July 22, 2015 | Written by: John W. Lainhart
Cybersecurity is one of the most important issues facing Government today and with the OPM data breach still fresh, governments officials at all levels are searching for best practice solutions to better secure their systems. Friday, July 10, I participated as a member of the Cyber Industry Expert Panel at the 2015 Annual NACo Tech Summit; where I and other experts in the cyber industry took part in discussions around how to thwart the emerging cybersecurity threat. Some key topics discussed during the panel discussion included the OPM data breach, the 30-day White House Cybersecurity Sprint and how to best protect systems and data. However, the OPM data breach was prominent in our discussions, as it was continuing to be emphasized in press headlines and on everyone’s minds.
The OPM data breach has been a hot topic since it was first disclosed and I believe it will remain as a high-ticket item for quite some time until major improvements in cybersecurity are made. Although we don’t have all of the answers yet, so far the OPM breach has taught us several valuable lessons on how to better protect our data. From the coverage surrounding the OPM breach, it appears there weren’t good controls in place around privileged users and the data was not encrypted. When I was a Federal auditor, one of the first issues I addressed on each audit was assessing the number of privileged users and the encryption of the data. By definition, privileged means “having special rights, advantages, or immunities,” so having more than a handful of privileged users with access to very sensitive data bases, including the security tables, audit logs, system files, infrastructures, information and more, can be devastating to organizations – just look at the Edward Snowden incident. In one particular audit case, I found an organization had over 100 privileged users and after they took immediate action, the number was reduced down to 3; essentially reducing the risk of a breach from 100 to 3. The key takeaway from this is to place adequate controls around privileged users and have supervisors closely monitor their actions. Also, keep all sensitive data encrypted – both data in transit and data at rest – to make this data unreadable, should it be intentionally or accidentally disclosed.
Another issue disclosed about OPM was it was not adequately managing its IT assets and performing timely software patches, which is a cause for huge concern. OPM stated that the systems from which the data was breached were 30 years old, which is probably why no one had bothered to encrypt the data. While I imagine the argument for not encrypting the data was a reluctance to spend money on these aged systems, with opting to instead replace the old systems with more modern systems. This kind of thinking leads to a significant increase of vulnerabilities as the older systems are left as is, (without proper software patches and unencrypted sensitive information), but still remaining wide open for hackers. Application control reviews have not been mentioned for OPM, but I found them very useful and quite necessary as an auditor – for identifying security flaws, interface errors, and erroneous payments – and in most cases, correcting the flaws in the systems were actually paid for with the savings in erroneous payments.
CIOs are often quick to conclude that replacing the systems will be more cost-effective than maintaining the old systems, however, in my experiences the opposite is often true. In one case, we reviewed a legacy on-line ordering system that received and stored credit card data for payments. The organization had kept saying every year that it would modernize the system so instead of encrypting the data, they paid the credit card industry fines for not having the credit card data encrypted. We identified this as a major risk to their reputation if this were ever know by their customers, not to mention their competitors, why would anyone use a system such as this one when their competitors had more secure systems? The CIO was concerned with the cost to encrypt the data but was very surprised at how low the cost actually was to encrypt the data even in this old system. The takeaway from this scenario, is that the cost of ignoring cybersecurity and privacy will be much greater than maintaining proper security controls as we have seen time and time again, not only with the OPM breach. And it should be remembered that OMB started mandating the use of encryption to protect sensitive data starting in June 2006, after the VA data breach.
In addition, OPM has recently promised to expedite the implementation of multi-factor authentication for access to its systems. This is a critical security control and it should be remembered that OMB began mandating such use starting in August 2004 and this could have kept people off the federal systems and prevented them from accessing anything in these systems.
Although we still have a long way to go to discover everything the OPM breach means moving forward with cybersecurity, the lessons learned may be of more value than many realize. So far, the key takeaways organizations should heed are to place adequate controls around privileged users; keep all sensitive data encrypted; manage your assets and keep up to date with software patches and security updates; use multi-factor authentication; perform application controls reviews; and as more details of the breach arise, more lessons will emerge. However simple and straightforward these lessons may be, unfortunately we continue to see more and more organizations fall victim to hacks at every level for failing to follow what seem to be the most basic security controls. My hope is that by bringing awareness to these common cybersecurity issues, we will begin to see more proactive approaches emerge to managing the security and privacy of our data and less about organizations trying to recover from a major breach.
To watch the full Cyber Industry panel presentation from the NACo Tech Summit click here: http://www.naco.org/resources/2015-annual-tech-summit-cyber-industry-expert-panel-%E2%80%93-emerging-threat-landscape