UPDATE: Feds Breached Again, Lose 21.5 Million Records
SecurityScorecard Finds Federal Department Had Poor Security Hygiene, Especially in IP Reputation
LATEST UPDATE: The number of people affected by the OPM breach is now over 21.5 million, according to The New York Times.
UPDATE: BloombergBusiness reported that the number of employee and contractor records stolen could now be up to 14 million. The news organization cites five different unnamed sources in the article. One of the most striking developments involves the potential legal effects on third parties. The article states:
One impediment to determining the scope of the attack is that investigators haven’t been able to trace all the threads — especially those leading to private companies — because many businesses are concerned that disclosing a network penetration could expose them to lawsuits, the officials said.
UPDATE: According to Nextgov, OPM is now spending over $20 million on notification services to existing and former Federal employees based on public contract award filings from June 2. The contract was awarded to Winvale, a Washington D.C.-based identity theft and fraud solutions provider.
Uncle Sam’s human resources department is the latest data theft victim. The U.S. Office of Personnel Management (OPM) announced last Thursday that it had discovered a data breach affecting four million Federal employees. Ouch. The breach appears to have begun late last year, according to The New York Times.
The U.S. government was quick to attribute the attack to China, but many security experts are wary of that kind of rapid attribution, given the obfuscation and false trails attackers use to hide their activities. In the last day, news has emerged that this data breach may also have included security clearance information going back as far as 1982.
“SecurityScorecard currently rates OPM a letter grade of ‘C’ for IP Reputation for the presence of malware in their systems,” said Alex Heid, Chief of Research for SecurityScorecard. “We detected a number of generic malware infections in the government’s infrastructure from instances appearing in OSINT (open source intelligence) feeds that we use in our platform.”
OPM also rated less than stellar in two other key areas of security hygiene. The government department was rated a ‘B’ for Application Security and a ‘B’ for DNS Health, two of the ten areas graded in SecurityScorecard’s collaborative platform. OPM runs multiple legacy systems on the Microsoft ASP framework using Cold Fusion. The presence of malware infections on numerous IP addresses in OPM’s very large legacy infrastructure made its broad attack surface an attractive target.
SecurityScorecard Dashboard Rating of the U.S. Office of Personnel Management
“We don’t know the full story yet, but our hypothesis is that this attack involved social engineering (where employees weren’t adequately trained and gave up credentials), plus the use by attackers of a malware payload to establish a back channel to exfiltrate the data,” said CEO and Co-founder of SecurityScorecard, Dr. Alex Yampolskiy.
This type of attack on OPM can serve as a jumping-off point for attacks on other organizations once hackers have retrieved valuable confidential information. Chris Wysopal, CTO of application security company Veracode, told CSOonline.com the following about the voluminous breach:
Detection is only effective when there are processes or people who can respond to the alarms. We saw in the Target breach that an intrusion detection system did sound the alarm but it wasn’t acted on. This is a problem with over-reliance on detection. It is difficult to weed out real alarms from the noise and have adequate responses.
Detection, among other security investments, is important, but it has its limitations in isolation. In the case of Target, the breach occurred through an application in a partner’s system that was connected to Target. Knowing a partner’s security posture, however, might have gone a long way in Target’s case toward closing the risk loop with that partner before a breach occurred. It might have also helped Uncle Sam.
“Unfortunately, 80% of the budget of most companies today is spent on perimeter or reactive security solutions which don’t stop many of these threats, whereas only 20% of the budget goes towards proactive defenses such as threat intelligence feeds and advanced persistent threat (APT) prevention,” said SecurityScorecard’s Yampolskiy.
The average total cost of a data breach has grown 23% over the last two years and now stands at $3.79 million per breach, according to a Ponemon Institute report from last month. The average cost of lost business from a breach is now up to $1.57 million.