CEOs and boards are responsible for the overall direction and governance of an organisation. This covers every aspect of the organisation, from the business model to the marketing plan, to brand awareness and conformity with law and regulations.
Somehow, it seems, cyber security – now an issue of critical importance to all organisations – is being overlooked.
PwC’s Global State of Information Security Survey 2015 found that 58% of boards were uninvolved in the overall security strategy, with 75% playing no part in reviewing security and privacy risks.
The below graph from PwC shows the level of involvement – or lack thereof – with security issues throughout the organisation:
Cyber security is no longer the preserve of just the IT department. Everyone in the organisation has a role to play and it is the board and its director’s responsibility to drive security throughout the organisation. Get cyber secure now
The government’s Cyber Essentials scheme has been developed to help all UK businesses create a base level of cyber security. It advocates implementing five controls that will help mitigate up to 80% of the most common cyber attacks.
IT Governance can help you achieve certification to Cyber Essentials for as little as £270 with our Do It Yourself Solution. Find out how Cyber Essentials can help you get cyber secure now.
Meer gemeenten borgen informatieveiligheid met ISMS Control Framework
Jun 11, 2015
In januari 2015 heeft de Informatiebeveiligingsdienst voor gemeenten (IBD) een uitgebreide brochure uitgegeven over de wenselijkheid van het implementeren van een Informatiebeveiliging Management Systeem (ISMS).
In navolging van gemeenten als Den Haag, Velsen, Helmond, Edam-Volendam, hebben nu ook de gemeenten Almere, Landgraaf en Waalwijk gekozen voor het implementeren van een ISMS. Om deze implementaties structureel te borgen in hun organisaties, hebben deze gemeenten gekozen voor het ISMS Control Framework van key2control.
Jeroen Blok, Concern Information Security Officer van de gemeente Almere: “Met een ISMS ben ik continu aantoonbaar in control op het proces van informatieveiligheid. Daarmee borgen we niet alleen de processen maar met name ook bewustwording en commitment bij het management en onze medewerkers.”
Arie Hartog, algemeen directeur van key2control is zeer verheugd met het besluit van de gemeenten Almere, Landgraaf en Waalwijk. “Het is nadrukkelijk ons doel om gemeenten te ondersteunen in het verhogen van de kwaliteit van hun informatiebeveiligings- en privacy processen. Het is dan ook goed om te zien dat steeds meer gemeenten besluiten een ISMS in te zetten en daarbij gebruik maken van het ISMS Control Framework van key2control.”
Voor meer informatie over het ISMS Control Framework kunt u contact met mij opnemen via LinkedIn of telefonisch: 06 - 575 99 235.
Government officials have been vague in their testimony about the data breaches—there was apparently more than one—at the Office of Personnel Management. But on Thursday, officials from OPM, the Department of Homeland Security, and the Department of the Interior revealed new information that indicates at least two separate systems were compromised by attackers within OPM's and Interior's networks. The first was the Electronic Official Personnel Folder (eOPF) system, an entity hosted for OPM at the Department of the Interior's shared service data center. The second was the central database behind EPIC, the suite of software used by OPM's Federal Investigative Service in order to collect data for government employee and contractor background investigations.
OPM has not yet revealed the full extent of the data exposed by the attack, but initial actions by the agency in response to the breaches indicate information of as many as 3.2 million federal employees (both current federal employees and retirees) was exposed. However, new estimates in light of this week's revelations have soared, estimating as many as 14 million people in and outside government will be affected by the breach—including uniformed military and intelligence personnel. It is, essentially, the biggest potential "doxing" in history. And if true, personal details from nearly everyone who works for the government in some capacity may now be in the hands of a foreign government. This fallout is the culmination of years of issues such as reliance on outdated software and contracting large swaths of security work elsewhere (including China).
The OPM breaches themselves are cause for major concerns, but there are signs that these are not isolated incidents. "We see supporting evidence that these attacks are related to the group that launched the attack on Anthem [the large health insurer breached earlier this year]," said Tom Parker, chief technology officer of the information security company FusionX. "And there was a breach at United Airlines that's potentially correlated as well." When pulled together into an analytical database, the information could essentially become a LinkedIn for spies, providing a foreign intelligence organization with a way to find individuals with the right job titles, the right connections, and traits that might make them more susceptible to recruitment or compromise.
Preliminary evidence points to a group dubbed by Crowdstrike as "Deep Panda," a Chinese cyber-espionage group. In the past, the group has used Windows PowerShell attacks to implant remote access tools (RATs) on Windows desktops and servers. It is this malware that investigators are believed to have discovered on OPM's network and in the Department of the Interior's data center.
Handing out bandages
The two systems breached were the Electronic Official Personnel Folder (eOPF) system, an entity hosted for OPM at the Department of the Interior's shared service data center, and the central database behind "EPIC," the suite of software used by OPM's Federal Investigative Service in order to collect data for government employee and contractor background investigations.
Ars contacted both OPM and DHS while researching this story, but officials at both agencies refused to confirm or deny that these systems were part of the breach due to the ongoing investigation. However, sources familiar with OPM projects identified these systems as the ones most likely to be at the heart of the breaches.
In the weeks following the breach discovery, OPM officials scrambled to find a contractor to handle the "Privacy Act event." The organization issued a call in late May and awarded a contract five days later (on June 2) to Winvale Group, a Washington, DC-based technology services company that also helps businesses sell services to the government. OPM classified the transaction as a blanket purchase agreement to allow for multiple additional purchases. The $20.8 million "first call" was for 3.2 million "units" of credit monitoring and identity theft recovery services, indicating the agency's early assessment of how many individuals might have been affected by the breach.
The Winvale Group may get a lot more business based on OPM Director Katherine Archuleta's statement to the House Government Oversight Committee this week. "In early May, the interagency incident response team shared with relevant agencies that the exposure of personnel records had occurred," Archuleta said. "During the course of the ongoing investigation, the interagency incident response team concluded—later in May—that additional systems were likely compromised, also at an earlier date. This separate incident—which also predated deployment of our new security tools and capabilities—remains under investigation by OPM and our interagency partners. In early June, the interagency response team shared with relevant agencies that there was a high degree of confidence that OPM systems related to background investigations of current, former, and prospective Federal government employees, and those for whom a federal background investigation was conducted, may have been compromised."
