Sunday, January 15, 2017

Preventing OPM-Like Sensitive Information Spillages

In September 2016, the Committee on Oversight and Government Reform, U.S. House of Representatives, 114th Congress finally released what we’ve all been waiting for, The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation. Wow, about time.

In a recent CSO Online article, The OPM Breach Report: A Long Time Coming, Taylor Armerding summarizes the congressional report and the national frustration with the entire fiasco. In fact, both the report and article titles pretty much sum up how America feels about the Chinese exfiltration of personal data.

If you want to know the details of the event, please read the article and report, as both are fascinating. They explain very well how this incident will impact security-cleared US citizens for generations, literally.

Readers in our career field (those of you reading this article) who are Facility Security Officers for cleared defense contractors, government employees, or other security practitioners under the National Industrial Security Program (NISP) may experience frustrations beyond those expressed in the report and article.

Frustrations expressed from other sources:

“My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses. So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.” --- James Comey, Director of the FBI

“(The SF-86) gives you any kind of information that might be a threat to (the employee’s) security clearance.” --- Jeff Neal, Former DHS official

Frustrations not nationally expressed:

The additional frustration is grounded in the fact that the Office of Personnel Management conducts security investigations, collects very personal information from interviews and reports, contracts investigators who communicate that information, and stores it. The data collected on each person, and the compilation of that information across many people, warrants a robust security policy to protect personally identifiable information (PII).

Keep in mind, OPM is one of the agencies that require industry to undertake intense security training in protecting PII, practicing cybersecurity, reporting security violations, detecting and denying insider threats, and so on. While cleared defense contractors were complying with training requirements, undergoing security reviews, demonstrating security programs to protect classified information on information systems, and meeting DFARS requirements for their computer networks, OPM was negligent in practicing what it preached.

The report lists OPM’s failures to protect the network and sensitive information, and its slow reaction to both the attack and the reporting requirements. Additionally, while contractors are required to investigate security violations, determine cause, and as necessary take disciplinary action, no one at OPM has been fired as a result.

Imagine what would happen if a defense contractor’s network was hacked and the following information was exfiltrated:

Employee information including:
· Current and past addresses
· Security violations
· Mental health counseling
· Alcohol and drug dependency
· Marital problems
· Credit history

Get the picture? The employees would sue and the oversight agencies would review and report circumstances. Chances are that the responsible parties would be terminated.

According to the report, the cyberattack issue was detectable, preventable, and actionable, but OPM failed on all three.

Lesson for FSOs and security practitioners
Become cyber-aware; become involved in cybersecurity. It’s not necessary to become an expert, just to understand. Many FSOs are great at the physical security requirements for PII, classified information, export-controlled material, and other tangible items requiring clearance and/or need-to-know enforcement. It’s not too much of a leap to relate those physical security requirements to the protection of information on networks or standalone computers.

Our profession has to become more involved in cybersecurity beyond advising “don’t open attachments”, “only conduct company business on the computer”, and the standard slogan-heavy, bumper-sticker language. FSOs should become informed about how to respond to different threat categories and access points, and provide cutting-edge security awareness and security refresher training.

Applying the knowledgeable security focus:
Read, learn, and discuss with IT and network professionals the importance of programs to deny, deter, detect, observe, and report cyberattacks. Here are some physical security fundamentals that can be applied to immediate cybersecurity action.
Though the reader may not be an expert, they can form a team from IT and all business units to accomplish the task. This is the same exercise physical security and loss prevention practitioners use, or at least should:

Determine what needs to be protected

Identify sensitive information on the enterprise network. Every business unit has a piece of the puzzle: program managers, accounting, personnel, contracts, etc. Involve all aspects of the enterprise in the exercise.

Determine where the information exists

Is the information on an internal or external network? Which one(s)? On a standalone computer? Document all locations.

Determine who needs access to the information

Limit access to the networks, folders, or locations based on who is authorized to use the information.
Do program managers need financial information related to other contracts? Does the CFO need intimate software development details? If yes, grant access; if not, deny it.

Determine threats to the information

The obvious threats are trusted employees and external hackers. These two categories are the bare minimum for cataloging the threat. Ask: how can the internal threat access the information? How can the external hacker access the information?

So far, so good, right? Well, it becomes more technical from here, and this is where you might need an advisor, consultant, or other help.

Determine how to deny, detect, report, and monitor systems for cyberattacks.
This requires the skill to buy the right technology or hire the right employees.

Document all actions and provide a report to senior management.
Programs do not live long without senior management buy-in. Since we recommend forming a team, use the team concept to develop and maintain momentum. Provide recommendations to the key management personnel, get approval, and have them champion the program to senior leadership. Change management may be in order.
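The steps above (what to protect, where it lives, who needs it, and checking access against that) can be captured as a simple inventory that an FSO and IT can maintain together. The script below is an added illustration written for this post; it is not OPM's system or code from the report. The asset names, storage locations, roles, user accounts, and the access events it evaluates are all constructed for the example. It applies the post's rule directly: if a person's role is not listed as needing an asset, or the asset turns up somewhere it was never inventoried, the access is denied and reported.

```python
"""Sensitive-data inventory with deny-by-default access checks.

Added example for the inventory steps in the post: what to protect, where it
exists, who needs access, and flagging access that falls outside that.
Every asset, location, role and log entry below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: str             # e.g. "PII", "financial", "export-controlled"
    locations: frozenset         # step 2: where the information exists
    authorized_roles: frozenset  # step 3: who needs it; everyone else is denied


# Steps 1-3 of the post, recorded as a constructed inventory.
INVENTORY = {
    "personnel-records": Asset(
        "personnel-records", "PII",
        frozenset({"hr-share", "hris-db"}),
        frozenset({"hr", "fso"}),
    ),
    "contract-financials": Asset(
        "contract-financials", "financial",
        frozenset({"finance-share"}),
        frozenset({"finance", "cfo"}),
    ),
    "sw-design-docs": Asset(
        "sw-design-docs", "export-controlled",
        frozenset({"eng-share", "eng-laptop-standalone"}),
        frozenset({"engineering", "program-manager"}),
    ),
}

# Constructed role assignments (the "who" from the business units).
USER_ROLES = {
    "alice": {"hr"},
    "bob": {"finance"},
    "carol": {"engineering"},
    "dave": {"program-manager"},
    "erin": {"cfo"},
}


def check_access(user, asset_name, location):
    """Deny by default: allow only if the asset is inventoried, is actually
    recorded at that location, and the user holds an authorized role."""
    asset = INVENTORY.get(asset_name)
    if asset is None:
        return False, "unknown asset (not in inventory)"
    if location not in asset.locations:
        return False, f"asset not inventoried at {location}"
    roles = USER_ROLES.get(user, set())
    if roles & asset.authorized_roles:
        return True, "authorized role"
    return False, "no authorized role"


def find_violations(access_log):
    """Run the check over (user, asset, location) events; return the denials
    so they can be reported to management (the post's last step)."""
    denied = []
    for user, asset_name, location in access_log:
        ok, reason = check_access(user, asset_name, location)
        if not ok:
            denied.append((user, asset_name, location, reason))
    return denied


def locations_by_sensitivity():
    """Step 2 report: which locations hold which classes of information."""
    report = {}
    for asset in INVENTORY.values():
        for loc in asset.locations:
            report.setdefault(loc, set()).add(asset.sensitivity)
    return report


# Constructed access events: two legitimate, the rest should be flagged.
SAMPLE_LOG = [
    ("alice", "personnel-records", "hr-share"),
    ("bob", "contract-financials", "finance-share"),
    ("dave", "contract-financials", "finance-share"),  # PM reading another contract's finances
    ("erin", "sw-design-docs", "eng-share"),           # CFO reading design details
    ("carol", "personnel-records", "hris-db"),         # engineer in HR records
    ("bob", "personnel-records", "backup-tape"),       # a location nobody inventoried
    ("mallory", "sw-design-docs", "eng-share"),        # account with no assigned role
]

if __name__ == "__main__":
    for entry in find_violations(SAMPLE_LOG):
        print("DENY", entry)
    for loc, kinds in sorted(locations_by_sensitivity().items()):
        print(f"{loc}: {', '.join(sorted(kinds))}")
```

The two questions from the post (do program managers need other contracts' financials, does the CFO need software design details) are exactly the `dave` and `erin` entries: neither role is on the asset's authorized list, so both are denied. The `backup-tape` entry shows why step 2 matters: data found somewhere the inventory does not list is a finding in itself, not just an access question.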

Hopefully, this article provides thought-provoking and imagination-stoking ideas to help develop a security system that includes cyber considerations. The report referenced above demonstrates and quantifies an active adversary with a demonstrated history of attacking high-level government agencies, as well as the poor actions of those responsible for preventing access to sensitive information. None are immune, but all are responsible. Our profession exists in the defense industry. Our national security depends on doing everything we can to be aware of, train for, and respond appropriately to all threats.
