

Taking steps to avoid another OPM security breach

The Office of Personnel Management security breach rocked the IT industry. Here's what should be done to make sure it doesn't happen again.

Editor's note: For a different perspective on the OPM security breach, read what Michele Chubirka believes are the lessons learned from the hack and what needs to be done to keep a similar breach from occurring again.

The recent Office of Personnel Management (OPM) security breach amounts to a "worst-case" scenario for the U.S. government -- one with implications that exceed the leak of embarrassing diplomatic cables or the disclosure of details underpinning key weapons systems.

As executives fall on swords and politicians point fingers, how can the understaffed and under-resourced IT systems relied upon by the leaders of the free world be fixed? It won't be easy or inexpensive, but I contend federal IT can be brought up to the standard of security required.

First, though, a lot of sacred cows should become hamburgers. Here is what I would do to prevent another attack like the OPM network breach:

Institute a total internal retraining exercise. At a minimum, every federal employee (IT-related or not) should receive information security 101 awareness training, and anyone directly involved in IT should receive deeper training. Time and again, an individual acting out of malice or ignorance proves to be the weakest link, regardless of how much is spent on data security technology. Yes, the number of non-uniformed federal employees is staggering -- some 2.7 million at last count -- but large-scale training exercises are merely difficult, not impossible.


Accept that there is no correlation between the dollars spent on security hardware and the actual security of the end system. The efficacy of a security control is measured by its resistance to attack, expressed as the time or money required to breach it. No security system is invulnerable, but even strong controls are easily undermined by poor real-world implementation: a web application firewall is rendered useless by a single pinhole, and strong transport security is meaningless without a sound authentication scheme behind it. This is why the federal certification programs now used to vet vendors must die. The reality is that security technologies move far faster than the bureaucracies they are supposed to protect, and dragging a vendor through a year-long process to certify already obsolete code benefits no one. It drains the vendor's resources (a cost ultimately passed on to the taxpayer), kills market competition and reduces the choices available to the embattled federal IT manager. Remove these restrictions and product selection is driven by best fit rather than by an oligopoly of legacy vendors with the resources to certify obsolete technologies. The one exception is cryptographic standards, where validation should stay.

Accept that the CIA triad of confidentiality, integrity and availability (spoiler: not a black ops faction) is an equilateral triangle, not an isosceles one. The availability of systems has been given far more focus than its twin sisters, integrity and confidentiality, which has led to the expectation that systems must stay up at any cost. I blame the Information Technology Infrastructure Library (ITIL). Its change-control processes have made it difficult to implement the changes that would maintain the integrity and confidentiality of computer systems. By better balancing the demands of the triad, critical security patches can be applied immediately, rather than waiting for the next change-board approved scheduled outage.

So we've abandoned mandatory certification and ITIL. How do we ensure the systems deployed are fit for purpose? By renewing and re-engaging the tiger team mentality: active self-offense is the best form of defense. However, a single, one-off penetration test is of no use to anyone. The goal of penetration testing as a means of reducing the attack surface must shift from "find and report" to "find and fix," which means giving agencies the freedom to act when they find, or are notified, that something is broken. If a system cannot be fixed immediately, then authorizing its shutdown should not cost anyone their job.

Change on this scale will not happen overnight, but it is possible and necessary. The public employees who use these systems may well feel the impact in the short term, but never as much as they might suffer from the OPM security breach.

Ultimately, the recipe for preventing or blunting a network attack on federal IT is the same as for any other IT arena: hire good people, pay them well, give them the tools they need, and then get the hell out of their way.


This was last published in August 2015