To date, OPM has no idea how many individuals' background investigations were exposed. All Archuleta said was that the agency was "committed to notifying those individuals whose information may have been compromised as soon as practicable."
In the meantime, the Obama administration has ordered a “30-day Cybersecurity Sprint." Agencies must perform vulnerability testing and patch existing holes in security. They must prune the number of privileged user accounts and expand adoption of multifactor authentication for all systems. The Department of Defense and intelligence community have led the way on that last requirement, but many civilian agencies (such as OPM) have been slow to put it in place.
Just how much this "sprint" will improve government security remains to be seen, especially since agencies such as OPM have been repeatedly warned in the past about minimum "security hygiene." Thirty days is not likely enough time to correct a decade-plus of neglect of antiquated systems, poor leadership, and spotty attempts at modernization.
Employees must wash hands
Enlarge/ The OPM Federal Investigative Service secure Web portal, powered by the no-longer-supported Adobe JRun.
OPM is not alone in neglecting basic security guidelines spelled out for them by both federal regulations and executive orders for much of the past decade. Even those agencies that have implemented systems to comply with the letter of FISMA (Federal Information and Security Management Act) and other regulations have had problems keeping on point because of the constantly changing nature of information security threats. And the complex plaque of information systems that agencies have built up often defies any sort of security management because the vendors who built many of the systems have long since disappeared.
By and large, government agencies in the last 20 years have become increasingly dependent on outside contractors to provide the most basic of information technology services—especially smaller agencies like OPM. The result has been a patchwork IT systems and security, and the Office of the CIO at OPM has a direct hand in fewer and fewer projects. Of the 47 major IT systems at OPM, 22 of them are currently run by contractors. OPM's security team has limited visibility into these outside projects, but even the internally operated systems were found to be lacking in terms of basic security measures.
While OPM instituted continuous monitoring of some systems using security information and event management (SIEM) tools, those tools covered only 80 percent of OPM's systems according to a fiscal year 2014 audit by OPM's Internal Office of the Inspector General (OIG) audit team. And as of October 2014, monitoring didn't yet include contractor-operated systems, according to the same organizational oversight.
"The OCIO (Office of Chief Information Officer) achieved the FY 2014 milestones outlined in the roadmap which included quarterly reporting for high impact systems," the OPM OIG reported in its audit. "The next stage in the OCIO’s plan involves requiring continuous monitoring by contractor-operated systems and implementation of the DHS Continuous Diagnostic and Mitigation program." In other words, OPM had no idea what was going on inside contractor-provided networks and only a limited grasp on what was going on within its own network.
There were significant gaps in OPM's security testing as well. Seven major systems out of 25 had inadequate documentation of security testing—four of which were systems directly maintained by the OPM's internal IT department. Three out of the 22 contractor-operated systems had not been tested in the last year; the remainder had only been tested once a year.
The greatest lapse within OPM's security, perhaps, is the way that it has handled user authentication. The OPM IG report has found progress on access controls, including the use of multi-factor authentication to access OPM's virtual private networks and even to log into workstations using Personal Identity Verification (PIV) card readers—essentially guarding the entry points into the OPM network. But "none of the agency's 47 major applications require PIV authentication," the Office of the Inspector General reported, a violation of an Office of Management and Budget mandate for federal systems.
OPM's Office of the CIO responded that "in [fiscal year] 15 we will continue to implement PIV authentication for major systems."
Ironically, federal officials have been blaming the messenger to some degree through anonymous statements to the press. NPR reported that investigators were looking into whether the IG report "tipped off hackers to some of the agency's vulnerabilities," and reporter Dina Temple-Raston found that investigators believed the attack came "about a month" after the IG report was published. "Among the things the inspector general found that could have helped hackers was that nearly a quarter of the agency's systems did not have valid authorization procedures," she said. "The reason that's important is because one of the departments that didn't have the correct procedures was the Federal Investigative Services. That's the group responsible for background investigations of federal employees. So that data's very sensitive, and as we know now, this is one of the databases that was hacked."
But those problems had been well-documented prior to the 2014 IG report. Attacks on two OPM investigative contractors—USIS and KeyPoint—could have provided plenty of intelligence on just how bad OPM's systems were. Even a quick Web search would have given attackers plenty of ideas about how to get into OPM's sensitive systems. For example, the "secure" Web gateway to OPM's background investigation systems is a contractor-hosted website at an application service provider. That Web gateway is reached through a Windows Web server running JRun 4.0, Adobe's Java application server, as well as ColdFusion, a platform that has been used for a number of breached government servers in the past few years.
In 2013, someone hacked into Adobe and stole the ColdFusion source code. And Adobe dropped the JRun product line entirely in 2013—with extended "core" support ending in December of 2014. There is no evidence that OPM or its application provider had purchased expensive extended, dedicated support, but JRun would hardly be the only unsupported platform still used by OPM. The agency still has systems based on Windows XP (supported under a custom support agreement with Microsoft), and many of the core systems run by the agency are based on mainframe applications that haven't been updated since their COBOL code was fixed for the Y2K bug in the late 1990s.
It would be incorrect to say that these older systems (especially the COBOL code) couldn't be updated to support encryption, however. There are numerous software libraries that can be used to integrate encryption schemes into older applications, including libraries from PKWare. Other government agencies and financial institutions already utilize such software, according to Matt Little, VP of Product Development at PKWare. The problem is that, as DHS Assistant Secretary for Cybersecurity Andy Ozment noted during his testimony, OPM didn't have the kind of authentication infrastructure in place for its major applications to take advantage of encryption in the first place. Encryption, he said, would "not have helped in this case."
Since multi-factor authentication and encryption were not integrated into any of OPM's 47 major applications, all an attacker had to do was to gain access to a system on the network—nearly any system. Based on the testimony before Congress and other publicly available data, we know that hackers found at least two systems and were able to easily expand their access laterally within OPM and then contractor and service provider networks afterward.
"There's a process failure in every spot there," said PKWare's Little. "It's just bad security controls. It looks ridiculous—they didn't even have basic IP (network) access controls. This is not something we typically see in a serious security customer."
