OPM breach clearly illustrates need for better identity and access management
U.S. government employees got some very bad news in early June when it was announced that the Office of Personnel Management (OPM) had fallen victim to a security breach.
This latest high-profile cyberattack targeted the agency that essentially acts as the human resources department for the entire federal government – a role that unfortunately makes it privy to the personal information of every current and retired federal employee, as well as of individuals who apply for security clearances. In all, the personal information – including the social security numbers – of as many as fourteen million people is thought to have been compromised.
Although only discovered and announced recently, the intrusion most likely began as much as a year earlier and went undetected for months. According to the Wall Street Journal, it was discovered when a cybersecurity vendor demonstrating its product on OPM networks found malware that had been present for about a year.
Unfortunately, OPM hasn’t come right out and said what – specifically – was responsible for the breach or how the perpetrators went about getting access to the network. However, in a recent radio broadcast on National Public Radio, reporter Aarti Shahani claimed that the breaches could be similar to those that hit health insurers Anthem and Premera. During the broadcast, Shahani reported:
“…according to iSIGHT Partners and ThreatConnect, two firms that focus on studying organized hacker groups, this latest breach is directly connected to the high-profile attacks against health insurers…hackers build something called a command and control server to direct their malicious software, malware, to hit targets. iSIGHT examined the servers used against Anthem health care, Premera Blue Cross and OPM and found similarities so extensive that the security firm concludes the same hacker group is behind all three mega breaches.”
As we discussed in previous posts, the Anthem breach is widely believed to have begun with compromised authentication credentials, and the Premera breach likely began with the same group tricking employees into downloading malware built to steal credentials. If one group was responsible for all three intrusions, and the Anthem and Premera attacks were carried out in similar fashion, it is reasonable to suspect that the OPM attack relied on similar tactics.
But there is also other evidence that this could have been an identity and access management issue.
A November 2014 OPM Inspector General report on the agency's cybersecurity posture found that multifactor authentication using Personal Identity Verification (PIV) cards was not required to access OPM systems. According to the report, “As of the end of FY 2014, over 95 percent of OPM workstations require PIV authentication to access the OPM network. However, none of the agency’s 47 major applications require PIV authentication.”
In all three cases – Anthem, Premera and OPM – strong, out-of-band multifactor authentication could have been instrumental in thwarting the breach. Multifactor authentication adds layers of identity verification beyond a simple username and password: depending on the solution, a user can also be verified by something they are (biometrics, the “inherence” factor) or by where they are (location). Add an explicit confirmation of intent, delivered over a completely out-of-band channel, and the probability of a successful account takeover drops sharply.
Out-of-band authentication is especially important. Even with PIV cards, malware on the workstation can log keystrokes (including the card’s PIN), sit in the middle of the session, or otherwise capture authentication material, because the device doing the authentication is the same device the user is proving their identity on. Out-of-band solutions address this by requiring a second, trusted device on which the user verifies their identity and confirms intent; even if the primary device is compromised, what the malware can capture is not enough to complete the login. Two conditions matter in practice: the approval given on the second device must be bound to the specific login attempt (which account, from where, and when), so that a captured approval cannot be replayed or transplanted onto an attacker’s session, and the prompt must show the user enough detail to decline an attempt they did not initiate.
In addition to being out of band, the solution OPM and other organizations choose should be easy to use, so that adoption stays high and users are not tempted to work around it.
You may be thinking, “This is great in hindsight, but the damage is already done, what benefit would out-of-band multifactor authentication solutions have now that fourteen million users have had their information compromised?” And that’s a fair question. But I would argue that it’s more important now than ever before.
Personnel records contain social security numbers, phone numbers, email addresses and other personal details that system administrators and end users often reuse as usernames, as building blocks for passwords, and as answers to account-recovery questions.
Between the Anthem, Premera and OPM breaches, these actors now hold a large amount of personal information on a huge number of American citizens and government employees. That information can seed password-guessing and brute-force attacks against any other online system or account these individuals can reach. Plainly, these attacks hand cyber thieves the tools and information they need to conduct further attacks.
If out-of-band multifactor authentication were protecting those other accounts, there would be much less reason to worry. A password obtained by brute force, guessing or other means would be largely useless on its own, since it would not satisfy the additional factor required to verify the user’s identity.
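The two claims above – that a second trusted device keeps a keylogged or guessed password from completing a login, and that a stolen password therefore becomes largely useless on its own – are easiest to see in a small working model. The code below is an added example written for this post; it is not OPM’s, Anthem’s, Premera’s or any vendor’s implementation. It assumes a hypothetical `AuthServer` that verifies passwords with PBKDF2 and a hypothetical `SecondDevice` holding a per-device HMAC secret provisioned at enrollment (a real product would more likely use a public-key signature and a push channel); the user `jdoe`, the password and the IP addresses are constructed sample data. The approval computed on the second device covers every field the user is shown, including a per-attempt login id and nonce, so it cannot be forged without the device secret, replayed, or moved to a different login attempt.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 200_000        # assumption: tune to your hardware
APPROVAL_WINDOW_SECONDS = 60       # assumption: how long a pending login stays valid


def _canonical(prompt: dict) -> bytes:
    """Deterministic encoding of everything the user is shown on the second device."""
    return "|".join(f"{k}={prompt[k]}" for k in sorted(prompt)).encode()


def _approval_mac(device_key: bytes, prompt: dict) -> bytes:
    return hmac.new(device_key, _canonical(prompt) + b"|approve", hashlib.sha256).digest()


class SecondDevice:
    """The user's trusted out-of-band device (a phone, say). It holds a secret
    provisioned at enrollment, never sees the password, and the primary device
    never sees this secret."""

    def __init__(self, device_key: bytes):
        self._key = device_key

    def approve(self, prompt: dict) -> bytes:
        # In a real app the user reads prompt["user"] and prompt["client_ip"]
        # and taps approve; the MAC covers every field shown.
        return _approval_mac(self._key, prompt)


class AuthServer:
    def __init__(self):
        self._users = {}     # username -> (salt, password hash, device key)
        self._pending = {}   # login_id -> prompt awaiting out-of-band approval

    def enroll(self, username: str, password: str, device_key: bytes) -> None:
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._users[username] = (salt, pw_hash, device_key)

    def begin_login(self, username: str, password: str, client_ip: str, now=None) -> dict:
        """Step 1, from the primary (possibly keylogged) device. A correct
        password yields a pending login, never a session."""
        record = self._users.get(username)
        if record is None:
            return {"status": "denied"}
        salt, pw_hash, _ = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        if not hmac.compare_digest(candidate, pw_hash):
            return {"status": "denied"}       # wrong password: no push is sent
        prompt = {
            "login_id": secrets.token_hex(16),
            "user": username,
            "client_ip": client_ip,           # shown to the user so a stranger's attempt stands out
            "issued_at": int(now if now is not None else time.time()),
            "nonce": secrets.token_hex(16),
        }
        self._pending[prompt["login_id"]] = prompt
        return {"status": "pending", "prompt": prompt}

    def complete_login(self, login_id: str, approval_mac: bytes, now=None) -> dict:
        """Step 2, from the second device. Any failure cancels the pending
        login, so an approval can be used at most once."""
        prompt = self._pending.pop(login_id, None)
        if prompt is None:
            return {"status": "denied", "reason": "unknown or already used login"}
        now = now if now is not None else time.time()
        if now - prompt["issued_at"] > APPROVAL_WINDOW_SECONDS:
            return {"status": "denied", "reason": "approval window expired"}
        device_key = self._users[prompt["user"]][2]
        if not hmac.compare_digest(_approval_mac(device_key, prompt), approval_mac):
            return {"status": "denied", "reason": "approval does not match this login"}
        return {"status": "ok", "session": secrets.token_hex(16)}


def run_scenarios() -> dict:
    """Happy path plus the attacks the post describes; returns each outcome."""
    server = AuthServer()
    phone_key = secrets.token_bytes(32)
    phone = SecondDevice(phone_key)
    server.enroll("jdoe", "Correct-Horse-7", phone_key)   # constructed sample user
    out = {}

    # Legitimate login from the workstation, approved on the phone.
    legit = server.begin_login("jdoe", "Correct-Horse-7", "10.1.2.3")
    legit_approval = phone.approve(legit["prompt"])
    out["legit"] = server.complete_login(legit["prompt"]["login_id"], legit_approval)["status"]

    # A keylogged or PII-guessed password alone yields a pending prompt, not a session.
    stolen = server.begin_login("jdoe", "Correct-Horse-7", "203.0.113.9")
    out["password_only"] = stolen["status"]
    out["attacker_ip_shown"] = stolen["prompt"]["client_ip"]

    # The attacker cannot forge the approval without the phone's secret...
    forged = _approval_mac(b"not-the-phone-key", stolen["prompt"])
    out["forged"] = server.complete_login(stolen["prompt"]["login_id"], forged)["status"]
    # ...and a genuine approval captured earlier is bound to its own attempt.
    stolen2 = server.begin_login("jdoe", "Correct-Horse-7", "203.0.113.9")
    out["transplanted"] = server.complete_login(stolen2["prompt"]["login_id"], legit_approval)["status"]
    out["replayed"] = server.complete_login(legit["prompt"]["login_id"], legit_approval)["status"]

    # A wrong password never reaches the out-of-band step.
    out["wrong_password"] = server.begin_login("jdoe", "password1", "203.0.113.9")["status"]

    # A prompt the user ignores expires rather than waiting to be approved later.
    stale = server.begin_login("jdoe", "Correct-Horse-7", "10.1.2.3", now=1_000)
    out["expired"] = server.complete_login(stale["prompt"]["login_id"],
                                           phone.approve(stale["prompt"]), now=2_000)["status"]
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:18} {result}")
```

Running the script prints one line per scenario: only the legitimate, phone-approved login yields `ok`; the stolen password stops at `pending`, and the forged, transplanted, replayed and expired approvals are all `denied`. Note what the model does not do: if the user habitually approves the prompt for the attempt from `203.0.113.9`, the attacker is in, which is why the prompt carries the origin and why the binding of the approval to one attempt matters.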
The OPM breach is yet another high profile attack that illustrates the need for better identity and access management across all networks – both private and public sector. By moving to multifactor authentication that is both strong and out-of-band, we can not only help prevent attacks like these, but keep them from snowballing into more breaches in the future.