Skip navigation

OPM Security Audit: No Two-Factor Authentication

As the NYTimes.com reported, the Office of Personnel Management (OPM) completed a security audit in November of last year - but not before they were breached by attackers, putting four million personal data records at risk.

Instead of who did it, the discussion should be more like: What can we learn from their mistakes to help us protect our data and users from a similar attack?

OPM Audit Report

To find out how, I read the report that evaluated OPM’s security program against the Depart. of Homeland Security’s Federal Information Security Management Act (FISMA) guidelines. Here’s a summary of their findings:

Unqualified InfoSec Personnel

The OPM’s infosec system was managed by Designated Security Officers (DSO) that weren’t certified IT security professionals and were performing DSO duties in addition to their full-time jobs. Despite updating to new IT security and privacy policies, the DSOs just weren’t qualified to implement those policies.

Overall, a decentralized governance structure is to blame for their noncompliance with FISMA, according to the OPM - infosec personnel didn’t report to the Chief Information Security Officer (CISO) and they didn’t employ experienced infosec professionals to manage their security.

Operating Without Authorization

Of the 21 OPM systems due for reauthorization, 11 weren’t completed on time and were operating without a valid authorization - including systems at the following offices:

  • The Office of the Chief Information Office (CIO)
  • Federal Investigative Services
  • Human Resources Solutions
  • Office of the Inspector General
  • Office of the Chief Financial Officer (CFO)

Those are some of the most critical and sensitive applications owned by the agency, according to the report.

But what is authorization, in this context? According to the Appendix III to OMB Circular No. A-130: management authorization should be based on an assessment of management, operational and technical controls - that is, an application security plan developed and customized for each specific application used by the OPM.

So, while incredibly nonspecific and subjective, the OPM still failed to reauthorize more than half of their systems per application security policy.

No Operating Platform Configuration Baselines

The OPM ran servers and workstations on several operating platforms (do they mean operating systems?) that didn’t have documented/approved baselines for configuration.

That means that the scanning tools that the Office of the Chief Information Officer (OCIO) uses to conduct compliance audits had no baseline to compare against. Why the baselines must be created by the OPM and not the OCIO is not immediately clear.

Vulnerability Scanning? Who Knows

The report stated the auditors were unable to obtain tangible evidence that vulnerability scans were routinely conducted on all of OPM’s servers in 2014.

No Insight, No Inventory

The report also found that OPM doesn’t maintain an accurate centralized inventory of all of their servers, databases or network devices that reside within the network. Without insight into this basic data, it’s pretty hard to ensure OPM data is secured.

Untimely Patch Management

Although the OCIO applies operating system patches on all devices within OPM’s network weekly, and uses a third-party patching software management program to update the software, they still found, via scans, that numerous servers were not patched on a timely basis.

Timely patch management is crucial to keeping systems protected from known vulnerabilities.

Poorly Configured SIEM

Although the OPM owns a security information and event management (SIEM) tool that can detect, analyze and correlate security incidents over time, it wasn’t configured to receive data from 20 percent of major OPM information systems.

The report also stated that OPM systems were over-reporting log and event data, resulting in too much data for their security analysts to review. Plus, there was a high volume of false-positives that created a backlog and delay in identifying real incidents.

No PIV Authentication

While over 95 percent of OPM workstations require PIV (Personal Identity Verification) authentication to access the OPM network, none of the agency’s 47 major apps require PIV authentication. PIV is a type of government-issued smart card.

No Two-Factor Authentication

According to the NYTimes.com, in an interview, OPM’s Chief Information Officer (CIO) Donna Seymour said that installing two-factor authentication (multi-factor authentication) in the government’s ‘antiquated environment’ was difficult and very time-consuming.

The agency now plans to install two-factor authentication across its network. OPM is not alone, as many other large companies have turned to the technology after a breach, including Bitly and Evernote. Even Apple added the feature to iCloud accounts and AppleID after mass celebrity account attacks that leaked private data.

More recently, Apple released iOS 9 with security enhancements, including two-factor authentication built into the operating system. According to Naked Security, Apple agrees that “a password alone is not always enough to keep your account secure.”

Also recently, social sharing app Snapchat added the ability to enable two-factor authentication, with the ability to create a recovery code in the event that you lose or break your phone. Protecting administrative and other user accounts is a key investment, for good reason - 95 percent of security incidents involve harvesting credentials stolen from customer devices, then logging into web apps with them, according to the 2015 Verizon Data Breach Investigations Report (DBIR).

Two-Factor Authentication Evaluation Guide However, some legacy two-factor authentication solutions may be more difficult than others to install, deploy, maintain and upgrade due to the reliance on tokens. A cloud-based two-factor solution allows you to quickly and easily deploy the solution to your users via a mobile app - no hardware or software installation required.

All security updates are automatically applied to the solution by the two-factor provider, with infrastructure maintained and operated by audited hosting providers, making it easier for organizations to integrate the solution with their existing applications.

Learn more about different two-factor authentication solutions in our Two-Factor Authentication Evaluation Guide.

Ultimately, the security report found that OPM had not undergone an adequate security controls test in more than eight years - which is more than enough time for new vulnerabilities to pop up and for breaches to go unnoticed. Don’t wait that long to take a look at your own company’s security controls in order to avoid a preventable breach.

Thu Pham

Information Security Journalist

@Thu_Duo

Thu Pham covers current events in the tech industry with a focus on information security. Prior to joining Duo, Thu covered security and compliance for the infrastructure as a service (IaaS) industry at Online Tech. Based in Ann Arbor, Michigan, she earned her BS in Journalism from Central Michigan University.