What Really Happened In The OPM Breach

By   ISBuzz Team
Writer , Information Security Buzz | Oct 25, 2016 09:10 am PST

In April 2015, 21.5 million Americans were affected by the breach of the Office of Personnel Management’s (OPM) systems which exposed over four million records of current and former government employees. But how did this happen? What can we learn from this when it comes to strengthening access security?

According to the Committee on Oversight and Government Reform, there were five fundamental failures that contributed to the breach:

  • The OPM failed to prioritise funding for cyber security; its $7 million security budget put them last when compared to other agencies.
  • It lacked the effective leadership and managerial structure to implement reliable IT security policies.
  • The OPM failed to implement critical basic security measures such as two-factor authentication.
  • The network was ‘insecurely architected’ and running a significant amount of legacy infrastructure.
  • The agency and its IT security programme struggled to meet many of the FISMA (Federal Information Security Management Act) compliance requirements.

Weak Authentication

According to the report, the OPM had one of the weakest authentication profiles in 2014, with only 1% of user accounts requiring any form of personal identity verification. It also failed to meet the longstanding requirement to use multi-factor authentication for all employees and contractors logging on to the network.

According to an interview in the NYTimes, OPM’s CIO said that installing two-factor authentication in the government’s ‘antiquated environment’ was difficult and very time-consuming. However, the agency does now plan to install two-factor authentication across its network following the testimony of the Department of Human Services (DHS) stating that two-factor authentication for remote logins would have precluded continued access by the intruder into the OPM.

Ultimately, the lax state of OPM’s information security left the agency’s systems exposed for any experienced hacker to infiltrate and compromise.

What Happened Next

A third party reported data exfiltration from OPM’s network, followed by OPM monitoring the attackers over two months and allowing them to remove manuals and other sensitive material. This was Hacker 1. Hacker 2 used third party credentials to log into the system, install malware and create a backdoor to the network, all whilst OPM and the DHS worked together to ensure Hacker 1 didn’t get access to their security clearance background information. However, after using the third party’s credentials for initial entry, the attacker obtained Windows domain administrator credentials to maintain persistence from malware. This allowed Hacker 2 to access and steal the security clearance files, personnel records, and eventually 5.6 million fingerprint records.

Mitigating Risks With Trusted Access

Built-in security, designed with users and clearly defined trusted access can help prevent breaches before they happen. That is, a holistic access security solution that is easy to use and deploy, with minimal maintenance and setup required. This can be done by verifying the identity of users and the security health of their devices before they connect to any applications – this is known as Trusted Access.

To ensure Trusted Users, use two-factor authentication to verify users’ identities. Two-factor authentication has made great strides since the days of hard tokens with some now providing one tap authentication via smartphones. Users enter their username and password, approve the login request using their mobile phone with the push of a button and can then gain secure access to the application. The key is ease of use so that users don’t feel hampered by cumbersome processes. This frictionless approach to two-factor authentication, paired with trusted devices using the latest operating systems can ensure protection for every application.