Cybersecurity Sprint: Federal CIO Orders ‘Dramatic Increase’ in Use of Two-Factor Authentication
In response to the OPM hack that leaked four million records of personal data (and potentially more information, including classified employee security clearance data), the U.S. Chief Information Officer (CIO) launched a 30-day Cybersecurity Sprint, another name for the baseline security requirements that every federal agency must take steps toward implementing in the next thirty days.
These are security basics - and the fact that they are highlighted in this ‘cybersecurity sprint’ has elicited some rather snarky headlines, such as “US mega-hack: White House orders govt IT to do what it should have done in the first place” with a subhead of “No, you’re not reading The Onion.” The snark is understandable, as it’s somewhat alarming that these practices weren’t already standard among federal agencies.
The memo orders agencies to report their progress on the following after 30 days:
- Scan systems and check log files for any indicators of malicious activity
- Patch critical vulnerabilities without delay
- Tighten policies and practices for privileged users, such as:
  - Minimize the number of privileged users
  - Limit functionality of privileged accounts
  - Limit duration that privileged users can be logged in
  - Limit functions that can be performed via remote access
  - Ensure privileged activity is logged, and logs are reviewed regularly
- Dramatically increase implementation of multi-factor authentication (also known as two-factor authentication), especially for privileged users
  - Including the use of a Personal Identity Verification (PIV) card or an alternative form of multi-factor authentication
The memo recognizes that “intruders can easily steal or guess usernames/passwords and use them to gain access to Federal networks, systems, and data.”
The OPM testimony in front of the House Oversight and Government Reform Committee revealed that the agency had not encrypted data on its networks because encryption was “not feasible to implement on networks that are too old.” The same excuse was given for the lack of two-factor authentication - OPM stated that its systems were written in COBOL (common business-oriented language), and that implementing two-factor authentication would require a full code rewrite.
An article on arstechnica.com points out that encryption likely wouldn’t have mattered in this case, because the attackers had gained access to valid user credentials. It also pointed out that the lack of multi-factor authentication on these systems gave the attackers free rein.
Worse yet, OPM has been sending email notices to federal employees, asking them to click on a link to a private contractor’s website to sign up for credit monitoring - pretty much a no-no when it comes to best security practices and phishing awareness.
Even Anthem, one of the largest health insurers, was cautious enough to avoid sending emails with links in them. In its FAQ, it warns against clicking links and entering personal information into forms. This was important, as there were cases of phishing emails targeting Anthem customers with links to fake credit card protection websites.
The Dept. of Defense (DoD) recognized this error and posted a notice to DoD personnel stating that notification has been suspended until “an improved, more secure notification and response process can be put in place…”
A timeline of the breach, including security incidents involving contractors, can be found on Nextgov.com.