Congress earlier this month lowered the hammer on the U.S. Office of Personnel Management in a report on the massive data breach that resulted in the theft of 4.2 million former and current government employees’ personnel files, as well as 21.5 million individuals’ security clearance information, including fingerprints associated with 5.6 million of them.
“The lax state of OPM’s information security left the agency’s information systems exposed for any experienced hacker to infiltrate and compromise,” notes the House Committee on Oversight and Government Reform’s report.
“The agency’s senior leadership failed to fully comprehend the extent of the compromise, allowing the hackers to remove manuals and other sensitive materials that essentially provided a road map to the OPM IT environment and key users for potential compromise,” it states.
Among the report’s suggested remedies to prevent future data breaches are a recommendation that the federal bureaucracy move to a “zero trust” model of security.
Trust No One
The OPM data breaches show the challenges of using perimeter defenses to protect high-value data, according to the report.
“In both cases the attackers compromised user credentials to gain initial network access, utilized tactics to elevate privileges, and once inside the perimeter, were able to move throughout OPM’s network, and ultimately accessed the ‘crown jewel’ data held by OPM,” it notes.
The Zero Trust model would be an effective way to protect government networks, the report suggests.
“The zero trust model centers on the concept that uses inside a network are no more trustworthy than users outside the network. The zero trust model requires strictly enforced user controls to ensure limited access for all users and assumes that all traffic traveling over an organization’s network is threat traffic until authorized by the IT team,” it explains.
Night Club Model
The zero trust model emerged as it became increasingly apparent to security pros that trying to protect information assets with only perimeter defenses — like firewalls — was becoming less and less effective.
“Many traditional approaches to network security resemble a night club,” observed Alfred Chung, senior product manager at Guidance Software.
“There may be heavy security at the door and big scary guys checking the list, but once someone gains entry — authorized or not — they have almost unfettered access to what’s inside,” he told TechNewsWorld.
Hackers love perimeter-only defenses, said Cryptzone Chief Security Officer Leo Taddeo, a former FBI special agent.
When he was head of the cyberdivision for the FBI in New York City, “nearly every intrusion case we investigated began with a malicious actor obtaining a foothold inside the perimeter,” Taddeo told TechNewsWorld.
‘Technical Fundamentalism’
Although zero trust is designed to address the deficiencies in a perimeter-only strategy, it has its deficiencies.
“A zero trust model of security is a form of technical fundamentalism, where you stretch one idea — such as security — to an extreme, and compromise every other goal to the idea,” said Vishal Gupta, CEO of Seclore.
“It is laden with high costs, inconvenience to the end users, and high IT and administrative overheads,” he told TechNewsWorld.
What’s more, it can be difficult to extend zero trust principles outside an organization.
“With third-party breaches on the rise, government contractors and subcontractors also carry a large amount of risk,” explained BitSight Technologies Vice President of Business Development Jacob Olcott, former counsel to the U.S. House Homeland Security Committee.
“The government can monitor their own employees, but they cannot necessarily apply a zero trust policy to the employees of contractors and subcontractors,” he told TechNewsWorld.
Sluggish Decision Making
For those dissatisfied with the speed of government decision-making now, zero trust could be an additional irritant.
With zero trust, all traffic is untrustworthy and requires thorough inspection, and all behavior is untrusted until validated, explained Rob Potter, vice president for the public sector at Symantec.
“This level of inspection and monitoring requires both additional capability and increased time to access and delivery,” he told TechNewsWorld.
“As a result, many organizations may see increased cost and impacts to the time it takes to access, share and update data. This in turn could have an impact on systems or processes that drive decision making in the government,” he said.
“It would be more productive to go back to pen, paper and fax machines than implementing zero trust policies, since it will kill productivity and likely bring things to a halt,” suggested Young-Sae Song, vice president of marketing at Arctic Wolf.
Zero trust is impossible to achieve, he maintained, due to the “who’s watching the watchers?” problem.
“At some point, somebody has to be trusted with the keys to the kingdom,” he told TechNewsWorld, “and there is no way to guarantee that person will not be compromised.”
Breach Diary
- Sept. 3. Variety confirms its content management system breached by OurMine, a hacker group known for exposing vulnerabilities in websites so they can be fixed.
- Sept. 5. Data breach exposed 790,724 accounts for porn site Brazzers, Motherboard reports.
- Sept. 5. Information from 7 million accounts stolen from gaming site Lifeboat in January have been posted to the Dark Web as a free download, Hackread reports.
- Sept. 6. 100 million records belonging to Rambler.ru, Russia’s Yahoo, have been leaked online, Leakedsource reports.
- Sept. 6. A hacker called “DoubleFlag” is selling online a file containing information on more than 500,000 accounts stolen from BitcoinTalk in May 2015, The Merkle reports.
- Sept. 6. Banks and financial institutions file class action lawsuit in Colorado against Noodles & Company, related to data breach that put at risk all customers who used their payments cards at the chain’s locations between Jan. 31 and June 2.
- Sept. 6. Owen Smith, who hopes to lead the UK’s Labour Party, exposes confidential information about the phone bank system for Parliament when he posts photo to Twitter with background showing his username and password for the system.
- Sept. 7. U.S. House Oversight & Government Reform Committee releases report on Office of Personnel Mangement data breach in which information, including fingerprints, was stolen.