As Ars has reported, those problems were not just found at OPM itself. Contractors working for the agency may have introduced some unique security issues of their own, including employing Chinese nationals—some working from overseas—as part of subcontracting teams. Allegedly, that project was an implementation of SAP's SuccessFactors software, undertaken by a systems integrator for OPM and affiliated agencies, and included access to employee personnel data for the Department of Energy, the Transportation Security Agency, and others. SuccessFactors is used as part of a human resources system called the Talent Management System (TMS), "an integrated learning management and performance management system based on the industry leading SAP/Plateau/Success Factors software" hosted for multiple agencies by a data center at the Department of the Interior. SAP could not provide information about the program, the integrator, or even confirm that Interior or OPM were a customer without OPM authorization.
The wrong kind of file sharing
The login page for the Web gateway to the Electronic Official Personnel File (eOPM) hosted at the Interior Business Center may have had some security weaknesses, as shown by Chrome.
Initially, the investigation into the OPM breach uncovered an infiltration into personnel file databases, which may have included the Central Personnel Data File. That database includes the personnel records of a majority of federal employees. The data breach, based on testimony provided by federal officials, included an intrusion into an OPM system hosted by an outside service provider: the Department of the Interior.
The Interior Business Center, formerly known as the Department of Interior National Business Center, is what's known as a shared services center. That means it gets its funding by bidding for work from other government agencies, occasionally competing against outside contractors. So the IBC has been a relatively active center of innovation in the US government as a result. The center has been in the government cloud business since before the Obama administration, providing infrastructure and software as a service. The IBC uses its IBM mainframes, database instances, and mainframe Linux instances (along with other servers) to do everything from serving up webpages to running payroll for dozens of agencies. IBM even profiled IBC (then NBC) for a case study on using System z mainframes as an enterprise cloud platform.
Starting in 2011, OPM pushed agencies to adopt approved Human Resources Line of Business (HR LOB) applications running at federal and commercial shared service centers, hoping to save a billion or more over four years by using more generic federal human resources applications hosted at both federal and commercial shared services centers. But even before the Obama administration had begun its big push to consolidate federal data centers under Chief Information Officer Vivek Kundra, NBC was providing IT services for more than 150 government agencies (often as Web-based software-as-a-service offerings).
IBC also offered mainframe capacity through "infrastructure-as-a-service" packages to other agencies. And as OPM was seeking to consolidate its own data center operations, it turned to IBC to host the eOPF system—the electronic version of government employees' personnel files. The eOPF system's data includes the electronic version of the SF-50 (Notification of Personnel Action), which a State Department human resources document referred to as "Your Federal Employment Birth Certificate." It documents a federal employee's career—promotions, demotions, other administrative actions, retirement plan, and work schedule, as well as personal identifying data. OPM maintains eOPF records for millions of current and former government employees, including Congressional staffers.
At some agencies, eOPF is only accessible from within departmental networks. But some agencies, including OPM, have Internet-accessible portals into the eOPF system. Apparently, eOPF's servers are accessible over the same Internet gateway that other agency Web servers running in IBC used. It's also behind the same firewall. So exploiting one of the Web servers operated by IBC would have given attackers access from within the firewall to eOPF and, in turn, to the OPM databases and services connected to it.
That much was confirmed by Interior's CIO Sylvia Burns, who said in her statement to the House Government Oversight Committee that there was evidence "the adversary had access to the DOI data center’s overall environment." As a result, DOI is "accelerating" a number of fixes. "As part of DHS’s Binding Operational Directive (BOD) we are identifying and mitigating critical Information Technology (IT) security vulnerabilities for all Internet facing systems... We are fully enabling two factor authentication for privileged users (e.g., system administrators, etc.), as well as regular end-users."
In other words, once the attackers had gained access to login credentials of a "privileged user" in IBC's data center, they had the keys to the kingdom. Burns also said that improvements were being made to the way networks within the IBC data center were isolated from each other, an attempt to prevent attackers from exploiting systems connected to the Internet in order to access the rest of its infrastructure.
And the eOPM Web interface itself may have been susceptible to breach. A check of the site's Internet-facing login by Ars found "obsolete" crypto—the site still uses TLS 1.0. There were also insecure elements on the page which might have been modified by a man-in-the-middle attack to fool users into giving up credentials.
In a notice to federal employees about the breach, OPM obliquely confirmed that eOPF had been breached:
The kind of data that may have been compromised in this incident could include name, Social Security Number, date and place of birth, and current and former addresses. It is the type of information you would typically find in a personnel file, such as job assignments, training records, and benefit selection decisions, but not the names of family members or beneficiaries and not information contained in actual policies.
While the attackers had full access to IBC's data center, it so far appears that they didn't pull data from the HR LOB applications run there. Data available there would have been more interesting to thieves interested in financial gain, but the eOPF data is more interesting from an intelligence perspective because it profiles government employees. Such information might indicate things like whether they had problems in the workplace and might be susceptible to recruiting efforts.
Even so, eOPF isn't nearly as dangerous to both federal employees and the government at large as the other system at OPM that got hacked: EPIC.
Tell us a little about yourself
The header to SF-86, the questionnaire filled out by all candidates for security clearance background investigations. All that data goes into OPM's CVS.
The background investigation toolset is called EPIC, which is an acronym based on its major components:
E, for the Electronic Questionnaires for Investigations Processing (e-QIP) system, a "Web-based automated system...designed to facilitate the processing of standard investigative forms used when conducting background investigations for Federal security, suitability, fitness and credentialing purposes." The e-QIP system provides a "secure Internet connection"—a Web-based HTTPS portal, based on Adobe ColdFusion—to "electronically enter, update and transmit their personal investigative data over a secure Internet connection to a requesting agency."
P, for the Personnel Investigations Processing System (PIPS), a background investigation case management system that handles individual investigation requests from agencies. In addition to handling the scheduling and processing of background investigations, PIPS contains the Security/Suitability Investigations Index (SII), a master record of background investigations conducted on government employees. This is consulted whenever a "National Agency Check" is run against a person as part of a background investigation.
I, for Imaging—as in the PIPS Imaging System—a viewer for digitized paper case files. Paper surveys, questionnaires, written reports, and other images are stored here in a system based on IBM's Deaja ViewOne.
