Last year more than 20 million government employees, contractors and their families were hacked. The Office of Personnel Management is now trying to fix some of its cybersecurity gaps during a six-week cyber sprint led by Federal Chief Information Officer Tony Scott.
In this month’s DorobekINSIDER Live, “Cybersecurity: Lessons From the OPM Hack,” Chris Dorobek decided to take a deeper look at the attack and the government’s response. He spoke with three cyber experts about the OPM hack. During the discussion, our experts uncovered lessons from an extreme data breach, and tips to prevent any such attack from happening again.
The speakers were:
- Jeffrey Carr, Author of Inside Cyber Warfare: Mapping the Cyber Underworld
- Stewart Draper, Director of Insider Threat, Securonix
- Allen Zeman, PhD, Founder of TMGov and President of CHCI
The Magnitude of the Data Breach
Roughly 20 million accounts of former and current government employees were taken, which includes a vast amount of personal history. Both Zeman and Carr had their data compromised in the breach. Carr was a former member of the U.S. Coast Guard and Zeman had worked for the federal government in various ways.
Both speakers had a history of filling out the SF-86, a mandatory form needed to obtain a security clearance. Carr reminds us that it’s “not just a name and social security number” that is required on these forms; important information concerning family members’ addresses, careers, and more is also included. Draper emphasizes the impact and strain this can have on families because they are also listed on the SF-86 forms. He believes that a breach of this kind will affect “generations of people” because the information that was obtained cannot simply be changed or altered.
A lot of us find the reaction time of OPM to be rather upsetting. However, Draper explains that the reaction time here is “really not that much of a surprise. Detection can be difficult with more viruses that come up on a daily basis and with tens of thousands of attempts on a weekly basis - there are different avenues of central detection and they can vary so much.”
Carr expanded on the idea of a daily battlefield in the cyber realm by highlighting that “it is much more likely that they are perpetually in a state of breach.” He provides the following statistic: the estimated time from when the attacker gets access to when the attack is discovered averages out to about a year.
Although there was some debate among the speakers on whether the OPM hack was a classic case of not having enough funding to prevent such an attack, there was a consensus that the hack showed signs of systematic incompetence, organizational failure, and mismanagement of the organization as a whole.
So what should we learn from the biggest and most devastating cyber attack known to the modern world? First off, Carr reminds us that it is important to remember, “nobody can keep bad guys out of their network. You can make it difficult, but if an attacker is determined, it will happen.” However, he put the cyber threat in human terms by drawing a comparison between human anatomy and Internet networks. “Our bodies walk around with germs and viruses that are dormant in our system, [but they are being] defended by our white and red blood cells on a daily basis. We are not clean organisms and neither are networks. The goal is not to keep bad guys out. The goal is to protect your vital interest in a way that it doesn’t matter if there are bad guys in your network.” And there are ways to help minimize, if not prevent, such attacks from occurring. Which brings us to basic cyber hygiene.
Draper stresses the importance of basic cyber hygiene. “The fundamentals of good information security cannot be overlooked: educational awareness for employees.” Basic cyber hygiene is best understood as good information security, and one way to go about it is simple educational awareness. Training and educating your employees on how to detect things such as spear phishing is a small step towards protecting your data. But rest assured that this small step could lead to big results!
The bottom line here is that cybersecurity is no easy task to comprehend, let alone defend. Draper explained these hackers are “constantly probing - constantly trying to get in.” However, every agency and company out there can supply its employees with the necessary cyber hygiene training to combat any potential cyber adversary. Additionally, remember that organizational management plays a significant role in ensuring that there is a good flow of communication within the company. Good organizational management is a must in combatting the cyber war that is a constant in today’s world.