- Sept. 7. Hitsniffer, a UK-based analytics company, has taken itself offline after a former employee steals the firm’s customer database and begins contacting those customers on behalf of another company, SC Magazine reports.
- Sept. 8. Protenus reports 8.8 million healthcare records were breached during August.
- Sept. 8. White House announces Brigadier General Gregory J. Touhill as first federal Chief Information Security Officer.
- Sept. 8. Hack against vDOS, which offers Distributed Denial of Service attacks as a service, exposed information on tens of thousands of customers and their targets, Brian Krebs reports.
- Sept. 8. Breach of Russian instant messaging service QIP.ru compromised 33.4 million accounts, Softpedia reports.
- Sept. 9. An online database associated with a website used to preview movies before they’re released by Hollywood was exposed to the public Internet without an administrative password for an undetermined amount of time, MacKeeper researcher Chris Vickery reports.
Upcoming Security Events
- Sept. 21. Industrial Cyber Security — What You Don’t Know Might Hurt You. 2 p.m. ET. Webinar by Tripwire. Free with registration.
- Sept. 21. New York Cyber Security Summit. Grand Hyatt New York, 109 E. 42nd St., New York, New York. Registration: $250.
- Sept. 22. Reclamere Conference on Emerging Healthcare Data Security Issues. 8 a.m. – 5 p.m. The Ben Franklin Institute, Innovation Park, 200 Innovation Blvd., Suite 101, University Park, Pennsylvania. Free.
- Sept. 26-28. The Newport Utility Cybersecurity Conference. Pell Center and Ochre Court, Salve Regina University, Newport, Rhode Island. Registration: before July 26, $1,200; after July 25, $1,600.
- Sept. 27. Prevent Account Takeover (without Making Customers Hate You). 10 a.m and 1 p.m. ET. Webinar by Iovation. Free with registration.
- Sept. 27-28. SecureWorld Dallas. Plano Centre, 2000 E. Spring Creek Pkwy., Plano, Texas. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
- Sept. 29-30. B-Sides Ottawa. RA Centre, 2451 Riverside Drive, Ottawa, Canada. Free with registration.
- Oct. 5-6. SecureWorld Denver. Colorado Convention Center, 700 14th St., Denver. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
- Oct. 5-7. APWG.EU eCrime Symposium 2016. Slovensk sporitelna, Tomsikova 48, 831 04 Nov Mesto, Bratislava, Slovakia. Registration: APWG members, 129 euros; student or faculty, 129 euros; law enforcement and government, 129 euros; all others, 149 euros.
- Oct. 7-8. B-Sides Delaware. Wilmington University, New Castle Campus, 320 North Dupont Highway, New Castle, Delaware. Free.
- Oct. 8. B-Sides Denver. SecureSet, 3801 Franklin St., Denver. Free, but tickets limited.
- Oct. 11. Your Credentials Are Compromised, So Now What? 1 p.m. ET. Webinar by Centrify. Free with registration.
- Oct. 11-14. OWASP AppSec USA. Renaissance Marriott, 999 9th St. NW, Washington, D.C. Registration: Non-member, $925; single day, $500; student, $80. Oct. 14-16. B-Sides Warsaw. Panstwomiasto, Andersa 29, Warsaw, Poland. Free.
- Oct. 17-19. CSX North America. The Cosmopolitan, 3708 Las Vegas Blvd. South, Las Vegas. Registration: before Aug. 11, ISACA member, $1,550; nonmember, $1,750. Before Oct. 13, member, $1,750; nonmember, $1,950. Onsite, member, $1,950; nonmember, $2,150.
- Oct. 18. IT Security and Privacy Governance in the Cloud. 1 p.m. ET. Webinar moderated by Rebecca Herold, The Privacy Profesor. Free with registration.
- Oct. 18-19. Edge2016 Security Conference. Crowne Plaza, 401 W. Summit Hill Drive, Knoxville, Tennessee. Registration: before Aug. 15, $250; after Aug. 15, $300; educators and students, $99.
- Oct. 18-19. SecureWorld St. Louis. America’s Center Convention Complex, 701 Convention Plaza, St. Louis. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
- Oct. 20. Los Angeles Cyber Security Summit. Loews Santa Monica Beach Hotel, 1700 Ocean Ave., Santa Monica, California. Registration: $250.
- Oct. 20. B-Sides Raleigh. Marbles Kid Museum, 201 E. Hargett St., Raleigh, North Carolina. Registration: $20.
- Oct. 27. SecureWorld Bay Area. San Jose Marriott, 301 S. Market St., San Jose, California. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
- Nov. 1-4. Black Hat Europe. Business Design Centre, 52 Upper Street, London, UK. Registration: before Sept. 3, Pounds 1,199 with VAT; before Oct. 29, Pounds 1,559 with VAT; after Oct. 28, Pounds 1,799 with VAT.
- Nov. 9-10. SecureWorld Seattle. Meydenbauer Center, 11100 NE 6th St., Bellevue, Washington. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
- Nov. 28-30. FireEye Cyber Defense Summit 2016. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: through Sept. 30, general admission, $495; government and academic, $295;Oct. 1- Nov. 21, $995/$595; Nov. 22-30, $1,500/$1,500.