“We are very concerned that the agency’s systems will not be protected against another attack.” So concludes the latest audit of the Office of Personnel Management by the U.S. Office of Personnel Management, Office of the Inspector General, Office of Audits.
There is little good news for OPM in this report. They appear to be trying to repair the holes in their network by modernizing it and purchasing some new software, but this modernization project is expected to take at least 5 years. Unfortunately, such prevention plans seem to be based on modes of attack that are currently making the rounds. In 5 years, there will likely be modes of attack that no one can even conceive of now.
The biggest problem seems to be OPM’s dependence on software to solve its problems. As the report points out, “OPM’s production environment contains severely out-of-date and unsupported software and operating platforms. This means that the vendor no longer provides patches, security fixes, or updates for the software.” Once a vendor stops shipping fixes, every vulnerability discovered in that software stays exploitable for as long as it remains in production; you really can’t expose your network to exploits more than this.
In OPM’s defense, they must have one of the most complex networks on earth to manage. They are not only connected to other government departments and contractors, but they probably allow millions to access their data through endpoints such as smartphones, tablets, and personal computers. If you want sleepless nights, you could do no better than to join the OPM security team.
In fact, the major breach discovered last April that exposed millions of records was launched through a contractor, KeyPoint Government Solutions. The attackers stole their credentials and used them to penetrate the OPM network. How this attack actually occurred has never been divulged. However, you’d probably get good odds on it being some sort of spearphishing exploit.
The audit report paints a picture of an agency completely baffled by its own security infrastructure. Here are a few key quotes from the report.
“We determined that only 20 out of 29 systems operated by OPM were subject to adequate security control continuous monitoring activity in FY 2015, and only 10 of the 17 systems operated by a contractor were subject to an adequate annual security control testing exercise.”
“It is irresponsible to allow information systems to operate indefinitely without subjecting them to a thorough security controls assessment, as OPM is doing.”
“Failure to maintain an accurate IT inventory undermines all attempts at securing OPM’s information systems.”
“We have concerns that OPM is not remediating known vulnerabilities in a timely manner.”
“OPM’s lack of comprehensive inventory makes it impossible for us or the OCIO to determine how many servers are not receiving timely patches.”
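The inventory quote above is the crux of the patching finding: without a complete asset list, a patch report cannot say which servers it is silent about. The following is an added illustration (not code from the audit or from OPM) of reconciling an asset inventory against patch-scan results so that unsupported platforms, overdue hosts, hosts with no scan data, and hosts the inventory never knew about each surface separately. All host names, platform names, dates and the 30-day remediation window are constructed assumptions.

```python
from datetime import date, timedelta

# Assumed remediation window: a host is "overdue" if its last successful patch run is older than this.
MAX_PATCH_AGE = timedelta(days=30)


def classify_hosts(inventory, scan_results, support_end, today):
    """Reconcile the asset inventory with patch-scanner data.

    inventory    : {host: platform}                 the authoritative asset list
    scan_results : {host: date of last patch run}   what the patch tooling actually saw
    support_end  : {platform: vendor support end}   platforms past this date receive no fixes
    Returns {status: [hosts]} so each category can be counted and tracked.
    """
    result = {"patched": [], "overdue": [], "unsupported": [],
              "no_scan_data": [], "not_in_inventory": []}
    for host, platform in inventory.items():
        end = support_end.get(platform)
        if end is not None and end <= today:
            # Patching cannot remediate this host: the vendor ships no fixes at all.
            result["unsupported"].append(host)
            continue
        last = scan_results.get(host)
        if last is None:
            # Known asset, but the patch tooling never reported on it.
            result["no_scan_data"].append(host)
        elif today - last > MAX_PATCH_AGE:
            result["overdue"].append(host)
        else:
            result["patched"].append(host)
    # The inventory gap itself: hosts the scanner saw that the asset list does not contain.
    for host in scan_results:
        if host not in inventory:
            result["not_in_inventory"].append(host)
    return result


# Constructed sample data (placeholders, not taken from the audit report).
SAMPLE_TODAY = date(2016, 1, 15)
SAMPLE_INVENTORY = {"srv-01": "Platform-A", "srv-02": "Platform-B",
                    "srv-03": "Platform-A", "srv-04": "Platform-C"}
SAMPLE_SUPPORT_END = {"Platform-C": date(2015, 7, 1)}   # Platform-C is end-of-life
SAMPLE_SCANS = {"srv-01": date(2016, 1, 10), "srv-02": date(2015, 11, 1),
                "srv-05": date(2016, 1, 12)}            # srv-05 is not in the inventory

if __name__ == "__main__":
    for status, hosts in classify_hosts(SAMPLE_INVENTORY, SAMPLE_SCANS,
                                        SAMPLE_SUPPORT_END, SAMPLE_TODAY).items():
        print(f"{status:17s} {hosts}")
```

Only the "patched" bucket is good news; every other bucket is a host whose patch state the organisation either cannot fix, cannot see, or did not know it owned.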
One key aspect of the report focuses on the use, or non-use, of PIV (Personal Identity Verification) by the agency. Government employees who want to use the network must have a smartcard which contains specific verifying information. Although 97% of the laptops OPM bought for their agencies require such two-factor authentication, it was found that “throughout FY 2015 there were no controls enforced that require two-factor authentication to connect other devices to the network. In addition, none of OPM’s 46 major applications enforced PIV authentication.” If this means that devices such as smartphones, which have no smartcard reader, are allowed onto the government network without any equivalent second factor, then the system is wide open to attack.
The endpoint weakness appears to be real. The report emphasizes that “over the past several years, the agency has procured a variety of tools to help automate efforts to secure the OPM network. However, our audit determined that all of these tools are not being utilized to their fullest capacity, as the agency was having difficulty implementing and enforcing the new controls on all endpoints of the decentralized network.” The agency may want to consider a simpler and more all-encompassing hardware solution that works with all current operating systems, rather than continuously implementing, upgrading, and patching numerous software applications that do little more than expose the network to attackers through their own vulnerabilities.
There are other problems as well. The report alleges that “OPM cannot effectively track the performance of Cloud Service Providers.” They point out that “only 65 percent of employees identified as having significant security responsibilities have completed special IT training.” And, moreover, they complain that OPM only implemented 13 of the 29 recommendations they made in their last audit (2014); a situation they see as worsening in the year to come.
In short, anyone reading this report would not be surprised to see OPM breached again. The only thing that may stop such a breach is that the attackers may have gotten everything they needed the first time around. However, OPM could still be used as a platform from which to attack other government agencies. The future for attackers is unlimited.