C, for the Central Verification System (CVS), the mother lode of background investigation data. According to OPM, it contains "information on security clearances, investigations, suitability, fitness determinations, Homeland Security Presidential Directive 12 (HSPD-12) decisions the background checks required for employees and government contractors to gain access to federal facilities, Personal Identification Verification (PIV) credentials [the government ID cards used for facility access and as a second factor in authentication systems], and polygraph data." In 2014, OPM increased the scope of CVS to accept security clearances granted to state, local, tribal and certain corporate employees to meet the needs of the Department of Homeland Security. CVS is also "bridged" to the military's Joint Personnel Adjudication System (JPAS), the Department of Defense's own clearance system for uniformed and civilian employees, so that contractors performing background checks can reach into DOD data when performing background investigations.
Some pieces of EPIC are so sensitive that they are housed at Fort Meade—the home of the Defense Information Systems Agency and the National Security Agency. Contractors who support them require Top Secret clearances.
In a fiscal year 2014 annual report, officials at OPM's Federal Investigative Service wrote, "At OPM, the security of our network and the data entrusted to us remains our top priority. OPM FIS took steps to strengthen security protocols imposed on its own information technology systems and those of its contractors in an effort to preempt any malicious incident that could cause harm to the privacy of individuals or our national interests."
Despite those steps, two OPM investigative contractors—USIS and KeyPoint Solutions—discovered data breaches in 2014. And while some of the elements of EPIC may have been protected from external attack by being located in federally owned secure data centers, it was the breach of OPM's own departmental network that led to the exposure of the contents of the CVS system. While users of OPM FIS' "secure Web portal" are prompted for two-factor authentication (or at least, that's what the code on the site's ColdFusion-powered login page suggests), only a single set of credentials was required from inside OPM's network to gain access to data.
The malware behind the attack, which could have resided on a FIS workstation or nearly any other system within OPM, could then use those credentials to issue queries against CVS and sneak the data back out of the network over the Internet, hiding its activity internally among normal CVS traffic. It was only when OPM was assessing systems to actually implement the sort of continuous monitoring tools that the Federal Information Systems Management Act dictates that OPM security officers discovered traffic outbound from the network that indicated something was very, very wrong.
The damage done to national security by this breach far exceeds anything that could be claimed in relationship to the documents leaked by former NSA contractor Edward Snowden. In total, more than 10 million people have active background investigation files in the CVS—either because they have been investigated for a security clearance, or just to obtain permission to work inside federal facilities. Those include all the data from the SF-85 and SF-86 personal survey forms they have filled out detailing much of their personal lives. They include police, fire, and other emergency personnel at state and local levels who have contact with federal anti-terror "fusion" centers, DOD investigators and intelligence analysts. The only agency that may not have been affected is the CIA, which maintains its own background investigation and clearance system.
A lack of imagination
The weaknesses that were exploited at OPM were ones that weren't just discovered overnight—they were problems that had existed in some form for over eight years and possibly longer, exacerbated by outsourcing and poor leadership and planning. These problems are all too common among government agencies because of the "checkbox" approach that agencies have taken to information security.
With the "checkbox," agencies measure their security based on whether they have done something that matches against a particular FISMA regulation or used a technology that meets the National Institute of Standards and Technology's (NIST's) Federal Information Processing Standards (FIPS), allowing agencies to achieve security "compliance" without really being secure, according to security experts who spoke with Ars. And while the Defense Department and intelligence agencies have taken a more aggressive stance on security measures, few agencies have ever taken the decades-old approach to security that the military pioneered for classified systems: having someone "red-team" them with penetration tests that resemble actual attacks.
"One of the things they struggle with is a failure of imagination," said FusionX's Parker. "The 9/11 attacks happened because we had a failure of imagination in terms of what hijacking was. It's the same with cyber. People aren't gaming things enough—not doing it in tabletop exercises, but doing it for real." While the government holds security exercises like "Cyber Storm", DHS' biennial effort, these are still essentially the paper-based roleplaying game version of security.
While the White House pushed forward with executive orders calling for penetration testing as part of the "30 Day Sprint" launched by President Obama last week, Parker said that he's still "seeing decades of box checking and a lack of realistic threat simulation." These sorts of tests are useless if the goal is understanding how attackers might exploit systems in unexpected ways, he said. "Like Mike Tyson said, 'Everyone has a plan, and then they get punched in the face.' Where these adversaries are catching people with their pants down is the unknown unknowns."
Bringing an approach from military training, where "train like you fight" has long been a mantra, would certainly help. But that's unlikely to happen without major changes to government security policy and culture. "Everything is focused on box checking," Parker noted. He added that his company doesn't do work in the federal market "because there's still a lowest bidder mentality there. If you're a CISO in a private company and you get hacked, and you get called into the boardroom and they ask you what is your procurement philosophy, and you say you went with the lowest bidder, you're going to get hung out to dry."
Instead of addressing some of the underlying problems, government agencies' approach has largely been to throw more people at the problem—Information Systems Security Officers (ISSOs). As of last October, OPM had hired seven ISSOs to take over management of systems security and had another four in the hiring pipeline. Parker said this is akin to "putting as many people around a bad fort instead of rebuilding a better fort." And while great heaps of money are being spent on cybersecurity systems, agencies could likely get a better result spending that money on "fixing systems that are 10 to 20 years old that have never been upgraded."
But these efforts won't happen without a sea change in culture, procurement approaches, and Congressional funding. Until then, expect to hear about more breaches—likely at an increasing rate.
Aaron Boyd, Federal Times 4:09 p.m. EDT June 19, 2015
The biggest misstep in the breach of Office of Personnel Management networks was not the failure to block the initial breach but the lack of encryption, detection and other safeguards that should have prevented intruders from obtaining any useful information. The data stolen in the massive OPM breach was not protected by practices like data masking, redaction and encryption — all of which should become the norm, rather than the exception, Rep. Elijah Cummings, D-Md., said during a hearing held by the House Committee on Oversight and Government Reform.
"We cannot rely primarily on keeping the attackers out. We need to operate with the assumption that the attackers are already inside," he noted. Part I: Could OPM have prevented the breach?
But OPM CIO Donna Seymour pointed to aging systems as the primary obstacle to putting such protections in place for certain systems, despite having the encryption tools on hand. As a result, data on at least 4.2 million current and former federal employees was compromised from one database and an untold number of background investigations were exposed in another.
