Not for the first time in the past twelve months, the United States Office of Personnel Management (OPM), an independent government agency that manages the civil service, has announced a security breach: 21.5 million background check records were compromised, along with 1.1 million fingerprints, 1.8 million social security records, and applicant usernames and passwords.
In July 2014, OPM traced a breach of its systems, attributed to China, back to March of that year. The resulting report detailed that OPM had failed to:
- keep an inventory of servers, databases and IT infrastructure devices
- implement multi-factor authentication
- maintain a vulnerability detection program
We also know that social security numbers were not encrypted, although OPM CIO Donna Seymour has been quoted as saying that it’s difficult or impossible to secure some of the agency’s legacy COBOL systems, which are more than 25 years old.
While we still don’t know exactly how OPM’s systems were compromised in the most recent incident, the basic information and timeline of events available make it clear that following best practices might have prevented the breaches, or at least limited their severity.
Authentication and configuration management controls
As noted by Michael Esser, OPM’s Assistant Inspector General for Audits, the agency’s poor authentication and configuration management controls helped contribute to the failure to adequately secure personal data. Any system that processes or stores high risk data should be protected by multi-factor authentication, which is not only a basic defense-in-depth strategy, but a necessity considering the general weaknesses associated with passwords.
Change and configuration management processes are also vital, but technology can lend a helping hand, such as monitoring changes made to IT systems by checking the system event logs. Furthermore, attention should be paid to how privileges are assigned. Least privilege security, where users are assigned only the privileges required to carry out their assigned responsibilities, plays an important role in securing systems and ensuring that change management policies are adhered to.
Protect assets as if networks are compromised
From the information we have about the original OPM breach in 2014, it’s clear that the agency’s systems had been compromised for some time before the breach was discovered. Again, proper monitoring of IT systems plays a vital role in uncovering breaches early. But it should be assumed that not every compromise can be revealed swiftly, especially considering the increasing sophistication of attacks.
Once more, least privilege security and multi-factor authentication play a crucial role in providing additional protection for systems that might already be compromised. Privileged domain user accounts are a valuable asset, and should not be used on devices where the risk of compromise is high, such as end-user workstations.
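The two controls above, checking the event logs and keeping privileged domain accounts off workstations, combine into one simple detection. The following is an added example, not code from the original post or from Netwrix; the host inventory, privileged-group membership, log format and field names are constructed assumptions modelled on Windows Security log fields (EventID 4624 is a successful logon, 4625 a failed one).

```python
"""Flag successful logons by privileged domain accounts to end-user workstations.

Added example with constructed data. A host absent from the inventory is
reported as well, because an incomplete asset inventory was one of the
failures called out in the OPM audit."""
import re

# Constructed host inventory mapping hostname to its role.
HOST_ROLES = {"DC01": "domain-controller", "FS02": "server",
              "WS-ALICE": "workstation", "WS-BOB": "workstation"}

# Constructed set of accounts that belong to privileged groups.
PRIVILEGED = {"CORP\\da-jsmith", "CORP\\svc-backup"}

# Constructed log lines in a simplified key=value export format.
SAMPLE_LOG = """\
2015-06-02T08:01:10Z EventID=4624 Account=CORP\\alice Host=WS-ALICE LogonType=2
2015-06-02T08:03:44Z EventID=4624 Account=CORP\\da-jsmith Host=DC01 LogonType=2
2015-06-02T09:15:02Z EventID=4624 Account=CORP\\da-jsmith Host=WS-BOB LogonType=10
2015-06-02T09:16:30Z EventID=4625 Account=CORP\\da-jsmith Host=WS-BOB LogonType=10
this line is malformed and must be skipped by the parser
2015-06-02T11:40:19Z EventID=4624 Account=CORP\\svc-backup Host=WS-ALICE LogonType=3
2015-06-02T13:22:05Z EventID=4624 Account=CORP\\da-jsmith Host=LAPTOP-77 LogonType=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"Host=(?P<host>\S+) LogonType=(?P<ltype>\d+)$")


def parse_events(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.groupdict()


def privileged_workstation_logons(text):
    """Return (timestamp, account, host, role) for each successful logon
    (EventID 4624) by a privileged account to a workstation or to a host
    missing from the inventory. Server and domain-controller logons pass."""
    hits = []
    for ev in parse_events(text):
        if ev["eid"] != "4624" or ev["acct"] not in PRIVILEGED:
            continue
        role = HOST_ROLES.get(ev["host"], "unknown")
        if role in ("workstation", "unknown"):
            hits.append((ev["ts"], ev["acct"], ev["host"], role))
    return hits


if __name__ == "__main__":
    for hit in privileged_workstation_logons(SAMPLE_LOG):
        print("ALERT privileged logon to %s host: %s on %s at %s" % (hit[3], hit[1], hit[2], hit[0]))
```

Running it against the constructed log reports the two workstation logons and the logon to the uninventoried host, while the domain-controller logon and the failed attempt are not flagged.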
Netwrix Auditor goes beyond collecting and reporting on event log data: it also monitors changes that are not recorded in the system logs, and provides additional information that can help pinpoint security breaches or unauthorized configuration changes quickly.