Several things stand out in this good technical recap of the OPM breach at Ars. It is disheartening (if not surprising) to IT sec professionals to read things like:
“just 75 percent of OPM’s systems had valid authorizations to operate under Federal Information Security Management Act (FISMA) regulations”
“OPM does not maintain a comprehensive inventory of servers, databases, and network devices. In addition, we are unable to independently attest that OPM has a mature vulnerability scanning program”
“a malware package—likely delivered via an e-mail “phishing” attack against OPM or Interior employees—managed to install itself within the OPM’s IT systems and establish a back-door for further attacks”
“agencies didn’t even know how many Internet gateways they had, let alone what was going out over their ISP connections”
Which, to summarize, means that IN THIS DAY AND AGE users with elevated rights still want to and get to click on phishing messages, rather than access legitimate OPM systems (i.e. do their job) which, themselves, are only 75% compliant. (And, remember, “compliant” and “secure” are two very different things.) But how do you expect to secure a network that isn’t even inventoried? Or monitor ingress points if you can’t tell how many Internet connections you have?
So far, appallingly bad and not even a silver lining in sight. That isn’t the part about which I cannot decide whether there is good to come from this.
However, in this follow-on piece, it appears that this breach was uncovered not by the vaunted Einstein (no irony here) Fed-built IDS/IPS system but through a vendor demo. So, bad news that OPM would allow a vendor off the street to scan their production network during a demo, but good news that at least they were looking at alternatives, which did find the breach. The silver lining there is that getting outside vendors to take a fresh look may help uncover those breaches more quickly.