Last week, over 4 million people had their PII (Personal Identifying Information) exposed. Suggestive humor aside, this is still scandalous as this breach came by way of the Office of Personnel Management (OPM – the government’s HR department), an agency supposedly being protected under the watchful eye of the Department of Homeland Security’s (DHS) $4.5B National Cybersecurity and Protection System (NCPS), aka “Einstein”. I’m sure that the real Einstein would be horrified to know that his good name was being sullied by a multi-billion dollar boondoggle. Adding insult to injury, the PII exposed wasn’t your “run of the mill” variety either – OPM databases housed information on security clearance investigations, which also contain information on the family, neighbors and close associates of any government employee who went through that process – meaning a lot more than “just” 4 million people were affected. Not quite disturbed enough yet? The OPM data infrastructure was housed in a “shared data center” which provided services to many more government agencies, all of which could have been breached as well. US government officials have made noises that the Chinese are to blame, and of course, China called those allegations “irresponsible” and “baseless”.
What this means for you:
What this event demonstrates is that stupid amounts of money can’t buy security if you are always playing catch-up. DHS’s Einstein is only able to detect attacks that have been seen before – it’s basically a monstrously expensive filter that looks for “signatures” that are based on – that’s right – previous attacks. Once the attackers get past the gate and are able to “own” the system by using legitimate credentials (either stolen or created through their initial hack), they can transact business through normal protocols and transactions, making detection extremely difficult. It’s the equivalent of looking for a needle on a conveyor belt full of hay – and you don’t even know what the needle looks like, other than “not hay”. It seems that we will need a real Einstein to develop a system that can detect attacks that have never been seen before.
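To make the “signature versus never-seen-before” point concrete, here is an added example that is not part of the original post and has nothing to do with Einstein’s actual internals. It runs two toy detectors over a constructed audit log: a signature engine that only matches patterns from previously seen attacks, and a per-user baseline engine that flags activity departing from each account’s established norm (new source address, new action, volume spike, off-hours use). The log format, user names, the “BadBot/1.0” agent string, and the thresholds are all assumptions made for illustration.

```python
"""Added example (not from the original post): signature matching versus
per-user baseline detection over a constructed audit log. Log format,
account names, the "BadBot/1.0" pattern and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit log (not real OPM data). One event per line:
#   <ISO timestamp> <user or "-"> <src_ip> <action> <count> "<detail>"
SAMPLE_LOG = """\
2015-06-01T09:12:00 jdoe 10.1.1.20 query_records 12 "case lookup"
2015-06-01T09:30:00 jdoe 10.1.1.20 query_records 8 "case lookup"
2015-06-01T10:05:00 asmith 10.1.1.31 query_records 15 "case lookup"
2015-06-01T13:40:00 - 198.51.100.9 http_request 1 "UA=BadBot/1.0 (constructed known-bad agent)"
2015-06-01T14:00:00 jdoe 10.1.1.20 query_records 10 "case lookup"
2015-06-02T02:10:00 jdoe 203.0.113.7 query_records 45000 "case lookup"
2015-06-02T02:12:00 jdoe 203.0.113.7 export_bulk 45000 "archive export"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<action>\S+) '
    r'(?P<count>\d+) "(?P<detail>[^"]*)"$'
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["count"] = int(ev["count"])
        events.append(ev)
    return events


# "Signatures" are patterns harvested from attacks already seen; both are
# constructed placeholders here, not real indicators.
SIGNATURES = [re.compile(r"BadBot/1\.0"), re.compile(r"known_bad_tool\.exe")]


def signature_alerts(events):
    """Return indices of events whose detail matches a known-bad pattern.
    Credentialed activity carrying no known pattern is invisible here."""
    return [i for i, ev in enumerate(events)
            if any(sig.search(ev["detail"]) for sig in SIGNATURES)]


def baseline_alerts(events, train_days=1, ratio=5.0, work_hours=(7, 19)):
    """Learn each user's normal source IPs, actions and peak volume from
    the first `train_days` calendar days, then flag later events that
    depart from that profile. Returns (index, [reasons]) pairs."""
    if not events:
        return []
    start_day = min(ev["ts"] for ev in events).date()
    profile = defaultdict(lambda: {"ips": set(), "actions": set(), "max_count": 0})
    alerts = []
    for i, ev in enumerate(events):
        if ev["user"] == "-":
            continue  # unauthenticated traffic is left to the signature engine
        p = profile[ev["user"]]
        if (ev["ts"].date() - start_day).days < train_days:
            p["ips"].add(ev["ip"])
            p["actions"].add(ev["action"])
            p["max_count"] = max(p["max_count"], ev["count"])
            continue
        reasons = []
        if ev["ip"] not in p["ips"]:
            reasons.append("new source ip")
        if ev["action"] not in p["actions"]:
            reasons.append("new action")
        if ev["count"] > ratio * p["max_count"]:
            reasons.append("volume spike")
        if not (work_hours[0] <= ev["ts"].hour < work_hours[1]):
            reasons.append("off-hours")
        if reasons:
            alerts.append((i, reasons))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("signature hits:", signature_alerts(evs))        # only the BadBot probe
    for idx, why in baseline_alerts(evs):                   # the credentialed bulk pull
        print(f"baseline alert on event {idx} ({evs[idx]['user']}): {', '.join(why)}")
```

The signature engine catches the one line that looks like a previously seen probe and nothing else; the credentialed 2 a.m. bulk export from a new address, which is where the real damage happens, is plain `query_records` and `export_bulk` traffic to it. The baseline engine flags exactly those two events, which is the "not hay" problem in miniature: you detect it by knowing what normal looks like, not by knowing what the attack looks like. A production version would train on far more history, weight the reasons, and handle legitimate changes such as a new office network without a flood of false positives.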
I can hear you say, “If the government can’t secure themselves with $4.5B, how am I supposed to do it with my modest means?” Well, if a nation-state is targeting your organization, probably no amount of money you could reasonably spend is going to protect you. Fortunately, nation-states and advanced persistent threat (APT) groups usually have bigger fish to fry. The “garden-variety” malware you and your employees will encounter can be stopped by a combination of up-to-date antimalware software, a good firewall, and training. In the case of our government, technology advances are hampered by an alphabet-soup of bureaucracy and glacial culture adoption, something attackers count on. Don’t let red tape slow down your organization on this issue – security should be at the top of your list and a budget priority, no matter your industry or size.