OPM On Track to Exceed Federal Security Standards

The Office of Personnel Management got a wakeup call earlier this year when it discovered millions of files had been hacked, but its nightmare isn’t over yet.

The FBI has opened a criminal investigation into the theft of 21.5 million security clearance files. OPM is still plugging the holes and millions of Federal workers, their families and friends and government contractors are girding for their own losses with information obtained by surreptitious hackers. Although Rep. Gerry Connolly (D-Va.) claimed Tuesday while speaking at a meeting of the Cloud Computing Caucus Advisory Group that information from the theft had been used on at least three occasions in the last several weeks to apply for credit cards in his name, OPM says it has no reports that information has been misused.

“The malware is out of the system,” an OPM security expert said in an interview Wednesday with Meritalk.com. “We discovered the depth of the problem. There were a lot of things we’ve done to increase the protections. It’s always been protected. The breach itself was a method used that was not previously understood.”

The breach of personnel records was discovered in April as a result of new cybersecurity tools OPM had installed. Officials said hackers used stolen contractor logins and passwords. China is believed to be the culprit but the Obama administration has not formally accused Beijing of breaking into the system and absconding with the data.

The hackers were aided by the agency’s single authorization system. Today, OPM has installed a dual authorization system using a Personal Identification Verification (PIV) system mandated by Homeland Security Policy Directive 12 (HSPD-12), the mandatory, governmentwide standard for secure and reliable forms of ID issued by the Federal government to its employees and employees of Federal contractors for access to government facilities and networks.

Tony Busseri, CEO of Route1 Inc., a Canadian company that provides security solutions for mobile devices and whose customers include the Departments of Defense, Energy, and Homeland Security, says OPM failed to put in place proper user authentication procedures to prevent a hacker from getting into its networks.

“Clearly part of that major failure was noncompliance with authentication requirements under Homeland Security Presidential Directive 12,” he says.

“Implementing authentication methods that are compliant with Federal mandates, such as HSPD-12, will mitigate the potential for data breaches. Ultimately, this will save government agencies money, and will help to protect against any litigation, loss of data or damaged reputations stemming from a breach,” Busseri says.

“The OPM data breach has sparked more aggressive efforts for positive change in regards to cybersecurity for the public sector. Many Federal leaders have taken a progressive stance on authentication, are putting the right methodologies in place, and in fact the U.S. government has enacted better security policy than a number of corporate entities,” Busseri says.

Now OPM is on track to meet or exceed all Federal mandates including the Federal Information Security Management Act (FISMA), Cyberstat, the Department of Homeland Security Trusted Internet Connection (TIC) v2, and HSPD-12.

But the OPM security official, who spoke to MeriTalk on condition of anonymity, struck a tone of cautious optimism. “You can shore everything up and still have a break in,” the official said. “Here are some of the agency’s accomplishments, some taken before the break in and others since then.”

1. Implemented Level 4 two factor authentication for all privileged and non-privileged users. The requirement of utilizing PIV for all users has made OPM a leader in complying with the HSPD-12 mandate and significantly reduces the attack surface of the network.
2. Restricted remote access for network administrators and restricted network administration functions that can be performed remotely.
3. Reviewed all connections and associated Access Control Lists (ACLs) to ensure only legitimate business connections  have access to the internet. This includes blocking privileged users access to the internet.
4. Required administrators to authenticate through a privileged user management appliance in order to perform all administrative functions. Direct access to servers or databases cannot be achieved by users or administrators.
5. Deployed new hardware and software tools to secure the network. Including: Endpoint protection to detect and prevent malicious and unauthorized software from installing and running on endpoints and servers.
6. Web Application Firewalls to monitor traffic to and from web applications and prevent common attacks such as DDOS, cross-site scripting, SQL injection, and session hijacking.
7. Endpoint anti-virus/malware scanning to quickly detect and block viruses and malware.
8. Automated threat response to unify, automate, and orchestrate incident responses to ensure speed and decisiveness.
9. Network Access Control to detect and limit unauthorized access from devices that do not meet OPM policy.
10. Business critical data and database compliance by providing visibility into data access and tracking users activity and data sets.
11. Advanced firewall services to better protect and filter network traffic on the internal and external perimeter.
12. Network risk and vulnerability monitoring and assessments to identify areas of weakness in the network architecture.
13. Inbound and outbound SSL inspection to audit and monitor encrypted malicious traffic.
14. Deployed network and email data loss prevention solution to detect data exfiltration.
15. Implemented anti-phishing and anti-malware inspection and prevention of email traffic.
16. Deployed additional firewalls to segment and monitor internal traffic.
17. Implemented continuous monitoring to enhance the ability to identify and respond, in real time or near real time, to cyber threats.
18. Centralized security management and accountability.