On Thursday night, U.S. officials said that the Office of Personnel Management (OPM) had suffered a breach. Data from four million current and former federal employees, across numerous government agencies, may have been stolen by Chinese hackers.
It does not take a security expert to see a pattern taking shape here. Most of the attacks allegedly from China over the past few years have gone after the personal information of US citizens, and there is no sign that this trend will diminish. It is fair to assume at this point in the game that China may have more accurate information on US citizens than the US itself.
The OPM manages security clearances for various government organisations. During that process, employees must provide extreme detail on every aspect of their life – which is in turn stored and kept in the same systems that were breached.
Organisational confidence takes a long time to build, but can be (and is) eroded much more quickly. Governmental breaches put these trusted government organisations in the same light as all the recent private company breaches (like Target, Home Depot). The big difference here is that, much like your personal medical history, the data the government holds about its victims is far more sensitive, and the victims have no choice in sharing it.
This attack once again exemplifies the need for more security resourcing in the federal government and the need for a different, more comprehensive approach to incident detection and response. The current methodologies have led to this breach – not avoided it. Attacks are being detected much too late in the attack continuum. Effective security these days means detecting these threat actors as they operate and before they exfiltrate data. You can’t win all the battles, but all of these headlines suggest that we are still on the losing side.
In particular, organisations need to categorise and isolate what they need to protect, place additional controls around that information (including encryption), and meticulously log and monitor access to that encrypted data.
For example, some past advanced attacks have targeted Windows administrative accounts. Smart organisations have realised this and created a separate, isolated setup for domain admin accounts, with additional security controls around it: dual-factor authentication, jump boxes that are the only place domain admin activity can occur, and logging and monitoring of that separate setup. This isn’t fast, easy or cheap, but organisations have been pushed into adding these controls by ongoing attacks.
In addition, organisations need to leverage telemetry, and leave hackers no place to hide. If there is a blind spot on your network, someone will be hiding there. Find them and remove them in a way that they can’t get back in. These types of incident detection and response approaches have been vastly under-funded in the past, but as these hacks increase, we will see a shift in focus.
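As an added illustration of the jump-box control and the monitoring described in the two paragraphs above (example code, not from the original post), the following runs a simple check over constructed Windows logon records and flags any domain admin logon that did not originate from a designated jump box. The account names, host names, log line format and policy sets are all assumptions made for the example.

```python
# Added example: detect domain admin activity that bypasses the jump boxes.
# Account names, host names, the flattened log format and the policy sets
# below are constructed for illustration, not taken from any real environment.
import re
from dataclasses import dataclass

# Assumed policy inputs; in practice these come from the privileged-access inventory.
DOMAIN_ADMINS = {"CORP\\da-alice", "CORP\\da-bob"}
JUMP_BOXES = {"JUMP01", "JUMP02"}
INTERACTIVE_TYPES = {"2", "10"}  # console and RDP logons: a human at a keyboard

# Constructed line format modelled loosely on a flattened Windows 4624 logon event.
LOG_RE = re.compile(
    r"EventID=(?P<event>\d+) Account=(?P<account>\S+) "
    r"LogonType=(?P<ltype>\d+) Workstation=(?P<ws>\S+) SourceIP=(?P<ip>\S+)"
)

@dataclass
class Finding:
    account: str
    workstation: str
    reason: str

def parse(line):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def check_event(ev):
    """Return a Finding when a successful domain admin logon violates the policy."""
    if ev is None or ev["event"] != "4624" or ev["account"] not in DOMAIN_ADMINS:
        return None
    if ev["ws"].upper() in JUMP_BOXES:
        return None  # expected path: admin working from a jump box
    kind = "interactive" if ev["ltype"] in INTERACTIVE_TYPES else "network"
    return Finding(ev["account"], ev["ws"], f"{kind} domain admin logon outside jump box")

def find_violations(lines):
    return [f for f in (check_event(parse(line)) for line in lines) if f]

# Constructed sample records: one compliant admin logon, one admin logon from a
# laptop, one ordinary user, one failed logon (4625) and one admin network logon.
SAMPLE_LOGS = [
    "EventID=4624 Account=CORP\\da-alice LogonType=10 Workstation=JUMP01 SourceIP=10.0.5.10",
    "EventID=4624 Account=CORP\\da-alice LogonType=2 Workstation=LAPTOP-77 SourceIP=10.0.8.23",
    "EventID=4624 Account=CORP\\jdoe LogonType=2 Workstation=LAPTOP-12 SourceIP=10.0.8.41",
    "EventID=4625 Account=CORP\\da-bob LogonType=10 Workstation=HR-FS01 SourceIP=10.0.9.9",
    "EventID=4624 Account=CORP\\da-bob LogonType=3 Workstation=HR-FS01 SourceIP=10.0.9.9",
]

if __name__ == "__main__":
    for f in find_violations(SAMPLE_LOGS):
        print(f"ALERT {f.account} from {f.workstation}: {f.reason}")
```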
Until organisations get better at doing this, we can guarantee that the Chinese will continue to have better data on US citizens than anyone in this country does, and this information superiority is what scares me the most.