"A lot of our systems are aged," said Seymour. "Implementing some of these tools take time and some of them we cannot even implement in our current environment."
Not all experts agree. Kurt Rohloff, associate professor at the New Jersey Institute of Technology and director of the NJIT Cybersecurity Center questioned the claim that legacy systems can't support encryption. More: OPM's laxity to blame for data breach, lawmakers say
"The statement that legacy systems cannot encrypt may not be completely true," Rohloff said. "It may be very expensive to integrate encryption technologies with legacy systems but it is generally possible."
OPM is currently "building a new architecture, a modern architecture that allows us to implement additional security features," Seymour said, stating it is on schedule to be deployed this fall. Once that architecture is in place, the agency will be able to employ stronger data protection schemes, she said. More: Second OPM hack exposed highly personal background info
Even if the information had been encrypted, that might not have been enough to stop attackers from getting usable data from this intrusion, OPM Director Katherine Archuleta told the committee, asking DHS Assistant Secretary for Cybersecurity and Communications Andy Ozment to explain further.
"If an adversary has the credentials of a user on the network, then they can access data even if it's encrypted, just as the users on the network have to access data, and that did occur in this case," Ozment said. "So encryption in this instance would not have protected this data." More: The user knows nothing — Rethinking cybersecurity
The only way to prevent malicious actors from obtaining useful data in this case would have been timely detection of the intrusion.
"It's basically impossible for a target of any real size to be perfect across that whole exposed area," said Richard Bejtlich, chief security strategist at FireEye and nonresidential senior fellow at the Brookings Institution. "When the intruder gets that first foothold, somebody has to notice and then react to contain the intruder before he can accomplish his mission."
Despite the speed of computer processing, it still can take hours, days, maybe even weeks for bad actors to find their way around a system and effectively exfiltrate the data.
"If at any point during that timeline you notice they got in … and you contain them, then you win, Bejtlich added. "That's the difference between a breach where something catastrophic happens and unauthorized access, which is just getting that initial foothold."
OPM was part of a second set of task orders on DHS's Continuous Diagnostics and Mitigation (CDM) program, which gives agency's the tools to track all the assets on their networks and detect anomalies. This functionality, coupled with identity and access management tools slated for the next phase of CDM, could have helped OPM spot the intruders.
Even if the hackers had valid credentials, if they were used from an unusual IP or were discovered accessing information in a database that user should not be in, OPM security officials could have seen something was amiss.
Unfortunately, the first phase of CDM implementation won't be finished until later this year and solicitations for the second phase are slated for this summer.
"No single system will solve this problem," Ozment said. "We do need a defense-in-depth strategy."
Anxiety is spreading among defense officials and the military community that the recent theft of federal government data linked to China may affect hundreds of thousands of service members.
Compounding those concerns is the limited information made public by the Office of Personnel Management.
Some military officials believe the recent hack targeting the civilian-run OPM seized information from tens of thousands of Standard Form 86s, which are required for all service members and civilians seeking a security clearance. That includes service members of all ranks, officers and enlisted, in a wide range of job specialties and assignments.
"They got everyone's SF-86," one Pentagon official familiar with the investigation told Military Times.
The SF-86, a 127-page document, asks government employees to disclose information about family members, friends and past employment as well as details on alcohol and drug use, mental illness, credit ratings, bankruptcies, arrest records and court actions.
Given the scale of the breach as publicly disclosed by the Obama administration and OPM, it's likely that the hackers obtained the SF-86 data of every military member who filled out the form on a computer, something that has been standard practice in Defense Department for well over a decade, said a retired senior intelligence community official who writes a blog under the pen name Victor Socotra.
The services began to make the digital SF-86 form mandatory in 2007, but service members used the digital form for years before that.
"They had access on everyone who has applied for a security clearance: families, residences and job assignments, bank records," Socotra said. "If that's not an absolute calamity, I don't know what is."
A senior administration official declined to confirm or deny the details of the breach, but told Military Times that "SF-86 applicant data is among the kind of data affected by the incident, but other kinds of information are also contained in the systems. As the investigation remains ongoing, we are still determining the full scope and extent of the information exposed."
Socotra, a former active-duty military intelligence official who worked directly for CIA Director George Tenet, and many Republican politicians contend the information being released is deliberately obscuring the magnitude of the incursion into OPM's records.
"This is a surreal new world and they are not being truthful," he said. "The way this works now is that they tell you a little bit of the truth, and then they obfuscate."
The lack of clarity coming from the White House and from OPM on the extent of the breach drew sharp criticism from lawmakers Tuesday. OPM Director Katherine Archuleta was summoned to Capitol Hill to respond to concerns about the sweeping breach of personnel information.
Rep. Ron DeSantis, R-Fla., pressed her about the reports that SF-86 documents were at the heart of the security breach.
"So you don't disagree with my characterization of the SF-86 in that the compromise, let's just say, theoretical, if you don't want to say what actually happened here, that that is a major, major breach that will have ramifications for our country?" DeSantis said.
"As I said, we will discuss this with you in a classified setting," Archuleta responded.
The Defense Department allows OPM to handle the vast majority of background checks required for military security clearance investigations.
Signs are mounting that OPM officials were aware their security clearance data was vulnerable. In November, the OPM inspector general issued a report concluding that the data was at risk, a "Chinese hacker's dream," according to a New York Times report.
Elizabeth Newman, an attorney and security clearance expert, said the hack was a clear OPM failure.
"It means that OPM was pretty incompetent," she said. "They knew that their systems were vulnerable and were warned but did nothing to secure them."
OPM initially said a recent cyberattack was limited to civilian employees. But the agency later acknowledged a separate incident that compromised "information related to the background investigations of current, former, and prospective federal government employees, and other individuals for whom a federal background investigation was conducted."
OPM spokesman Samuel Schumach said OPM "will notify those individuals whose information may have been compromised as soon as practicable."
