As is the case with many government screw-ups, the Office of Personnel Management (OPM) hack reported last week has now been revealed to be much more worse than originally thought. Instead of four million civilian federal employees having their PII exposed, investigators now believe as many as 14 million prospective, current and former employees have been exposed. In addition to the usual PII (name, address, Social Security #, DOB, etc) the information also included background investigations which are known to include things like arrest records, financial history, medical problems, as well as information about colleagues, friends, neighbors and relatives.
What this means for you:
Given the large number of current and former government workers, it’s highly probable you or someone you know falls into the 14 million compromised in this attack. There are things you or they should be doing, not the least of which are the following:
- Set up credit monitoring for you and your family – take advantage of the free services offered, or set up something independently.
- Freeze your credit file – Krebs on Security has an excellent explanation of how to accomplish this.
- Review the Federal Trade Commission’s recommended actions.
- Watch your important online accounts like a hawk and investigate any suspicious activity immediately.
Last week, over 4 million people had their PII (Personal Identifying Information) exposed. Suggestive humor aside, this is still scandalous as this breach came by way of the Office of Personnel Management (OPM – the government’s HR department), an agency supposedly being protected under the watchful eye of the Department of Homeland Security’s (DHS) $4.5B National Cybersecurity and Protection System (NCPS), aka “Eienstein”. I’m sure that the real Einstein would be horrified to know that his good name was being sullied by a multi-billion dollar boondoggle. Adding insult to injury, the PII exposed wasn’t your “run of the mill” variety either – OPM databases housed information on security clearance investigations which also contains information on family, neighbors and close associates of any government employee who went through that process – meaning a lot more than “just” 4 million people were affected. Not quite disturbed enough yet? The OPM data infrastructure was housed in a “shared data center” which provided services to many more government agencies, all of whom could have been breached as well. US government officials have made noises that the Chinese are to blame, and of course, China called those allegations “irresponsible” and “baseless”.
What this means for you:
What this event demonstrates is that stupid amounts of money can’t buy security if you are always playing catch-up. DHS’s Einstein is only able of detecting attacks that have been seen before – it’s basically a monstrously expensive filter that looks for “signatures” that are based on – that’s right – previous attacks. Once the hack gets past the gate and they are able to “own” the system by using legitimate credentials (either stolen or created through their initial hack), the attackers can transact business through normal protocols and transactions, making detection extremely difficult. It’s the equivalent of looking for a needle on a conveyor belt full of hay – and you don’t know even know what the needle looks like, other than “not hay”. It seems that we will need a real Einstein to develop a system that can detect attacks that have never been seen before.
I can hear you say, “If the government can’t secure themselves with $4.5B, how am I supposed to do it with my modest means?” Well, if a nation-state is targeting your organization, probably no amount of money you could reasonably spend is going to protect you. Fortunately, nation-states and advanced persistent threat (APT) groups usually have bigger fish to fry. The “garden-variety” malware you and your employees will encounter can be stopped by a combination of up-to-date antimalware software, a good firewall, and training. In the case of our government, technology advances are hampered by an alphabet-soup of bureaucracy and glacial culture adoption, something attackers count on. Don’t let red tape slow down your organization on this issue – security should be at the top of your list and a budget priority, no matter your industry or size.