Agency Security Poor, Hack Inevitable

Tuesday, June 9, 2015 @ 05:06 PM gHale


Security at the U.S. Office of Personnel Management (OPM) was so bad they knew they had to fix it, and fast. The problem was, bad guys knew their security was poor and they were able to access personal information for around 4 million federal workers, 2.1 million of whom are apparently current employees.

A report that came out prior to news of the attack detailed security weaknesses of the OPM’s IT security program, including the fact that 11 major OPM information systems are operating without a valid authorization; the Office does not maintain a comprehensive inventory of servers, databases, and network devices; it does not routinely scan systems for vulnerabilities, and does not adequately monitor all systems.

While this is a government installation, how many manufacturing automation companies can say they have a security program that keeps them aware of any types of potential intrusions on the system?

“OPM services the Federal workforce so the affected population includes Executive Branch agencies and employees,” the OPM said.

Employees in the legislative or judicial branch were not affected by the intrusion, nor were any military records. “No contractors were affected unless they previously held Federal civilian positions. The incident affected current and former Federal civilian personnel, including Department of Defense civilian employees.”

According to Reuters, the stolen data included security clearance information and background checks dating back to 1985. An internal memo Reuters reviewed said no State Department employees were affected, as their data is not on the hacked OPM systems.

The intrusion occurred in December 2014, but first came to light in April 2015, when the OPM was in the process of “aggressively” updating its cyber security posture and adding tools and capabilities to its networks.

OPM’s security update likely came as a direct consequence of a report the inspector general issued in November 2014.

The report details the many security weaknesses of the OPM’s IT security program, including the facts that eleven major OPM information systems are operating without a valid authorization; the Office does not maintain a comprehensive inventory of servers, databases, and network devices; it does not routinely scan systems for vulnerabilities, and does not adequately monitor all systems.

The audit was conducted from April to September 2014. In July 2014, officials discovered OPM’s networks had been penetrated by attackers in March.