Infosecurity
Europe 2015, one of The State of Security’s
top 10 conferences in information security, may be over but now is the
perfect time for industry professionals to internalize all of the findings
shared at the conference. One such piece of research that demands our attention
is the 2015
Information Security Breaches Survey. Commissioned
by the HM Government, the 2015 Information Security Breaches Survey was
conducted by PwC in association with Infosecurity Europe 2015 and Reed
Exhibitions. More than 650 UK corporations across all economic sectors responded
to the survey, which proceeded via the use of two online questionnaires and
“sticky sessions.” Below are
three key takeaways of the study. KEY
FINDING #1: BREACHES ARE INCREASING IN NUMBER, SCALE, AND
COST According to the 2015 Information Security Breaches Survey, the
number of security breaches has increased in the past year, whereas the scale
and cost have nearly doubled. This trend is
highlighted by the fact that 90 percent of large organizations and 71 percent of
small businesses that responded to the survey reported a breach this past year.
These figures are up from 81 percent and 71 percent, respectively, as compared
to last year. infosec
breaches survey 2015 [1]On a positive note, the average number of breaches per
year has decreased from 16 incidents for large organizations to 14; for small
businesses, breaches have also decreased from six to four since 2014. The survey
also indicates that distributed denial of service (DDoS) attacks have dropped
across the board. Even so, 59
percent of respondents expect to see more security incidents this year than they
did previously. Additionally, each of these breaches will constitute a greater
financial burden for larger organizations, given the rise in a the average cost
of a breach from £600,000 – £1.15 million last year to approximately £1.46
million – £3.14 million this year. KEY
FINDING #2: INFOSEC SPENDING IS EXPECTED TO DECREASE Another key
finding of the 2015 Information Security Breaches Survey reveals that 44 percent
of both large and small businesses increased their spending in information
security last year, which is down from 53 percent and 27 percent, respectively,
in 2014. Additionally,
estimates suggest that this downward trend in increased infosec spending will
not change over the next year: 46 percent of large organizations and 7 percent
of small businesses expect their information security spending to increase in
the next year, which is down from 51 percent and 42 percent, respectively, last
year. infosec
breaches survey 2015 [2]Two areas in particular, cyber insurance and threat
intelligence, are seeing a decrease in investments from all respondents. Nearly
40 percent of large organizations and 27 percent of small businesses currently
have cyber insurance (which is down from 52 percent and 35 percent,
respectively, a year ago). Also, whereas
69 percent of respondents planned to invest or were invested in threat
intelligence in 2014, only 63 percent planned to invest this year. These trends
may partially reflect the fact that one-third of large organizations say that
responsibility for ensuring data protection is still unclear. KEY
FINDING #3: THE HUMAN FACTOR IS STILL A RELEVANT SECURITY
LIABILITY The third and final noteworthy finding of the survey
reveals that despite efforts to increase awareness among staff members, people
are as likely to be the cause of breaches as are viruses and other types of
malicious software. infosec
breaches survey 2015 [3]In the past year, the number of UK organizations who
have invested in staff awareness programs has increased. For example, 32 percent
of respondents follow the HMG “Ten Steps to Cyber Security,” which is up from 26
percent last year. Furthermore, 49 percent of both large and small organizations
are now badged or are currently working towards receiving accreditation under
the Cyber Essentials or Cyber Essentials Plus programs. This
organization-wide focus towards security is reflected in the fact that 72
percent of large organizations and 63 percent of small businesses now provide
ongoing security awareness training, which is up from 68 percent and 54 percent,
respectively, in 2014. Even so, the
number of organizations to report a breach due to human error has
grown. Three-fourths
of organizations and nearly a third of small businesses cited human error as the
cause of at least one breach, which is up from 58 percent and 22 percent ,
respectively, last year. Half of respondents also revealed that the worst
breaches they experienced were caused by inadvertent human error—up from 31
percent in the year previous. CONCLUSION Although
it sought out the responses of UK corporations only, the 2015 Information
Security Breaches Survey may reflect wider trends that stretch across national
boundaries. Organizations
have made significant progress in the past year towards protecting their
corporate and their customers’ data. However, given the increase in breaches
this past year, it is clear that businesses must continue to seek out and
mitigate security risks if they are to meet the ever-evolving online threat
landscape. To read about
the additional findings of the 2015 Information Security Breaches Survey, please
click here. This
was cross-posted from Tripwire's The State of Security blog.
Hackers have stolen the personal data and social security numbers of every US federal employee because the data was not encrypted, a union representing government workers has claimed.
The claim is made in a letter discussing the massive data breach at the Office of Personnel Management (OPM) which saw cyber criminals make off with an estimated four million government employee records.
The OPM is the human resources department for the federal government, and carries out checks for security clearances. Officials were warned that the breach may have had an impact on every federal agency and have described the breach as among the largest-known thefts of government data in history.
Now, J David Cox, president of the American Federation of Government Employees, has claimed in a letter to OPM director Katherine Archuleta that far more records have been stolen than the government had previously acknowledged.
According to the document, hackers stole military records and the status information, address, birth date, job and pay history, health insurance, life insurance, and pension information of veterans; along with age, gender and race data of government employees.
"We believe that Social Security numbers were not encrypted; a cyber security failure that is absolutely indefensible and outrageous," the letter said.
"Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees," it added.
The OPM agency, however, has downplayed the impact of the cyber-attack, arguing that only limited personal information was stolen.
While the US government does not have a firm idea of who carried out the cyber-attack against OPM, Susan Collins, a member of the Senate Intelligence Committee, suggested that it was thought to have derived from China.
Democratic senator Harry Reid also said on the senate floor that the December attack was carried out by "the Chinese." However, the Chinese embassy has told the US the accusations were "not responsible and counterproductive".
Speaking at the recent Infosecurity Europe conference in London, security technologist Bruce Schneier described how it is now almost impossible to tell who is conducting cyber-attacks against an organisation.
The perpetrators, he said, could be anyone because "the same tactics and targeting and weaponry are used by everybody".
"We're actually living in a world where you can be attacked and not know if it is a nuclear-powered government with a $20bn (£13bn) military budget or a couple of guys in a basement somewhere. That's a legitimate thing to be unsure about. That's freaky," said Schneier.
The US Internal Revenue Services has also recently been the victim of a data breach, although rather than accusing China, the organisation suggested that Russia was behind the cyber-attack.
Banks meeting the requirements are eligible for a non-prosecution agreement.
The NPA's require banks to cooperate in any related criminal or civil proceedings, demonstrate controls to stop the use of undeclared U.S. accounts, and pay penalties.
