OPM Breach: Why Doing the Basics is Not Easy
By Chris Carpenter
Director of Security Operations, Secretary of Defense Communications
The recent Office of Personnel Management (OPM) breach may be the largest breach of Federal records ever.
With the resignation of OPM Director Katherine Archuleta over the compromise of the newly disclosed number of 21.5 million records, the breach has gotten the attention of Congress and the nation as a whole since it was first revealed last month. One of the key questions being asked is the one that is always asked, “How did you let this happen?"
The answers currently being provided are not very satisfying to many but it’s really not an easy question.
There has been a lot of focus on why OPM did not have better protective measures in place to prevent a breach like this from happening. The OPM response has been they don’t know if they could have prevented it.
Sadly, that’s the truth and it’s something we all need to come to grips with. Preventing breaches is very difficult. Understanding that let’s us shift focus to detection and response after a system breach.
OPM has stated that securing their legacy systems has proven difficult and costly. Upgrading a legacy system to a point where it is sufficiently breach proof is a pretty resource intensive effort. Alternatively, installing mechanisms to detect the compromise of that system will likely yield lower risk with a lower outpouring of resources.
If you ask any CISO how to prevent a network from being compromised they will have an answer. Once you get past the snarky, “Disconnect it from the Internet!” comments you will probably get something like this:
- Patch everything as soon as possible and harden all systems
- Enforce strict configuration management and software whitelisting
- Segment the network to minimize damage from any one system being compromised
- Deploy monitoring tools for complete situational awareness
That might just work. Unfortunately, I’ve never seen an organization where all of these things have been accomplished. The simple reason is, information security competes for resources with every other information technology and organizational project.
I have rarely gone to a CIO with an information security request and been told it didn’t make sense or we don’t need it. Usually, I get a lot of interest but concern for cost, management overhead and impact to customers prevents most from being immediately implemented. The politics of pet projects, personalities and resistance to more security also play into the issue. It’s very easy to throw stones at OPM but we really need to learn from this.
I imagine OPM was facing this dilemma. What to do first to improve an aging system? You can't do it all at once. Adding security to legacy systems is time consuming and expensive.
Let's not single OPM out. Many organizations are in this same position. Start with the basics and what will get you the greatest risk reduction with the resources you have. Patching the systems to fullest extent possible is a good first step. After that you can focus on monitoring solutions to detect compromise. In fact, that seems to be what OPM was in the process of doing when the breach was detected.
When we start operating from an assumption that breaches cannot always be prevented, we can put more emphasis on detection and response. This actually can save us time and money.
When a system is breached it takes time for the attackers to identify or reach the resources they are after on the network. During the time that it takes for them to learn the network and find what they are after, detection would still protect valuable information.
Even after the attackers identify the information they must ex filtrate it. This is another opportunity for detection. Early detection of compromise minimizes the amount of information lost, cost of repair and reputational damage. With that type of benefit it should be easy to get the resource for detection systems, even in budget-constrained environments. It's not though.
This is an area where we as CISO’s can do a better job of communicating the business value of basic information security services. Shifting our focus from ideal solutions to effective compromises has to be the norm. Take this lesson to heart and be sure you are prioritizing your requests based on your organizational risk tolerance and needs.