OPM Chastised for Lack of Security Analytics: “Breach Easily Preventable”

The OPM breach of 2014/2015, the largest government cybersecurity breach in history, was easily preventable. That’s according to a report released by The House Committee on Oversight and Government Reform published on September 7th, 2016.

The report, titled: “How the Government Jeopardized Our National Security for More than a Generation” urges federal CIOs to act:

“The loss of personally identifiable information (PII) is deeply troubling and citizens deserve greater protection from their government. Further, the damage done by the loss of the background information and fingerprint data will harm counterintelligence efforts for at least a generation to come.”

Here are the key findings of the report:

• The lax state of OPM’s information security left the agency’s systems exposed. Leaders failed to recognize the extent of the threat of reported breach in 2014, allowing the actors to continue an uninterrupted path and remove materials that provided a roadmap to the OPM IT environment in 2015.

• The exfiltration of security clearance files could have been prevented. Implementation of two-factor authentication for remote logons would have precluded access to sensitive information. Furthermore, if preventative network monitoring tools had been implemented prior to the breach, the intruder may have been detected and stopped. The hacker(s) had been in the system since the spring of 2014 but it wasn’t until April 2015 that OPM first identified any indicators of compromise.

This is in large part due to sloppy cyber hygiene and inadequate security technologies that left OPM with reduced visibility into the traffic on its systems,” said the report.

• OPM misled Congress and the public to diminish the damage. The agency failed to announce the 2014 breach, and claimed the two attacks weren’t coordinated.

According to the report, OPM’s leadership failed to “implement basic cyber hygiene, such as maintaining current authorities to operate and employing strong multi-factor authentication, despite years of warning from the Inspector General… tools were available that could have prevented the breaches…

Security Analytics Could Have Prevented Severity of Attack

More recently, Federal CTO at Symantec + Blue Coat, Aubrey Merchant-Dest, outlined how robust security analytics might have mitigated the OPM attack.  Writing from Homeland Security Today, Merchant-Dest commented:

“With a more robust security analytics toolset, OPM’s IT staff would likely have spotted the second hacker, who used the credential of an OPM contractor to gain access. While the hacker had a legitimate credential, a security analytics tool could have identified that person’s unusual behavior on the network, and reported it to the proper channels for review.”

Read the entire findings of the Committee’s report.