Amid worsening OPM hack, new questions about accountability
The Office of Personnel Management — the recent victim of a massive data breach that may have compromised the personal information of as many as 14 million federal workers and retirees — reported major security gaps to the Department of Homeland Security as part of the annual audit required by the Federal Information Security Management Act.
Those security gaps not only went unnoticed as hackers were infiltrating the OPM network for more than a year but also affect more than a dozen other federal agencies.
OPM’s last FISMA report shows that the agency had no remote access connections configured for malware scanning or for forcing users to re-authenticate after a session timed out. The agency reported the deficiencies to DHS via CyberScope from Oct. 1, 2012, to Sept. 30, 2014.
“It shows how ripe they were for this,” said a former federal information security official, who spoke to FedScoop on condition of anonymity. “This is going to ripple through government. Basically, there should be some resignations on this, if not firing. Someone should have jumped up and down. The data was there to show OPM was high risk. It was easy to get in because of the poor authentication mechanism,” the former official said.
“Agencies which have the weakest authentication profile allow the majority of unprivileged users to log on with user ID and password alone, which makes unauthorized network access more likely as passwords are much easier to steal through either malicious software or social engineering,” the 2014 FISMA report states. “The following 16 agencies fall into this category: State, Labor, HUD, OPM, NRC, SBA, NSF, USAID, USDA, Energy, DOT, Interior, VA, Justice, Treasury, and NASA.”
FedScoop was among the first news outlets to report new concerns raised Thursday by the American Federation of Government Employees that the initial estimate of 4 million victims may be much higher. In a letter to OPM, the AFGE said it believes the breach may have compromised personal information belonging to every current and retired federal employee, putting the number of potential victims near 14 million.
The White House responded late Friday to the worsening security situation with a summary of its so-called “30 day cybersecurity sprint.” According to the fact sheet released by the White House, agencies must:
- Immediately deploy indicators provided by the Department of Homeland Security (DHS) regarding priority threat-actor Techniques, Tactics, and Procedures to scan systems and check logs. Agencies shall inform DHS immediately if indicators return evidence of malicious cyber activity.
- Patch critical vulnerabilities without delay. The vast majority of cyber intrusions exploit well known vulnerabilities that are easy to identify and correct. Agencies must take immediate action on the DHS Vulnerability Scan Reports they receive each week and report to OMB and DHS on progress and challenges within 30 days.
- Tighten policies and practices for privileged users. To the greatest extent possible, agencies should: minimize the number of privileged users; limit functions that can be performed when using privileged accounts; limit the duration that privileged users can be logged in; limit the privileged functions that can be performed using remote access; and ensure that privileged user activities are logged and that such logs are reviewed regularly. Agencies must report to OMB and DHS on progress and challenges within 30 days.
- Dramatically accelerate implementation of multi-factor authentication, especially for privileged users. Intruders can easily steal or guess usernames/passwords and use them to gain access to Federal networks, systems, and data. Requiring the utilization of a Personal Identity Verification (PIV) card or alternative form of multi-factor authentication can significantly reduce the risk of adversaries penetrating Federal networks and systems. Agencies must report to OMB and DHS on progress and challenges within 30 days.
This is a developing story and FedScoop will provide more coverage as events dictate.