It’s hardly a surprise that the U.S. Office of Personnel Management (OPM) was targeted by nation-state hackers, given the sensitivity of the personal information the office stored.
It’s also no shocker that OPM has been successfully infiltrated more than once given the state of its information security programs, according to the findings of OPM’s November 2014 FISMA audit.
While the office did get some positive reviews from the Office of the Inspector General for improving some governance shortcomings, OPM was still a laggard in a number of critical areas.
No details on the intrusion that led to the latest OPM hack have been released, so it’s difficult to determine just which of the dozen or so weaknesses pointed out by the OIG was exploited, allegedly by hackers tied to China. What is known is that security clearance data going back four decades is likely in the wind, as is personally identifiable information—including Social Security numbers—belonging to four million government workers.
Also, on Friday, researchers at security company iSight Partners connected the OPM hack to previous break-ins at insurance giants Anthem and Premera Blue Cross. The attackers, iSight said, are targeting a wide range of personnel information and are likely building a database of federal employees and possibly covert operators, which would be useful in corporate and foreign intelligence espionage.
Veracode vice president of security research Chris Eng on Saturday wrote a blog post explaining what types of information are collected in a clearance application or background check. Eng said his own check was conducted pre-Sept. 11 and was likely not as stringent as today’s process would be. Nonetheless, the data is personal and extensive.
“The nature of the questions themselves – digging into every aspect of your social and financial life – have to do with identifying information that might make you susceptible to blackmail or coercion,” Eng wrote. “Now imagine Chinese or Russian intelligence have ALL of that information and they can start using it to identify targets for recruitment. The OPM hack, presuming it does include background investigation as reported by Reuters, is a huge blow to national security.”
The results of the FISMA audit come down hard on OPM in a number of areas. For example, OIG reported that OPM did not have a proper handle on its asset inventory, in particular of servers and databases. Also, 11 of its systems are operating without a valid authorization certifying that their controls meet the security requirements for the system in question. OPM has come up short in this area since 2010.
“The drastic increase in the number of systems operating without a valid Authorization is alarming, and represents a systemic issue of inadequate planning by OPM program offices to authorize the information systems they own,” the report says.
Configuration management policies were not enforced on OPM operating platforms, the report said, and those platforms are not scanned for compliance with configuration baselines. OPM, the report said, also does not have a mature vulnerability scanning program, nor are all systems monitored by its enterprise network security operations center.
Other shortcomings include a lack of two-factor authentication and the expiry of a number of contracts between OPM and its security contractors.
A March 2014 hack targeted clearance data as well. Information in those files includes personal and financial data on individuals and their families. China was blamed for that break-in as well. OPM said it invested in ramping up its detection capabilities, yet admitted it lagged five months in discovering the most recent break-in, which it believes started in December but was only discovered in April.
According to a report in the New York Times, the hack happened before all of OPM’s new detection capabilities were fully in place; in fact, an OPM spokesperson told the Times that it was DHS’s longstanding Einstein signature-based detection system that alerted OPM to the breach.