7 cybersecurity questions to expect after the OPM breach

To ensure your organization is not next in the limelight for all the wrong reasons, the answers to these questions better be the right ones.

The OPM data breach has resulted in considerable “armchair quarterbacking” from government and industry, and has already prompted the resignation of OPM Director Katherine Archuleta.

While identifying the parties, policies and practices responsible for a breach is an understandable part of the post-mortem, it is more important to learn from recent events and to encourage a dialogue that leads to sound future choices about information assurance in major computer systems.

The depth and breadth of the OPM breach were a punch to the gut that should fuel a round of introspection and questioning, even at agencies with sophisticated cybersecurity programs in place. To ensure your organization is not next in the limelight for all the wrong reasons, the answers to these questions must be the right ones.

The short list of questions below may help in quickly assessing the security stance of an organization chartered to protect sensitive information. Along with each question is an example answer that would give confidence that a sound security stance is an active priority.

Question #1: What proportion of the systems in your network currently operates under a valid authorization granted under the Federal Information Security Management Act (FISMA)? Within the next month, what proportion of those authorizations will expire? The answer to the first question should be 100 percent. For the second, a confident, believable answer matters more than the specific number.

Question #2: Do you have a detailed inventory of all hardware and software in your networks? If so, how often is every system and application in that inventory scanned against the latest entries in the National Vulnerability Database (NVD)? The answer to the first question should be an outright “yes.” For the second, every few days is reasonable; every few months is not. A scan can only find vulnerabilities in assets the inventory knows about, which is why the inventory question comes first.

Question #3: Do your security policies assume that adversaries are already persistently present in your network? If so, what assets can such an adversary reach, and what privilege levels can they attain? An outright “yes” is the right answer to the first question. For the second, a good answer is that such an adversary gets no access to sensitive data at rest without additional authentication on a per-dataset basis, and no access to sensitive data in transit without additional per-application authentication.

Question #4: How do you score and prioritize the vulnerabilities in your network for remediation? What proportion of the NVD entries your scoring rates high or critical are your systems vulnerable to today? For the first question, a good practice is the Common Vulnerability Scoring System (CVSS), maintained by FIRST, whose base scores the NVD publishes for each entry. Base scores can then be personalized with the temporal metrics (whether an exploit is public, whether a fix exists) and the environmental metrics (the value and exposure of the affected asset) specific to an organization. For the second question, “none” is a good answer, but what is really needed is a confident, quantitative answer that can be verified with supporting data.
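Working through the CVSS arithmetic makes the question concrete. The Go program below is an added example, not code from the article or from OPM: it computes CVSS v3.1 base and temporal scores from an NVD-style vector string, orders a constructed set of scan findings into a remediation queue, and produces the Question #4 metric (how many high or critical findings are still open). It also serves Question #2 and the scan, prioritize and patch practice listed later in the article. The `Finding` type, the asset names, the `EXAMPLE-XSS` entry and the temporal metrics attached to the two real CVEs are assumptions made for the example; only the two base vectors come from the NVD.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// CVSS v3.1 metric weights as published by FIRST ("PRC" is PR when scope changes).
var weights = map[string]map[string]float64{
	"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}, "AC": {"L": 0.77, "H": 0.44}, "UI": {"N": 0.85, "R": 0.62},
	"PR": {"N": 0.85, "L": 0.62, "H": 0.27}, "PRC": {"N": 0.85, "L": 0.68, "H": 0.50},
	"C": {"H": 0.56, "L": 0.22, "N": 0}, "I": {"H": 0.56, "L": 0.22, "N": 0}, "A": {"H": 0.56, "L": 0.22, "N": 0},
	// Temporal metrics (the "time-sensitive factors"); X means not defined and weighs 1.0.
	"E": {"X": 1, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1}, "RL": {"X": 1, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1},
	"RC": {"X": 1, "U": 0.92, "R": 0.96, "C": 1},
}

// roundUp is the CVSS v3.1 Roundup(): ceiling to one decimal, in integer arithmetic to avoid float noise.
func roundUp(x float64) float64 {
	i := int64(math.Round(x * 100000))
	if i%10000 != 0 {
		i = (i/10000 + 1) * 10000
	}
	return float64(i) / 100000
}

// Scores computes the CVSS v3.1 base and temporal scores from a vector string. The base
// metrics are assumed well-formed; temporal metrics may be omitted (they default to X).
func Scores(vector string) (base, temporal float64) {
	m := map[string]string{"E": "X", "RL": "X", "RC": "X"}
	for _, part := range strings.Split(vector, "/") {
		if kv := strings.SplitN(part, ":", 2); len(kv) == 2 && kv[0] != "CVSS" {
			m[kv[0]] = kv[1]
		}
	}
	w := func(table, key string) float64 { return weights[table][m[key]] }
	iss := 1 - (1-w("C", "C"))*(1-w("I", "I"))*(1-w("A", "A"))
	impact, prTable, scale := 6.42*iss, "PR", 1.0
	if m["S"] == "C" { // scope changed: other impact curve, other PR weights, 1.08 factor
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
		prTable, scale = "PRC", 1.08
	}
	if impact <= 0 {
		return 0, 0
	}
	expl := 8.22 * w("AV", "AV") * w("AC", "AC") * w(prTable, "PR") * w("UI", "UI")
	base = roundUp(math.Min(scale*(impact+expl), 10))
	return base, roundUp(base * w("E", "E") * w("RL", "RL") * w("RC", "RC"))
}

// Finding is one (asset, CVE) pair produced by scanning the hardware/software inventory.
type Finding struct {
	CVE, Asset, Vector string
	Patched            bool
}

// Prioritize sorts findings in place into a remediation queue: unpatched first, then highest temporal score.
func Prioritize(fs []Finding) []Finding {
	sort.SliceStable(fs, func(i, j int) bool {
		_, ti := Scores(fs[i].Vector)
		_, tj := Scores(fs[j].Vector)
		return (!fs[i].Patched && fs[j].Patched) || (fs[i].Patched == fs[j].Patched && ti > tj)
	})
	return fs
}

// OpenHighCritical answers Question #4: of the findings rated High (7.0-8.9) or Critical (9.0-10.0)
// by base score, how many are still unpatched today.
func OpenHighCritical(fs []Finding) (open, total int) {
	for _, f := range fs {
		if base, _ := Scores(f.Vector); base >= 7.0 {
			total++
			if !f.Patched {
				open++
			}
		}
	}
	return open, total
}

// SampleFindings is constructed scan output: two real CVEs with their NVD v3.1 base vectors
// (temporal metrics added for the example) and one hypothetical intranet finding.
func SampleFindings() []Finding {
	return []Finding{
		{"CVE-2014-0160", "vpn-gw", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C", true},
		{"EXAMPLE-XSS", "hr-portal", "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:T/RC:R", false},
		{"CVE-2014-6271", "web-01", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", false},
	}
}

func main() {
	fs := SampleFindings()
	for _, f := range Prioritize(fs) {
		base, temporal := Scores(f.Vector)
		fmt.Printf("base %4.1f temporal %4.1f  %-13s on %-9s patched=%v\n", base, temporal, f.CVE, f.Asset, f.Patched)
	}
	open, total := OpenHighCritical(fs)
	fmt.Printf("high/critical findings still open: %d of %d\n", open, total)
}
```

Run it with `go run`. The queue puts the unpatched Shellshock finding on web-01 first (base 9.8, temporal 9.4), the intranet finding next, and the already-patched Heartbleed finding last, and the metric reports one of two high/critical findings still open. CVSS environmental metrics, which would fold in the sensitivity and exposure of each asset, are deliberately left out; a real scorer should apply them from the asset tags in the inventory.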

Question #5: Do you continuously run red-team attacks against your own systems as part of your security stance? If so, what proportion of those attacks succeed in reaching sensitive data or systems in your network? And what proportion of those successful attacks have been prevented from recurring by remediating the vulnerabilities they used? “Yes” is the right answer to the first question. For the second, a small percentage is reasonable, but again, knowing the answer is even more important. For the third, every successful attack should cause the organization to remediate the vulnerability it revealed.

Question #6: Do you consistently require multifactor authentication for all users, including for access that originates inside your network? If so, is at least one factor time-dependent or challenge-response based? Is at least one factor a physical device whose absence its owner would notice immediately? Answer a demonstrable “yes” to all three.
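One way to implement the time-dependent factor this question asks about, as an added example in Go that is not the article's own code: RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1, plus a verifier that tolerates one step of clock skew, compares in constant time and refuses to accept a time step that has already been used, which is the replay case a time-based factor has to handle. The window size, the 8-digit output and the `lastAccepted` bookkeeping are choices made for this example; the shared secret is the RFC 6238 reference key and is constructed, not a real credential. The same code illustrates the "time-variant" practice listed later in the article.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	StepSeconds = 30 // RFC 6238 default time step
	Digits      = 8  // the RFC 6238 reference vectors use 8 digits; many deployments use 6
)

// HOTP is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^Digits.
func HOTP(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < Digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", Digits, code%mod)
}

// TOTP is RFC 6238: HOTP with the counter set to the current time step.
func TOTP(secret []byte, unixTime int64) string {
	return HOTP(secret, uint64(unixTime/StepSeconds))
}

// Verify checks a submitted code against the current step and its +/-window neighbours
// (clock skew), comparing in constant time. It rejects any step at or before lastAccepted,
// the step of the last code this user used successfully, so a code that was phished or
// shoulder-surfed cannot be replayed inside the validity window. It returns whether the
// code is accepted and the step to store as the new lastAccepted.
func Verify(secret []byte, submitted string, now int64, window int, lastAccepted int64) (bool, int64) {
	current, matched := now/StepSeconds, int64(-1)
	for d := -int64(window); d <= int64(window); d++ {
		step := current + d
		// ConstantTimeCompare returns 0 on a length mismatch. Every candidate is checked,
		// so the loop's timing does not reveal which step matched.
		if subtle.ConstantTimeCompare([]byte(HOTP(secret, uint64(step))), []byte(submitted)) == 1 && matched < 0 {
			matched = step
		}
	}
	if matched < 0 || matched <= lastAccepted {
		return false, lastAccepted
	}
	return true, matched
}

func main() {
	// Constructed shared secret: the RFC 6238 reference key, ASCII "12345678901234567890".
	secret := []byte("12345678901234567890")
	fmt.Println("RFC 6238 reference code at T=59:", TOTP(secret, 59))
	now := time.Now().Unix()
	code := TOTP(secret, now)
	ok, last := Verify(secret, code, now, 1, 0)
	fmt.Printf("fresh code %s accepted=%v, record step %d\n", code, ok, last)
	ok, _ = Verify(secret, code, now+5, 1, last) // the same code again: a replay inside the window
	fmt.Printf("replayed code accepted=%v\n", ok)
}
```

A TOTP code satisfies the "time-dependent" half of the question. The "physical device" half depends on where the secret lives: in a hardware token or a phone's secure element it is a possession factor, whereas a secret sitting in a file on the workstation is just a second password an adversary already on that machine can read.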

Question #7: Is high-grade encryption (AES-256 or equivalent or better) used consistently to protect sensitive data while it is stored on your systems? Is high-grade encryption used consistently to protect that data in transit over your networks? If not, what are your plan, required level of investment and schedule for putting such encryption in place? “Yes” is the best answer to the first two questions. If it is not, then the third answer should be specific and believable.
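What "AES-256 at rest" should mean in practice, as an added example in Go that is not the article's own code: AES-256 in GCM mode, which authenticates as well as encrypts, so a tampered or mis-filed ciphertext is rejected instead of silently decrypting to garbage; a fresh random nonce for every value; and a record identifier bound in as associated data. A minimal TLS configuration for the data-in-transit half of the question is included. The key source, the `employee:1001:ssn` context label and the sample value are assumptions made for the example; in production the key comes from a KMS or HSM. The same code illustrates the encryption practice listed later in the article.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

const nonceSize = 12 // standard GCM nonce length

// NewKey returns a fresh random 256-bit key. In production the key comes from a KMS
// or HSM and is never stored beside the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM. context (for example the record's primary
// key and column name) is authenticated but not encrypted, so a ciphertext copied into
// a different row fails to decrypt. Output layout: nonce || ciphertext || 16-byte tag.
func Seal(key, context, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { // a nonce must never repeat under one key
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, context), nil
}

// Open decrypts a value produced by Seal and fails closed on any change to the nonce,
// ciphertext, tag or context.
func Open(key, context, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < nonceSize+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:nonceSize], sealed[nonceSize:], context)
}

// TransitConfig is a TLS configuration for data in transit: TLS 1.2 or newer, and for
// TLS 1.2 only AES-256-GCM suites with forward secrecy (Go fixes the TLS 1.3 suites itself).
func TransitConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
	}
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record: a field of the kind the article wants encrypted at rest.
	context, ssn := []byte("employee:1001:ssn"), []byte("123-45-6789")
	sealed, _ := Seal(key, context, ssn)
	fmt.Printf("stored: %x\n", sealed)
	plain, _ := Open(key, context, sealed)
	fmt.Printf("decrypted for the right record: %s\n", plain)
	sealed[len(sealed)-1] ^= 1 // flip one bit of the authentication tag
	_, err = Open(key, context, sealed)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

The tamper check in `main` flips one bit of the tag and shows `Open` failing closed. Encryption at rest only helps against an adversary who obtains the data without the key; the article's third question, an adversary already inside the network, is why key management and per-dataset authentication matter as much as the cipher strength.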

The frequency and sophistication of cyber attacks will continue to grow for both government and industry. Agencies that wait for regulations and mandates before taking aggressive action are putting their reputations and the data they protect at risk. Once the seven questions above have been answered, agencies must turn their attention to taking action. As a first step toward a positive security stance, make a proactive assessment of what it would take to get the following practices into use:

Encrypt all sensitive or personally identifiable data in databases and files with a 256-bit symmetric cipher or equivalent, such as AES-256, in an authenticated mode, and keep the keys under separate control from the data they protect. Encrypt all data in transit with similarly strong encryption, using methods such as those offered by Transport Layer Security (TLS).

Require multifactor authentication for access even from inside the organization’s network. At least one factor should be time-variant or based on a dynamic challenge-response, and at least one should be a physical item (such as a phone or an RSA-type fob) whose loss the owner would notice immediately.

Partition networks, using technologies such as virtual private networks, to isolate distinct business functions and data, and require distinct credentials for each such network.

Keep a current inventory of the hardware and software on each network, and maintain positive control over the configurations of those assets.

Use the latest threat intelligence continuously and proactively to scan for and identify existing vulnerabilities. Then prioritize those vulnerabilities and patch them.

Continuously operate a “red team” to perform penetration and other testing aimed at finding unknown vulnerabilities in application software, middleware and back-end systems.

Use quantitative metrics to augment checklist-based compliance with security requirements: metrics that measure unpatched vulnerabilities, red-team penetration success, anomalies in inventories and changes in network traffic.

Data breaches, whether small or large, do not by themselves indicate that an organization fails to prioritize cybersecurity. OPM, for example, has been aggressively improving its cybersecurity posture since 2013. As recently as May, the agency launched a comprehensive review of its cybersecurity systems and released a report outlining 15 steps to improve its security.

That said, a strong cybersecurity stance requires difficult tradeoffs in resource allocation, tradeoffs that can contribute to massive data breaches and that may be out of balance when considered against current and expected cyber threats. Asking the right questions and having the right answers will help organizational leaders as they discuss the balance of their security stance, so that incidents such as the OPM data breach, and the others that occur more frequently each year, can be avoided.
