U.S. Office of Personnel Management Data Breach

APNewsBreak: Massive breach of federal personnel data by Ken Dilanian and Ricardo Alonso-Zaldivar.

From the post:

Hackers broke into the U.S. government personnel office and stole identifying information of at least 4 million federal workers.

The Department of Homeland Security said in a statement Thursday that at the beginning of May, data from the Office of Personnel Management and the Interior Department was compromised.

One usual cyber suspects, China, has been accused of being responsible for the breach. Which China denies.

China and North Korea are accused of cybercrimes on a regular basis, in part due to the inability of most Americans to find either one on a map.

I don’t doubt that governments around the world engage in a variety of cyber activities, some offensive and some defensive. Including China and North Korea. But given the revelations of Edward Snowden and the crimes committed against allies, non-allies and its own people by the United States government, that same government has no high moral ground for accusing others without public proof.

No doubt the accused in many cases could return the favor with evidence of further indiscretions by the United States. Fewer tantrums and more funding of computer security research would be a step in a better direction.

In case you are interested, the Congressional Budget Justification Performance Budget Fiscal Year 2015, reads in part:

During FY 2013, OPM made significant strides in addressing the management challenges identified by the OIG. A detail accounting of OPM’s FY 2013 actions to address the management challenges can be found in OPM’s FY 2013 Agency Financial Report at https://www.opm.gov/about-us/budget-performance/performance/2013-agency-financial-report.pdf. Below is a table briefly describing the top management challenges and how the fiscal year 2015 budget request addresses each management challenge.

Isn’t that odd? That the 2015 Justification skips over 2014 to say it is improving from the 2013 financial report?

From the United States Office of Personnel Management, Agency Financial Report, 2014:

During FY 2014, the Office of Chief Information Officer (OCIO) continued to make progress in centralizing security program functions in an effort to address deficiencies noted in its security program. However, we continue to observe control weaknesses as follows:

1. The current authentication guidance regarding two-factor authentication has not been fully applied.

2. Access rights in OPM systems are not documented and mapped to personnel roles and functions to ensure that personnel access is limited only to the functions needed to perform their job responsibilities.

3. The information security control monitoring program was not fully effective in detecting information security control weaknesses. We noted access rights in OPM systems were:

  • Granted to new users without following the OPM access approval process and quarterly reviews to confirm access approval were not consistently performed.
  • Not revoked immediately upon user separation and quarterly reviews to confirm access removal were not consistently performed.

4. The password length setting for privileged user accounts did not meet minimum OPM password length requirements.

(at page 40)

For more than two (2) years the Office of Chief Information Officer (OCIO) has been sitting on implementing two-factor authentication and privileged user passwords did not meet “minimum OPM password length requirements.”

Wow! I think we now know who was responsible for this data breach, even if we don’t who carried out the data breach. Yes?

This isn’t some highly sophisticated hack. Some former employee or current one with a weak password could be responsible for this data breach. A data breach that exposed all present and past federal employees. That’s a high impact breach, don’t you think?

Could be some junior high or high school hacking club. Looking for low lying fruit. They found it at the U.S. Office of Personnel Management. Maybe OPM will tighten their security up, in another year or two.

BTW, it isn’t like the government lacks for good advice on being secure:

FIPS PUB 200 Minimum Security Requirements for Federal Information and Information Systems

NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations

Also be aware of the NIST Cybersecurity Framework page.

There are other relevant NIST publications and agency specific ones but those should give you an idea of what is already known to government security experts.

Comments are closed.