In a recently filed class-action lawsuit against OPM, the plaintiffs cited a November 2014 Office of the Inspector General (OIG) report stating that the “drastic increase in the number of [software] systems operating without valid authorization is alarming and represents a systemic issue of inadequate planning by the OPM offices to authorize the [software] systems they own.” The OIG report also cited cybersecurity deficiencies that “could potentially have national security implications.” These included:
- The OPM’s decentralized governance structure
- A lack of acceptable risk management policies and procedures
- Failure to maintain a mature vulnerability scanning program to find and track the status of security weaknesses in software systems
- A high rate of false security alerts that could delay the identification of and response to actual security breaches
- Failure to use tools to monitor the progress of corrective efforts for cyber security weaknesses
- Remote access sessions which did not terminate or lock out after the period of inactivity required by federal law
- Failure to continuously monitor the security controls of all software systems
- Failure to maintain and test contingency plans for every information system as required under the OPM’s policies
- Failure to use Personal Identification Verification (PIV) cards for multi-factor authentication in all major software systems
According to the OIG report, evidence points to credentials stolen from a private contractor as the source of the breach. It notes that the third-party contractor had suffered a breach in August 2014, that employee credentials were compromised, and that OPM failed to take proactive measures to address the access privileges that may have been provided to employees of that contractor. This breach gives senior executives in large organizations and cybersecurity professionals a case study in the need to improve the understanding and implementation of prudent cybersecurity risk management and governance best practices, and to ensure a strong and skilled cyber workforce.
While implementing technical solutions may have played a significant role in potentially preventing or lowering the risk associated with this kind of incident, it likely would not have saved the day against a well-funded and determined nation-state adversary. Technology is only effective if risk management and governance policies are developed and implemented and cybersecurity professionals at all levels of the organization are trained and have the requisite skills to perform the tasks related to their functional roles in cybersecurity.
In today’s world of advanced threats, it is critical that staff at all levels obtain training and certifications that build the most up-to-date cyber defense capabilities. The OPM breach is a clear indication that training and education, through programs such as ISACA’s Cybersecurity Nexus (CSX), need to be at the forefront. Enterprises need hands-on skills to manage a mature vulnerability scanning program, recognize false-positive security alerts more quickly, properly monitor the progress of corrective actions for cybersecurity weaknesses, implement effective remote access policies, employ effective continuous monitoring of security controls, develop, maintain, and test information system contingency plans, and finally, ensure that multi-factor authentication is implemented on critical information systems.
Robin “Montana” Williams
Sr. Manager, Cybersecurity Practices
ISACA/Cybersecurity Nexus (CSX)