Security industry experts are beginning to react to today’s news of the massive data breach at the U.S. Office of Personnel Management. Here are some initial comments –
Mark Bower, Global Director – Product Management, HP Security Voltage (www.voltage.com):
“Theft of personal and demographic data allows one of the most effective secondary attacks to be mounted: direct spear-phishing to yield access to deeper system access, via credentials or malware thus accessing more sensitive data repositories as a consequence.
These attacks, now common, bypass classic perimeter defenses and data-at-rest security and can only realistically be neutralized with more contemporary data-centric security technologies adopted already by the leaders on the private sector.
Detection is too late. Prevention is possible today through data de-identification technology.
So why is this attack significant? Beyond spear-phishing, knowing detailed personal information past and present creates possible cross-agency attacks given job history data which appears to be in the mix. Thus, it’s likely this attack is less about money, but more about gaining deeper access to other systems and agencies which might even be defense or military data, future economic strategy data, foreign political strategy, and sensitive assets of interest at a nation-state level for insight, influence and intellectual property theft.”
Richard Blech, CEO, Secure Channels (www.securechannels.com):
“This breach should give all citizens massive concern.
OPM seems a tad blasé about this breach stating that ‘OPM, using new tools, discovered the breach in April, said officials at the agency who declined to comment on who was behind the hack.’
The new tools cannot be very good if it takes four months to find out you have been breached. The speed and velocity that stolen data proliferates through the hacker black market means that said data has already been exploited. The higher valued data that is held by OPM should have all been deeply encrypted. Their new tools that are detecting and alerting mean nothing if the data is still stolen. The goal is to leave data useless to the hacker when stolen.
Congratulations, four months later and your state of the art technology has notified you that security and protection has been treated as an after the fact afterthought.”
Igor Baikalov, Chief Scientist, Securonix (www.securonix.com):
“The Annual Hackathon at the Office of Personnel Management is on, and for the second year in a row, Chinese hackers seem to be in the lead, according to federal officials.
Just like a year ago, the breach at OPM was discovered in the spring, announced in the summer, but apparently was going on since earlier winter. Just like a year ago, DHS Einstein identified the hack, although this time it took over 4 million records to get noticed – apparently, even automated intrusion detection system suffers from breach fatigue. Just like a year ago, the agency is working aggressively to assess the impact, to notify and offer credit monitoring to millions of victims, and to continue ‘protecting our federal employee data from malicious cyberincidents.’
The only difference from last year is that now the Pentagon has a new cyber strategy that specifically calls out retaliation as a viable cyber option not only in response to an attack, but also as a principal factor of deterrence. Are we ready to explore it?”