7 cybersecurity questions to expect after the OPM breach
- By David W. Archer
- Jul 30, 2015
The OPM data breach has resulted in considerable “armchair quarterbacking” from government and industry, and already prompted the resignation of OPM Director Katherine Archuleta.
While identifying parties, policies and practices responsible for cybersecurity breaches is an understandable part of the post-mortem process, it is more important to learn from recent events and encourage dialog that may result in sound choices in the future for information assurance in major computer systems.
The depth and breadth of the OPM breach was a punch to the gut that should fuel a round of introspection and questioning, even for agencies with sophisticated cybersecurity programs in place. And to ensure your organization is not next in the limelight for all the wrong reasons, the answers to these questions must be the right ones.
The short list of questions below may help in quickly assessing the security stance of an organization chartered to protect sensitive information. Along with each question is an example answer that would give confidence that a sound security stance is an active priority.
Question #1: What proportion of the systems in your network currently operates with a valid Federal Information Security Management Act authorization? Within the next month, what proportion of those authorizations will expire? The answer to the first question should be 100 percent. For the second, a confident, believable answer is more important than the specific answer provided.
Question #2: Do you have a detailed inventory of all hardware and software in your networks? If so, how often is every system and application in that inventory scanned for the most recent National Vulnerability Database (NVD) vulnerabilities? The answer should be an outright “yes” for the first question. For the second, every few days is reasonable, but every few months is not.
Question #3: Do the security policies you employ assume that adversaries are persistently present in your network? If so, what assets can such an adversary access, and what privilege levels can they attain? An outright “yes” is the right answer for the first question. For the second, a good answer is that such an adversary has no access to sensitive data at rest without additional authentication on a per-dataset basis and has no access to sensitive data in transit without additional per application authentication.
Question #4: How do you score and prioritize vulnerabilities in your network for remediation? What proportion of NVD entries with scores of high or critical by your scoring are your systems vulnerable to today? For the first question, a good practice is the use of the Common Vulnerability Scoring System available through the National Vulnerability Database. This system provides base scores that can then be personalized by taking into account environmental and time-sensitive factors specific to an organization. For the second question, “none” is a good answer, but what's really needed is a confident, quantitative answer that can be verified with supporting data.
Question #5: Do you employ continuous red-team attacks against your own systems as part of your security stance? If so, what proportion of your continuous red-team attacks succeed in accessing sensitive data or systems in your network? What proportion of those successful attacks has been prevented from recurrence by remediating vulnerabilities? “Yes” is the right answer to the first question. For the second, a small percentage is reasonable, but again, knowing the answer is even more important. And for the third, all such successful attacks should cause the organization to remediate the discovered vulnerability.
Question #6: Do you consistently use multifactor authentication technology for all users to authenticate accesses inside your network? If so, is at least one factor time-dependent or challenge-response based? Is at least one factor based on a physical device which, if absent, would be immediately noticed by its owner? Answer a demonstrable “yes” to all three.
Question #7: Is high-grade (AES 256-bit equivalent or better) encryption used consistently to protect sensitive data while stored on your systems? Is high-grade encryption used consistently to protect that data when in transit over your networks? If not, what is your plan, required level of investment and schedule for implementation to use such encryption? “Yes” is the best answer for the first two questions. If it’s not, then the third answer should be specific and believable.
The frequency and sophistication of cyber attacks will continue to grow for both government and industry. Agencies that wait for regulations and mandates to take aggressive action are putting their reputations and the data they protect at risk. Once the above seven key questions have been answered, agencies must turn their attention to taking action. As the first step toward a positive security stance, make a proactive assessment of what can be done to get the following practices into use:
Encrypt all sensitive or personally identifiable data in databases and files, using symmetric 256-bit cipher strength or equivalent, such as AES-256. Encrypt all data transmission using similarly strong encryption using methods such as those offered by the transport layer security suite.
Require multi-factor authentication for access even from inside the organization’s network. At least one factor should be time-variant or based on dynamic challenge-response, and at least one should include a physical item (such as a phone or an RSA-type fob) that would be immediately evident if misplaced by the owner.
Partition networks using technologies such as virtual private networks to isolate distinct business functions and data, requiring distinct credentials for each such network.
Keep a current inventory of what hardware and software is on each network and have positive control over configurations of these assets.
Use the latest threat intelligence continuously and proactively to scan for and identify existing vulnerabilities. Then prioritize those vulnerabilites and patch them.
Continuously operate a “red team” to perform penetration and other testing aimed at detecting unknown vulnerabilities in application software, middleware and back-end applications.
Use quantitative metrics to augment checklist-based compliance to security requirements, using metrics that measure unpatched vulnerabilities, red-team penetration success, anomalies in inventories and changes in network traffic.
Data breaches, whether small or large, do not indicate an organization lacks a priority on cybersecurity. OPM, for example, has been in the process of aggressively improving its cybersecurity posture since 2013. As recently as May, the agency launched a comprehensive review of its cybersecurity systems, releasing a report outlining 15 steps to improve its security.
That said, a strong cybersecurity stance requires difficult tradeoffs in resource allocation – tradeoffs that can contribute to massive data breaches and may be out of balance when considered in the context of current and expected future cyber threats. Asking the right questions and having the right answers will be useful to organizational leaders as they engage in dialog about balance in their security stance, so that incidents such as the OPM data breach and others that occur more frequently each year can be avoided.
David W. Archer is principal scientist, cryptography & multiparty computation, at Galois.