The DOJ said Tuesday that since August 2008, SocGen Private Bank Suisse held and managed about 375 U.S.-related accounts with a peak of assets under management of about $660 million. Some of the accounts were undeclared.
Berner Kantonalbank was founded in 1834 as Kantonalbank von Bern, the first Swiss cantonal bank. The bank is based in the Canton of Bern and has 73 branches in Switzerland.
Since August 2008, the DOJ said, Berner Kantonalbank held about 720 U.S.-related accounts, including some that were undeclared, with total assets of about $176.5 million.
Both banks "mitigated" their penalties by encouraging U.S. accountholders to comply with U.S. tax and disclosure obligations.
U.S. accountholders at the banks who haven't yet declared their accounts to the IRS can still make a voluntary disclosure under the IRS Offshore Voluntary Disclosure Program and pay a 50 percent penalty, the DOJ said.
In March, Lugano-based BSI SA, one of the ten biggest private banks in Switzerland, paid a $211 million penalty under the DOJ's Swiss bank program.
In May, Finter Bank Zurich AG paid a $5.4 million penalty under the program.
________ Richard L. Cassin is the publisher and editor of the FCPA Blog. He can be contacted here.
- See more at: http://www.fcpablog.com/blog/2015/6/12/socgen-private-bank-switzerland-pays-17-million-penalty-for.html#sthash.faHjAR6t.dpuf
Eataly's retail location in New York City has reported a possible data breach in its POS system. The company's website warns consumers of the potential security incident, urging consumers who purchased items between Jan. 16 and April 2 at the New York City location to immediately check their bank accounts.
"Based upon an extensive forensic investigation, it appears that criminals unscrupulously hacked our network system and installed a malware designed to capture payment card transaction data," according to a company statement.
An investigation was officially launched after several Eataly employees, who also made purchases at the store, found fraudulent charges on their credit cards, PYMTS reported
Silicon Valley Groups to Obama: Leave Encryption Alone
Phil MuncasterUK / EMEA News Reporter , Infosecurity Magazine
Two major hi-tech industry groups have written an open letter to president Obama asking the administration to reconsider any policies it may be cooking up to weaken encryption in order to aid law enforcement efforts.
The Information Technology Industry Council (ITI), which describes itself as the “voice of the tech sector,” and the Software and Information Industry Association (SIIA) count some of the most powerful technology companies on the planet as members.
These include Microsoft, Lenovo, Facebook, EMC, Google, Oracle, Sony and Symantec.
The letter explained patiently the importance of strong encryption as an “essential asset of the global digital infrastructure,” engendering consumer trust in the confidentiality of services and transactions.
The letter continued: “We appreciate that, where appropriate, law enforcement has the legitimate need for certain information to combat crime and threats. However, mandating the weakening of encryption or encryption ‘work-arounds’ is not the way to address this need. Doing so would compromise the security of ICT products and services, rendering them more vulnerable to attacks and would erode consumers’ trust in the products and services they rely on for protecting their information.”
The letter added that if the US decides to push ahead with such a policy it would “legitimize” similar efforts by other states, threatening global markets and diminishing civil liberties.
The Obama administration has become increasingly vocal and hostile towards strong encryption.
Just last week, FBI assistant director Michael Steinbach called in a House committee hearing for a new law to enable law enforcers to access encrypted comms if they’ve received prior consent from a court.
This follows similar calls in the past from other senior officials including attorney general, Eric Holder, and FBI chief James Comey.
In the UK, prime minister David Cameron was widely criticized for making similar remarks ahead of the last general election.
Now that his Conservative party have won an outright majority in the Commons, commentators believe it will try and reintroduce the hugely controversial ‘Snooper’s Charter’ bill which would, among other things, address the problem of access to encrypted comms.
Cybercrime Can Give Attackers 1,425% Return on Investment
Going rates on the black market show ransomware and carding attack campaign managers have plenty to gain.
While security professionals often find it difficult to prove return on investment, a standard ransomware campaign could earn an attacker a 1,425 percent ROI, according to a report released today by Trustwave.
"We're showing what the motivation for and value of a cybercrime is," says Charles Henderson, vice president of managed security testing at Trustwave. "To my mind, if you're going to defend against cybercrime, you need to understand" the attackers' motivation.
Trustwave's report is based on study of the black market cybercrime economy and direct investigations of 574 data breaches across 15 countries in 2014.
Sponsor video, mouseover for sound
Trustwave calculated the ransomware ROI based on the following:
Costs of a ransomware payload (CTB Locker in this example), infection vector (RIG exploit kit, which was most common), camouflaging services (encryption), and traffic (20,000 visitors) totaled $5,900 per month.
Earnings for a 30-day campaign, assuming a 10 percent infection rate, a payout rate of 0.5 percent, and a $300 ransom, would total $90,000.
That's a profit of $84,100 and a ROI of 1,425 percent.
"The black market is very transparent," says Henderson. "You can look for a good deal ... just as any mercantile or purveyer of goods."
Poorly secured point-of-sale systems, the high black market value of track data, and the quick turnaround on stolen cardholder data have also made the carding business very popular -- particularly against targets in North America, where EMV adoption is so low.
Overall, 42 percent of the incidents Trustwave investigated were on e-commerce assets, 40 percent on PoS system, and 18 percent on internal networks. In North America, 18 percent were e-commerce, 65 percent PoS, and 17 percent internal networks.
Although 49 percent of breaches did involve theft of PII, track data was targeted even more often, in 63 percent of attacks.
This demand for cardholder data and the ease of getting it has affected the industries that hackers are honing in on. The top three industries targeted in 2014 were retail (43 percent), food and beverage (13 percent), and hospitality (12 percent). Ninety-five percent of the attacks in the food and beverage industry and 65 percent in the hospitality industry were from PoS systems.
Nearly all of the PoS breaches were the result of weak passwords (50 percent) and weak remote access controls (44 percent).
E-commerce compromises, on the other hand, were quite different. While only 8 percent come from weak passwords and 17 percent from weak remote access security, 42 percent result from weak or non-existent input validation and 33 percent from unpatched vulnerabilities. The web server vulnerabilities most popular with opportunistic attackers were the WordPress pingback DDoS (30 percent), cross-site scripting (25 percent), and the ShellShock Bash bug.
Trustwave also examined how different types of financially motivated threat actors make money on cybercrime, distinguishing between targeted attackers and opportunistic attackers.
