
OPM Data Breach Highlights Needs for Standardized Security Controls

06/09/2015  |  By: Sese Bennett, CISSP, CISM, QSA, ITIL, HITRUST CSF, Senior Manager, Information Security



Your personal data has been compromised. Those are words that no one wants to hear, especially not the four million current and former federal employees whose information may have been breached through the Office of Personnel Management's (OPM's) computer system.

OPM is responsible for screening and hiring federal workers as well as handling 90% of the security clearance approvals for the federal government. This breach, once again, shines a spotlight on the urgency to secure data and advance the initiatives of programs like the Federal Risk and Authorization Management Program (FedRAMP).

According to an NBC News report, U.S. officials do not believe that this breach is a "worst-case scenario". However, they have conceded that it could be one of the largest cyber attacks in U.S. history, possibly infiltrating every federal agency. It appears this latest breach of federal employee information originated in China. China has denied involvement, citing anti-cyber crime laws. But that is of little comfort to the four million potential victims.

Sensitive data such as employee records, including birth dates and Social Security numbers, as well as security clearances may have been affected. This is the type of high-profile data that China, other foreign states and hacker organizations seek to compromise. If they can "own the person," they can own what that person has access to, whether it's their financials, healthcare records, or in this case access to federal government information.

What's even more disconcerting is that this is not the first breach for OPM, which discovered a similar cyber-attack involving one of its contractors in July 2014. Two breaches involving one agency in less than a year indicate a systemic problem with protecting its data, pointing to possible flaws in areas such as data classification or the testing and evaluation processes for third-party vendors. It also indicates that OPM may have missed a critical opportunity to put stronger controls around its data and failed to recognize key indicators of compromise that may have been present following the first attack.

While OPM and the primary government contractors it works with may have solid controls in place, the question is what controls other third- and fourth-party contractors have implemented, and how those controls are tested and verified as effective. It's complicated when you have multiple layers of access by multiple parties, each with its own set of security requirements. More often than not, a company doesn't have a particular control implemented because it wasn't recognized as being necessary until after a breach occurred.

In today's cyber environment it is likely that we will continue to see more breaches such as OPM's as more large repositories of data are saved in the cloud. Exploiting and compromising a data repository containing millions of records is much more lucrative than exploiting a single server.

This demonstrates the urgent need for the Federal Government to set policies and minimum standards for protecting all data. Private industry also has to assume responsibility and not wait for the government to enforce these standards. When we consider the recent breaches of Target, Sony Pictures, Anthem and now OPM, what's common across all of them is that there hasn't been a universal standard that they've all adhered to. Healthcare, the government and private industry all follow their own established standards, creating an inconsistent patchwork of security.

The Federal Government, as well as all organizations it conducts business with, must do more to secure their networks. Implementing FedRAMP has been a move in the right direction. It has established a standardized set of controls and policies to safeguard sensitive information being held in the cloud. This approach can be applied to other government entities and to all data within the walls of an organization, and if implemented correctly, can lead to a consistent and comprehensive security approach. Although no security controls are "bullet-proof," standardized controls applied across all of an organization's relationships will help reduce the likelihood of large-scale breaches such as the one seen at OPM.

Raising security controls to the level defined in FedRAMP can't happen overnight and will require considerable investment, an investment that's well worth it and could potentially save you much more by reducing the chances of a costly breach.

The key is to determine how to best implement all of these controls and policies, economically, efficiently, and in a timely manner. What's more, the security measures must be continuously monitored and evolve to keep pace with the hackers who are always finding new and creative ways to circumvent security. 

Check out our free guide, Breach: Network Security Best Practices for Prevention, Detection, and Response, for more information on ensuring the safest network security for your firm.

On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter @lbmcsecurity. Learn more about how our team at LBMC Information Security can help your team armor up with a wide range of network defense services. Contact us today!