Last week we learned about the latest crippling cyber attack to hit a large organisation - this time it was the US Office of Personnel Management, the agency responsible for managing the personnel records and security clearance details for millions of current and past US government employees.
The US government said the breach had enabled attackers to make off with approximately four million recrods, but other sources say it could actually have been as many as 14 million records, many of which are highly sensitive.
The data that was stolen includes highly sensitive background checks pertaining to CIA agents, NSA staffers and military personnel.
According to the Associated Press, "the forms authorities believed may have been stolen en masse, known as Standard Form 86, require applicants to fill out deeply personal information about mental illnesses, drug and alcohol use, arrests and bankruptcies".
Looking at the form, it doesn’t take a lot of imagination to see how useful it would be for an attacker. Each one of these forms amounts to no less than a social engineering and targeting handbook, with all the information attackers would need to plan and execute an espionage campaign.
What caught my eye amongst all of this mess was that the US government’s specialist intrusion detection system (IDS) - known as Einstein and developed by the US-CERT - which is specifically deployed in gateways to thwart this sort of data exfiltration had failed to discover the attack until it was far too late.
How could that have happened with such critical technology? Was Einstein at fault, or did it not have enough information to do its job right? Further research shows that the latter seems to be the answer.
For many years the OPM has struggled with cyber security, being the focus of repeated internal audits that discovered it was severely lacking in IT security people, processes and technology.
In fact, as recent as 2013, the OPM didn’t have a single information security professional on the payroll and the OPM Inspector General’s office reported its security practices as being a “material weakness”.
In April 2015, the US-CERT used Einstein to uncover a potential breach of personally identifiable information (PII), to which it sent a team of investigators to see who and what had been affected. It was then it discovered that the OPM had been hit.
Considering this an historic incident, it updated the Einstein IDS with new signatures that detected the kind of attack the US-CERT had discovered, and it was only then it found the issue was ongoing. As soon as Einstein was updated to look for the historic signature, it lit up like a Christmas tree.
Nevertheless, the current version of Einstein did not stop the attack because it is simply a detection suite rather than a prevention system. The next version of Einstein should have the ability to do attack prevention, but for now it’s only as good as the information it’s given for stopping attacks that the US-CERT has seen before.
Look for the chinks in your armour
What lessons can we learn from this whole debacle?
We need to consider where the chinks in our armour are and patch them, ensuring we don’t put our heads in the sand and hope for the best. You need to also make sure you don’t just rely on technology, because your people and your processes are as equally important.
Security awareness, auditing and internal alerting, monitoring of access control, and penetration testing of your systems, are all aspects of cyber security you need to employ if you are to understand how much risk you are carrying.
Einstein is just one piece of the cyber security puzzle the US needs to solve if it is to protect its virtual city walls.
However, now its personnel records have gone walkabout, the cogs of the foreign intelligence machinery can start turning and more traditional forms of espionage may well follow with devastating consequences.
A parting thought of how hard might it be for this kind of thing to happen here in Australia? Take a deep breath and read this: “Govt vetting system failing despite $37m upgrades".