Daisie Register, August 20, 2015, 3 min read

Government Agencies Under Fire: Prepare for Cyber Security Risks

Cyber attackers continue to target federal agencies, the most recent being the Office of Personnel Management (OPM). In light of the latest news, we reached out to our partners for thoughts on the latest incidents. In this post, we interviewed Cris Thomas, Tenable Network Security Strategist, and author of “Lesson to Learn from OPM Breach.” Here is what Thomas had to say:

TechSource Editors:  Government agencies have been under fire for a long time and have been faced with one cyber attack after another. In fact, according to a recent report presented to Congress by the Government Accountability Office (GAO), cyber attacks have increased by over one thousand percent in the last nine years. OPM was the latest example of this. What lessons can be learned from the OPM breach?

Cris Thomas: OPM was in the process of trying to fix decades of security mismanagement when they discovered the breach. One of the things they immediately implemented was two-factor authentication. This is a strong technology that all organizations should seriously consider using for privileged accounts at the very least, if not all accounts. One of the things that allowed the OPM attackers such wide-ranging access was the flat nature of the network; in other words, once they compromised one system they pretty much had access to everything. You can help prevent this sort of access by properly segmenting your network and compartmentalizing your data. Another problem at OPM was the wide-ranging administrator-level access. Admin or root-level accounts should be used sparingly. Access should only be given to those who absolutely need it, and only then just enough access for those people to do their jobs. These are basic, fundamental steps any organization could and should take. While these steps may not prevent an extensive attack like OPM, they would definitely make it much more difficult for the attackers.

TechSource Editors: When it comes to a data breach, it’s not a matter of “if,” but “when.” What best practices should be put into place to prepare agencies for when the next attack occurs?

Cris Thomas: Administrators need to realize they will indeed be breached, whether it is by some yet unknown 0-day, a recently announced vulnerability or something that has been around for months or even years. They will be breached. The defense to such incidents of course is proper planning. Administrators should design networks with the assumption that a breach will occur so as to minimize the impact of the breach. Administrators should try to make it difficult for an attacker to jump from one system to another. They can do this by designing a secure network from the start, deploying technologies such as IDS, IPS, AV, application whitelisting and other technologies to alert them when bad guys are messing around. They can make sure their patches are up to date and their users are generating strong passwords, and disable default and outdated accounts. By practicing these fundamental, basic elements of security, administrators won’t have to worry about each and every 0-day that gets announced, because they can rest easy knowing that when they do get attacked they will find out about it quickly and be able to minimize its impact.

TechSource Editors: In this video, there are five steps presented as part of continuous network monitoring. Which step do you feel is the most vital? Or which step do you feel is the most overlooked?

Cris Thomas: Conducting a proper inventory is both most important and most overlooked. You can’t protect what you don’t know you have, and the only way to know what you have is to inventory it. The days of walking around to each office and writing down serial numbers of desktop computers and making a list of the software installed on them are over. Today you need to know what is running on your network right now, not what the IT department purchased last quarter. With mobile, virtual machines and cloud apps all joining and leaving your network at will, you need a solution that can automatically detect devices and applications as they get used on your network. You need to be alerted when someone starts using a virtual machine that hasn’t been patched or starts accessing a cloud application with critical company data in the clear. Many security professionals feel an inventory is a function of the IT department and not of Security, but you can’t protect what you don’t know about.
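As an added illustration of the automatic inventory Thomas describes (this is example code written for this page, not code from the original post or from Tenable), the following Python builds a live asset list from a constructed stream of DHCP, hypervisor and web-proxy events and raises the three kinds of alerts he mentions: a device nobody registered, a virtual machine that has not been patched recently, and a host pushing a large amount of data to a cloud application over cleartext HTTP. The event format, the known-MAC list, the 30-day patch threshold and the 1 MB cleartext-upload threshold are all assumptions chosen for the example.

```python
"""Passive asset inventory from network events (constructed example)."""
from dataclasses import dataclass, field
from datetime import date

# Constructed sample event stream. A DHCP server, a hypervisor and a web
# proxy might emit records like these; the fields are simplified here.
SAMPLE_EVENTS = [
    {"type": "dhcp", "mac": "00:11:22:33:44:01", "ip": "10.0.1.10", "host": "hr-laptop-01"},
    {"type": "dhcp", "mac": "00:11:22:33:44:02", "ip": "10.0.1.11", "host": "unknown-phone"},
    {"type": "vm", "name": "payroll-test", "ip": "10.0.2.50", "last_patched": "2015-01-15"},
    {"type": "proxy", "src_ip": "10.0.1.10",
     "url": "http://files.example-cloud.invalid/upload", "bytes_out": 5_000_000},
    {"type": "proxy", "src_ip": "10.0.1.10",
     "url": "https://mail.example.invalid/", "bytes_out": 2_000},
]

# Assumed policy values: devices the IT department has registered, how old a
# VM's last patch may be, and how much cleartext upload is worth an alert.
KNOWN_MACS = {"00:11:22:33:44:01"}
PATCH_MAX_AGE_DAYS = 30
CLEARTEXT_UPLOAD_THRESHOLD = 1_000_000


@dataclass
class Inventory:
    """What is on the network right now, plus anything worth a human's attention."""
    devices: dict = field(default_factory=dict)   # ip -> descriptor
    alerts: list = field(default_factory=list)


def process_events(events, known_macs=KNOWN_MACS, today=date(2015, 8, 20)):
    """Fold a stream of events into an Inventory, alerting on the way."""
    inv = Inventory()
    for ev in events:
        if ev["type"] == "dhcp":
            # Every lease is an asset whether or not IT knows about it.
            inv.devices[ev["ip"]] = {"kind": "host", "mac": ev["mac"], "name": ev["host"]}
            if ev["mac"] not in known_macs:
                inv.alerts.append(
                    f"unknown device {ev['host']} ({ev['mac']}) obtained {ev['ip']}")
        elif ev["type"] == "vm":
            inv.devices[ev["ip"]] = {"kind": "vm", "name": ev["name"]}
            age = (today - date.fromisoformat(ev["last_patched"])).days
            if age > PATCH_MAX_AGE_DAYS:
                inv.alerts.append(f"vm {ev['name']} last patched {age} days ago")
        elif ev["type"] == "proxy":
            # Large uploads over plain HTTP mean company data left in the clear.
            if ev["url"].startswith("http://") and ev["bytes_out"] >= CLEARTEXT_UPLOAD_THRESHOLD:
                who = inv.devices.get(ev["src_ip"], {}).get("name", ev["src_ip"])
                inv.alerts.append(
                    f"{who} sent {ev['bytes_out']} bytes in the clear to {ev['url']}")
    return inv


if __name__ == "__main__":
    result = process_events(SAMPLE_EVENTS)
    for ip, desc in sorted(result.devices.items()):
        print(f"{ip:<12} {desc['kind']:<5} {desc['name']}")
    for alert in result.alerts:
        print("ALERT:", alert)
```

Feeding real DHCP, hypervisor and proxy logs into `process_events` in place of the constructed list gives the "what is running right now" view the answer calls for; the point of the design is that the inventory is a by-product of watching the network, not a list someone maintains by hand.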
