Why Years of Security Neglect Caught up With the Government

Posted by Rob Williams on Tue, Aug 18, 2015 @ 12:54 PM

Last week, I touched on the hack that took place at the United States Office of Personnel Management (O.P.M).

I didn’t get the chance to dig into that story much further than simply listing the incident as an example of a high-profile cyber-attack. But it goes beyond that. This incident is a prime example of security neglect gone wrong.

According to Ars Technica, it took months for anyone at the White House to catch wind of a remote attack targeting the O.P.M. As the article described, “Inertia, a lack of internal expertise, and a decade of neglect at OPM led to the breach.” In fact, it took another OPM breach to lead the Department of Homeland Security (DHS) to investigate the more deadly remote attack.

This hack has been described as “the biggest government attack ever.”

The information that was compromised is linked to everybody who has ever worked for, has tried to work for, or currently works for the United States government. The New York Times detailed the information that was stolen, including addresses, health and financial history, and other private details (coming from background checks). Not only were the principal employees affected, but so too were their friends and family.

A look at exactly which parts of O.P.M’s security defenses were neglected shows issues all over the place. The Inspector General (IG) identified the agency’s security practices as having a “significant deficiency.” This was as recent as last November.

Here are a few of the failure points the O.P.M has experienced:

  • The agency didn’t have internal IT staff with professional IT security experience and certifications
  • Many of the O.P.M. IT programs were handled by agency contractors outside O.P.M’s direct control
  • Users accessing systems from outside the O.P.M network didn’t go through multi-factor authentication
  • O.P.M also didn’t have control over how their systems were configured

Add all of these vulnerabilities up and you’ve got the recipe for a monster-sized hack. Considering that a lot of these negligent actions, or inactions, happened over the course of years (going as far back as 2007), it was only a matter of time before this incident occurred.

The scary thing is that it didn’t even take a sophisticated attack approach or sophisticated attackers to pull this off. 

What are some of the lessons other businesses can learn from this story?

Most organizations are not as large or high profile as the federal government, but an outdated security strategy is bad no matter who you are. Relying on an external party to help manage your security is often a good choice, but make certain that they have the technology and know-how to protect your business.

At Oxford Networks, we can help your business stay current with your approach to security through our partnership with Sophos and their award-winning Next Generation Firewall. Contact us to learn more. 
