Chuck Leaver – What CISOs Can Learn From the OPM Data Breach Review

Written by Dr. Al Hartmann and presented by Ziften CEO Chuck Leaver


Cyber attacks, attributed to the Chinese government, breached sensitive personnel databases and took the records of over twenty-two million current, former, and prospective U.S. government employees and their family members. Stern warnings from the Office of the Inspector General (OIG) to shut down systems lacking a current security authorization (Authority to Operate, or ATO) were disregarded.

Presciently, the OIG specifically cautioned that failure to shut down the unauthorized systems carried national security implications. Like the Titanic's doomed captain holding flank speed through an ice field, OPM responded:

“We concur that it is necessary to keep up-to-date and legitimate ATOs for all systems but do not believe that this condition rises to the level of a Material Weakness.”

OPM also worried that shutting those systems down would mean a lapse in retirement and employee benefits and paychecks. Offered a choice between a security lapse and an operational lapse, OPM chose to run insecurely and was pwned.

Then-director Katherine Archuleta resigned in July 2015, a day after revealing that the scope of the breach vastly exceeded the original estimates.

Despite the high-value information it held, OPM failed to prioritize cyber security and adequately protect that data.

What Are the Lessons for CISOs?

Prudent CISOs will want to avoid professional immolation in a massive, flaming data breach catastrophe, so let's quickly review the key lessons from the executive summary of the Congressional report.

Prioritize Cyber Security Commensurate with Asset Value

Have an effective organizational management structure to implement risk-appropriate IT security policies. Persistent non-compliance with security best practices and lagging timelines for implementing audit recommendations are signs of organizational failure and administrative atherosclerosis. Shake up the organization, or prepare for your post-breach grilling before the panel of inquisitors.

Don’t Tolerate a Complacent State of Information Security

Have the monitoring in place to maintain critical situational awareness, and leave no observation gaps. Do not underestimate the scope, extent, or gravity of attack indicators. Assume that if you have identified some attack indicators, there are others you are missing. While OPM was forensically monitoring one attack avenue, a parallel attack went unobserved. When OPM did take action, the attackers learned which intrusion had been discovered and which was still succeeding, rather valuable intelligence for the adversary.

Mandate Essential Security Tools and Rapidly Deploy Cutting-Edge Ones

OPM was grossly negligent in deploying mandated multi-factor authentication for privileged accounts, and it did not deploy readily available security technology that could have prevented or mitigated the exfiltration of its most valuable security background investigation files.

For authentication to privileged data or control access, the phrase “password protected” has been an oxymoron for years: passwords alone are not protection, they are an invitation to compromise. Beyond adequate authentication strength, complete network monitoring and visibility are needed to prevent the exfiltration of sensitive data. The Congressional investigation blamed lax cyber hygiene and inadequate visibility into network traffic for the attackers' persistent presence in OPM's networks.

Don't Fail to Escalate the Alarm When Your Most Sensitive Data Is Under Attack

In the OPM breach, the observed attack activity “ought to have sounded a high-level, multi-agency national security alarm that an advanced, consistent actor was looking to gain access to OPM’s highest-value data.” Instead, nothing of consequence was done “until after the agency was significantly compromised, and until after the agency’s most sensitive info was lost to wicked actors.” As a CISO, sound that alarm in time (or rehearse your face for the panel appearance).

Finally, do not let this be said of your organization's security posture:

The Committee obtained documentation and testimony showing OPM’s info security posture was undermined by a woefully unsecured IT environment, internal politics and administration, and inappropriate top priorities related to the release of security tools that slowed crucial security choices.

