by Hacker X1 in 2014 should have sounded a high level, multi-agency national security alarm that a sophisticated, persistent actor was seeking to access OPM’s highest-value data. It wasn’t until April 15, 2015 that the OPM identified the first indicator that its systems were compromised by Hacker X2.”
Protecting What You Can't See
Lack of visibility is in fact the main precursor to security incidents—the Sans Institute considers it the number one cloud security issue. "Overall, lack of visibility into cloud provider operations and controls stands as the largest issue respondents experienced with their providers," wrote Dave Shackleford, analyst and author of a recent SAN report about cloud security. For the OPM, lack of visibility caused failures on multiple fronts that enabled hackers to carry out the most devastating data breach in history. Its operations staff lacked visibility into the state and security fitness of existing systems—requisite knowledge for making the appropriate patches and updates. Lack of visibility also rendered nefarious activities behind the perimeter opaque, allowing the second hacker to successfully install the backdoor from inside the network. CERT’s June 2014 incident report details the OPM's failings in this regard:
“Gaps in OPM’s audit logging capability likely limited OPM’s ability to answer important forensic and threat assessment questions related to the incident discovered in 2014. This limited capability also undermined OPM’s ability to timely detect the data breaches that were eventually announced in June and July 2015.”
Cyber resilience is a top-down strategy; tooling and monitoring cannot comprehensively bolster an organization's security without a shift in attitude regarding security—as mandated by executive sponsorship. In this sense, perhaps the biggest lapse in visibility was OPM leadership's blindness to its own department's lack of security fitness. The U.S. House Oversight and Government Reform Committee report suggests a deep-rooted issue inside of the OPM:
“The long-standing failure of OPM’s leadership to implement basic cyber hygiene, such as maintaining current authorities to operate and employing strong multi-factor authentication, despite years of warnings from the inspector general, represents a failure of culture and leadership, not technology."
In short, visibility is the core component of strong security. Without knowing what you have, it's virtually impossible to determine what's missing and/or compromised. Visibility is also a foundational element of cyber resilience—that is, rolling with the punches to minimize damage in the event of the inevitable data breach. The OPM and CERT were able to identify and monitor the first attacker, but complacency enabled the second attacker to deliver the final blow. UpGuard enables visibility across all your IT environments—from the configurations that prevent external compromises to critical patches for closing security gaps inside the perimeter, our cyber resilience platform ensures that your infrastructure's state is always known and validated.