If feds can’t keep data safe, who can?


By Byron Acohido, ThirdCertainty

The U.S. Office of Personnel Management late Thursday disclosed that hackers compromised what one would expect to be among the world’s most secure databases to steal sensitive information relating to some 4 million current and former employees.

Without divulging specifics, authorities are pointing the finger at China, according to media reports. The FBI has launched an official probe.

Malicious activity was detected in April, and the Department of Homeland Security affirmed last month that OPM’s data, which is stored in a shared facility at the Department of Interior’s data center, was compromised.

Another day, another breach

Two big takeaways jump out of this latest high-visibility data breach disclosure.

First, the scale and scope of breaches have risen to a pitch where disclosing 4 million victims seems almost routine. In the granddaddy (thus far) of data breaches, Target reported losing financial transaction records for 110 million customers in 2014, followed by Home Depot, which saw data from 56 million credit and debit cards exposed. This year, health insurance companies appear to be under heavy assault, with Anthem losing records for 80 million employees, customers and partners, and Premera Blue Cross losing records for 11 million people.


Still, these latest victims aren’t 4 million garden-variety consumers. They’re federal employees, including some with high security clearances. If the attack was motivated by nation-state cyber warfare imperatives, the collateral damage could be profound and lasting.

“This will call into question every government employee, since this information can be used by nation states and terrorists to identify and target those employees in order to gain access to sensitive environments and data,” observes Eric Chiu, co-founder and president of cloud-security vendor HyTrust.

Kevin Epstein, vice president of advanced security and governance at Proofpoint, adds that simply having a current roster and knowing the chain of command in a federal agency is of high value to social-engineering specialists.

“It provides attackers with additional leverage to further penetrate targeted organizations,” Epstein says. “Phishing that comes from authorized managers and contains private details to legitimize the communication is far more likely to succeed in tricking the recipient into enabling malware or revealing proprietary information.”

Whoever stole the data is now in a great position to conduct cross-agency attacks, says Mark Bower, product management global director at HP Security Voltage.

“It’s likely this attack is less about money and more about gaining deeper access to other systems and agencies, which might even be defense or military data, future economic-strategy data, foreign political strategy, and sensitive assets of interest at a nation-state level,” Bower says.

If feds can’t keep data safe, who can?

The second big takeaway is that if Uncle Sam’s human resource honchos can’t keep data thieves at bay, what chance do tens of thousands of small and midsize companies have to defend the small, but valuable, caches of data they each possess?

Along with the financial-services sector, big federal agencies have been in the vanguard of testing and buying the latest security technologies. Yet, in hack after major hack, the same lessons manifest. Technology alone isn’t the answer. A security mindset must permeate an organization from top to bottom. And that approach remains the exception, not the rule, in both the private and public sectors.


Small and midsize businesses are under intense attack. Cyber criminals can run automated attacks carried out by tens of thousands of infected computers assembled in powerful botnet armies.

Since the intrusion, OPM has beefed up its network security. But the hackers will likely adjust. OPM had previously been the victim of a cyberattack, as have various federal government computer systems at the State Department, the U.S. Postal Service and the White House.

Meanwhile, OPM will offer credit-monitoring and identity-theft services to the 4 million people affected.

“This breach should give all citizens massive concern,” says Richard Blech, CEO of encryption technology vendor Secure Channels. “The speed and velocity with which stolen data proliferates through the hacker black market means this data likely has already been exploited. New detecting and alerting tools mean nothing if the data is still stolen. The goal should be to leave data useless to the hacker when stolen.”
