Information security has been top of mind for most CIOs—public or private sector—for some time, and now, in the wake of The Department of Homeland Security’s (DHS) announcement of our government’s largest security breach ever last week, the topic is getting more airtime than ever.
Initial reports indicated that over four million federal employee records were compromised in the hack of the Office of Personnel Management (OPM), but some estimate that the number of compromised identities could rise to as many as fourteen million.
The breach gave hackers access to federal employee Social Security numbers, detailed financial and employment information, and psychological profiles. Many have speculated that the highly sophisticated attack was carried out by a state-sponsored hacking organization, and most of the accusations have been aimed at China.
The methodology of the attack fits the profile for state-sponsored snooping, according to a blog post from Avatier employee and information security industry analyst Thomas Edgerton. “Government spooks collect information for intelligence purposes,” writes Edgerton. “They seek information for extortion, counterintelligence, and advanced phishing. They use it to recruit, blackmail, expose agents, and steal intellectual property.”
The fact that none of the stolen information has turned up on criminal black markets supports Edgerton’s theory.
Shockingly, it has been revealed that the OPM had been operating without any access authorization or encryption capabilities for years prior to the attack, as noted in a report from the US Inspector General last November.
So how could Identity and Access Management (IAM) have helped the OPM avoid or reduce the damage sustained in the attack? In his blog post on IAM vendor Avatier’s website, Edgerton recommends eight IAM best practices to help organizations avoid such an attack:
- Automate user provisioning, deprovisioning, and attestation.
“For starters,” Edgerton recommends that organizations automate and enforce access privileges. “For new hires, assign privileges based on roles, business rules, and workflow automation. For employees who leave, automate privilege removal upon termination.” By automating alerts and reporting to continuously monitor access, organizations can prevent unnecessary privileges from accumulating.
- Engage business owners in governance.
“Only business line managers can gauge and govern actions against actors,” says Edgerton. “Business managers know the specifics. They know who a person is, their job function, peer group, and normal behavior. A sales team spotted the OPM anomalies leading to the breach’s detection.”
- Provide privileged account controls.
Privileged accounts are prominent targets of organized crime and state-sponsored attacks, says Edgerton. “Compromised privileged accounts are generally responsible for the most damaging breaches.” Privileged users remain vulnerable to social engineering and phishing for shared passwords, and those risks must be mitigated with a robust set of controls. “Cyber risks from excessive privileges often go undetected indefinitely,” says Edgerton, which can allow intruders to expand their own abilities and privileges via those compromised privileged accounts.
- Require Frequent Password Changes.
Passwords, Edgerton says, are “vulnerable to brute force attacks and spoofing.” To mitigate this risk, organizations must require password changes on a regular basis. By requiring these regular changes for privileged accounts and shared administrator passwords, organizations can shrink the window for undetected breaches.
- Enforce strong password policy.
With passwords, complexity matters. Longer complex passwords require more time to crack, writes Edgerton. “Prevent the use of weak passwords across your network and systems. Guard against hacker dictionary assaults. Prepare for brute force attacks. The day will come.”
- Use multifactor authentication.
The Inspector General’s OPM audit recommended multifactor authentication (using SMS, a token, or a smart card as an added validation) for system access. Edgerton advises that transparent multifactor authentication for critical applications and privileged identities is critical in the modern enterprise or government organization.
- Rotate encryption keys.
A varied rotation of encryption keys is one of the best ways to thwart cyber identity theft, says Edgerton. Organizations should rotate enterprise and database encryption keys manually or on schedule, and must rotate keys as often as data requires or whenever they suspect a compromise.
- Remove abandoned and orphan accounts.
“Unmanaged accounts represent an access risk,” writes Edgerton, and they must be removed from your organization’s servers. “Abandoned accounts are targets for fraudulent access. Abandoned servers provide an internal beachhead for attacks.” To mitigate this, Edgerton suggests that organizations schedule reports to routinely identify orphaned user accounts and servers.
For more information, check out Edgerton’s full post here.
Latest posts by Jeff Edwards