What Really Happened in the OPM Breach
About 21.5 million Americans were impacted by the breach of the Office of Personnel Management’s (OPM) systems in April 2015 - the attack also exposed over four million records for current and former government employees, including the Department of Defense.
How it all went down can be found in a 241-page Majority Staff Report released last week that includes timelines and specific details on what led to the breach. Here’s the most important parts I gleaned:
Fundamental Failures Led to the OPM Breach
The Committee on Oversight and Government Reform that released this report intended to provide valuable information for current and future CIOs and other agency heads, found a few overarching fundamental failures that led to the breach:
- The OPM failed to prioritize funding for cyber security. Their $7 million security budget put them last compared to all other agencies.
- They lacked effective leadership and managerial structure to implement reliable IT security policies
- The OPM failed to implement critical basic security measures, like two-factor authentication
- Their network was “insecurely architected” and running “a significant amount of legacy infrastructure”
- Finally, the agency and their IT security program struggled to meet many FISMA compliance requirements
Weak Authentication & Sloppy Cyber Hygiene
According to the report, the OPM had one of the weakest authentication profiles in 2014, with only 1% of user accounts requiring personal identity verification (PIV) cards for access. They also failed to implement the longstanding requirement to use multi-factor authentication for all employees and contractors that log onto their network.
The Department of Human Services (DHS) testified that two-factor authentication for remote logins would have precluded continued access by the intruder into the OPM network. Ultimately, the report stated that the “lax state of OPM’s information security left the agency’s information systems exposed for any experienced hacker to infiltrate and compromise.”
The agency was accused of “sloppy cyber hygiene,” which resulted in leaving OPM with reduced visibility into the traffic on its systems, affecting their ability to have insight into what happened after the fact.
The Diversion & Third-Party Credentials
A third party reported data exfiltration from OPM’s network. OPM monitored the attackers over two months, allowing them to remove manuals and other sensitive materials that gave them a roadmap to the OPM IT environment/key users that could be used for a compromise.
That was Hacker 1. Hacker 2 used KeyPoint (the third party) OPM credentials to log into the OPM system, install malware (Hikit) and create a backdoor to the network. Hacker 2 went undetected as OPM and the DHS worked together to ensure Hacker 1 didn’t get access to their security clearance background information.
After using the third party’s credentials for initial entry, the attacker obtained Windows domain administrator credentials to maintain persistence from malware. This allowed Hacker 2 to access and steal the security clearance files, personnel records, and eventually 5.6 million fingerprint records.
Within the breach timeline, there were several events in which lookalike domain names were registered, including “opmsecurity.org” and “opmlearning.org;” each respectively registered to Steve Rogers (Captain America) and Tony Stark (Iron Man). These domains were used for command and control servers and data exfiltration.
There’s a bunch of other weird stuff too, like OPM supposedly not paying one of its contractors that did forensic support and detected malware on their systems, and destroying more than 11k files and directories on their device before returning it to the vendor.
They also misled Congress and the public by not disclaiming the 2014/Hacker 1 breach, suggesting that the two breaches were not related. Plus a bunch of other lies from OPM officials under oath, and the resignations of officials before they could testify. Bit of a mess.
Security Recommendations from the White House
These are several security recommendations made in the document, but there are a few that I’d like to highlight that could be applicable to any organization that wants to establish a strong information security program:
Shift Efforts Toward a Zero Trust Model
Securing large and high-value data repositories are difficult when defenses are geared toward perimeter defenses, according to the report. But in this case (and in so many others), the attackers used legitimate credentials to elevate their privileges and access data within the perimeter.
The recommendation of “zero trust” centers on the concept that users inside a network are no more trustworthy than users outside a network. They recommend a few security measures:
- Limited access for all users
- Use tools to visualize and log all network traffic
- Implement and enforce strong access controls for all employees and contractors that access gov networks and applications
Eliminate Information Security Roadblocks
Agencies should make every effort to streamline processes and prioritize security. While the process of deploying security tools can be cumbersome, the recommendation is to ensure that they’re not tied up by any bureaucratic hurdles that allow them to secure their IT networks.
Although this recommendation refers primarily to red tape, the US-CERT also reported that it wasn’t uncommon for existing security policies to be circumvented to execute business functions. Another important aspect of eliminating a security roadblock involves ensuring your solutions are easy to use by your users - thus, ensuring they will actually use it and not try to bypass it.
Modernize Existing Legacy Federal IT Assets
While federal agencies (and many organizations) spend the majority of their annual IT budget ($89 billion) on maintaining and operating legacy IT systems, the recommendation is to move away from relying on legacy IT that can result in exposure to security vulnerabilities in old software or operating systems that are no longer supported by vendors.
Mitigating Risks With Trusted Access
At Duo, we believe in built-in security, designed for people, that can prevent a breach before it happens. That is, a holistic access security solution that is easy to use and deploy, with minimal maintenance and setup required. We do that by verifying the identity of users and the security health of their devices before they connect the applications you want them to access.
We ensure Trusted Users with our frictionless two-factor authentication solution and Trusted Devices with our features that provide insight into out-of-date devices - these pair together with custom user and device policies and controls to ensure protection for Every Application.
Learn more in What is Trusted Access?