Targeted attackers choose a specific set of targets, and then find out where the potential victim is vulnerable and how to compromise it. Opportunistic attackers approach things from the opposite direction; they learn about a vulnerability, then look for targets that are vulnerable to it.
Trustwave found that both categories of attackers may go after e-commerce sites, for example, but they'll have different post-exploit purposes.
"I see the opportunistic attackers as the serial entrepreneurs," says Henderson. "Someone who's looking to build any business" as opposed to just an auto shop or technology firm or clothing line. "Very nimble, but not very particular."
Opportunistic attackers tended to monetize their efforts by installing webshells and backdoors and redirecting users for search-engine optimization or installing IRC clients for botnet recruitment, according to the report. In addition to being cybercriminals they are also cybercrime service providers.
Targeted attackers, rather, have a methodology and a business plan that they're committed to, says Henderson.
Targeted attackers tend to go after specific high-value sites and steal payment card data. (Service providers for travel booking sites have become a popular target for this reaon, according to the report.) Attackers then monetize it by selling cardholder data, selling goods purchased with that data, or using money mules to transfer money out of compromised accounts to attacker-owned accounts. Other findings
Trustwave's scanners also found that 98 percent of applications had vulnerabilities.
"It's both surprising and unsurprising," says Henderon. "Surprising in the sense, that there's a difference in knowing application security isn't where it needs to be and seeing a hard number like that."
Plus, "Password1" was the most common password.
"You would think it would be blacklisted," says Henderson. "Not the case."
Most breaches were detected by third parties -- 58 percent by regularory bodies, card brands and merchant banks, 12 percent by law enforcement, 4 percent by consumers, and 7 percent by other parties.
However, that slim 19 percent of organizations that self-detected breaches discovered and contained them far more quickly than third parties did. The median time from instrusion to containment for externally detected compromises was 154 days; for self-detected compromises just two weeks (14.5 days to be exact).
"The ongoing security programs that include managed security providers, extensive teams in-house, and regular proactive security testing, these are the companies that detect their own intrusion," says Henderson. But those are also the types of companies that tend to prevent intrusions, he says. Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio
White House Calls For Encryption By Default On Federal Websites By Late 2016
Just 31% of federal agencies today host HTTPS websites and the Office of Management and Budget (OMB) has now given the rest of the government a deadline for doing so.
In yet another step toward making Internet encryption the new normal, the White House has instituted a new policy requiring all federal agencies to use HTTPS for their public-facing websites by the end of next year.
To date, only 31% of federal agencies run encrypted, HTTPS websites, including whitehouse.gov, cia.gov, nsa.gov, and omb.gov. Interestingly, dhs.gov and fbi.gov are among the agency websites that are not HTTPS-enabled as yet, according to a federal website that tracks and grades HTTPS adoption among agencies.
The OMB first recommended the HTTPS-only policy in draft form in March, and this week's announcement solidifies the plan with guidance and a December 31, 2016, deadline for adopting encrypted website communications via the standard.
Sponsor video, mouseover for sound
Tony Scott, the administration's federal chief information officer, said in the new policy memorandum that all publicly accessible federal government websites and web services must deploy secure connections between the client and website via HTTPS, the Hypertext Transfer Protocol Secure.
"Private and secure connections are becoming the Internet's baseline, as expressed by the policies of the Internet's standards bodies, popular web browsers, and the Internet community of practice. The Federal government must adapt to this changing landscape, and benefits by beginning the conversion now. Proactive investment at the Federal level will support faster internet-wide adoption and promote better privacy standards for the entire browsing public," Scott said in the announcement.
"Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. An HTTPS-only mandate will provide the public with a consistent, private browsing experience and position the Federal Government as a leader in Internet security," he said.
The US government's encrypted website policy comes on the heels of a wave of SSL/TLS-related moves in the industry, including major websites including Facebook, Twitter, and LinkedIn, going encrypted in an age of privacy and security concerns. Google is even giving HTTPS sites a ranking boost. The Internet Activities Board (IAB) -- which oversees the Internet's architecture, protocols, and standards efforts, last November officially called for encryption to be instituted throughout the protocol stack as a way to secure information exchange, and provide privacy.
IAB chairman Russ Housley also urged developers to deploy encryption by default, and for network and service providers to add it as well to their offerings.
"Web security is in a dismal state," says Jeremiah Grossman, co-founder of WhiteHat Security. "This is a step in the right direction" for the feds, he says.
The catch, however, is just how such a massive number of agencies with large numbers of web pages and sites will manage their SSL/TLS certificates. It's unclear whether the feds will serve as their own certificate authority or not -- that information was not included in the policy. Efforts to reach the OMB prior to press time about the CA were unsuccessful.
"They're going to have a crypto challenge. How are they going to do key management, agency by agency? They're going to run into logistics issues, having expiring SSL keys," for example, Grossman says.
Grossman says despite the inherent challenges of getting HTTPS everywhere in the government, the new policy is a "win for everybody." [Internet Architecture Board chairman Russ Housley explains what the IAB's game-changing statement about encryption means for the future of the Net. Read Q&A: Internet Encryption As The New Normal.]
The White House encryption policy also comes amid the backdrop of a bitter battle between the FBI and the White House with members of the technology community over backdoors to encryption for helping law enforcement fight crime and terror. Members of the Information Technology Industry Council and the Software and Information Industry Association today penned a letter to President Obama in protest of any policies that would allow for such backdoors. No Fix For Hacks
HTTPS does not, of course, prevent website hacks or other security events -- a caveat Scott included in the OMB policy document.
"HTTPS-only guarantees the integrity of the connection between two systems, not the systems themselves. It is not designed to protect a web server from being hacked or compromised, or to prevent the web service from exposing user information during its normal operation," he said. "Similarly, if a user's system is compromised by an attacker, that system can be altered so that its future HTTPS connections are under the attacker's control. The guarantees of HTTPS may also be weakened or eliminated by compromised or malicious certificate authorities."
The administration's guidelines for HTTPS deployment calls for all new federal agency websites and services to be HTTPS from the get-go. It recommends HTTPS for intranets as well, but isn't requiring it. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
Richard L. Cassin
#/media/File:Backlit_keyboard.jpg){kind=link}