Ntrepid’s Richard Helms explains the reason why browser protection, not identity protection, is the best solution for handling the aftermath of the OPM breach.
OPM Breach – What Went Wrong?
If OPM’s management had done just about anything, they could have had better control over that breach, said Helms to ITWatchIT. The truth is, they made no attempt – nothing.
As I understand it, they did not even apply any of the patches that people were giving away for free; all they had to do was implement the patching programs. They also didn’t have two-factor authentication. Fundamentally, if you could give less than an F grade, their IT department deserves a G grade.
Repeated IG reports had told how they were failing, and those reports – which were redacted in some ways – showed how they were basically giving the Chinese a roadmap to come after them. I’m sure the Chinese were impressed with the fact that we gave them the attack plan that would be effective for getting to the OPM data. The fact that the data has not been used to date suggests that it is tightly controlled by a nation state. Also, OPM had known that they had a breach since 2012, and they didn’t tell the victims.
The congressional report is an excellent review, but the area that’s not covered is future mitigations, beyond fixing OPM’s basic IT cybersecurity posture. Also, the area of accountability needs to be fixed. I’m not sure anyone was held accountable; even though the director of OPM and some others resigned, nobody has been fired. Imagine if this were a private-sector company; there would be fines.
There is a much deeper, systemic problem in that organization that needs to be addressed. The report makes it clear that it was China that did it. The Administration made a case to the Chinese regarding the severity of the breach, and the Chinese indicated in some way that we won’t see ramifications from that breach, according to the Washington Post.
This was neither credit card information theft nor point-of-sale theft, since the data wasn’t stolen to steal money from these people. The data was stolen to understand our national security program through the people. The next logical step for the adversary in this case would be to collect additional information through the people that have been identified.
The identity protection technology that OPM has purchased, at the insistence of some government organizations, does nothing to protect government from future attacks through this same breach.
The breach was about the personal data of people working in national security programs, which will be followed up by additional attacks on those people. Those attacks will take place, more than likely, through their web browsers. This is because 90 percent of undetected malware comes through the internet browser that people use. There’s no defense against that, and the government should think about promoting a browser defense for those people who are in national security. It doesn’t necessarily have to be everybody who was subject to the breach—all 21 million-plus people—mainly the people in federal law enforcement, the border and national security community, and the defense community.
Those people should be protected, and identity protection is not going to work at all in this case. Some way to virtualize the browser, or one of the other several technologies, is probably the best way to go.
Those With Compromised Information are Targets
If you have someone at the State Department who is working on US policies in the Asia-Pacific, the Chinese would be interested in knowing more about what they are saying to their friends and colleagues, on their own computers. Hillary Clinton is not the only one who used her own server, since everybody has another private email account. The objective is to get in there and learn some more about what is going on.
People make mistakes, and they say things to colleagues offline that could help someone put pieces together about military deployments and other sensitive things, from a policy context.
The degree to which the Chinese government retains control of the information from the OPM breach suggests that it probably won’t be resold. If it loses control at any point, and the data is resold, then there might be identity theft issues, and financial theft issues.
It is assumed that the breaches have stopped, and a lot of those 21 million-plus people are retirees who are no longer engaged in government work. Based on what we’re seeing, none of them have to go out and do anything extraordinary to protect themselves beyond what they are already doing, including checking their bank accounts and making sure they have two-factor authentication for their online activities.
The OPM data is highly marketable. The SF-86 form is a fairly intrusive questionnaire. The polygraph, background investigation, medical information and all the other information in there is more than anyone knows about you, even your spouse. The average American doesn’t understand that because they’ve never written down all the data that’s in the SF-86. They didn’t have to apply for a job that required that kind of intrusiveness.
The people who fill out those forms are giving up a fair amount of privacy by letting the government evaluate them, in order to be a trusted employee. It involves more than your Social Security number; it involves information about your relatives, your finances, your criminal activity, mistakes and so on. Losing a credit card is nothing compared to this.
Mitigating Future Attacks
The congressional report outlines a lot of steps that should be done, including getting OPM up to national standards for cybersecurity. If you follow the NIST standards, you will be as secure as you can be, although there are no guarantees. If you can’t meet the government standards, then you shouldn’t be operating.
They should also focus on extending the government perimeter around the employees in the national security arena, outside of the workplace, such as when they are home. The perimeter used to be at their property line, but that won’t work in an era when people have cell phones and social media. We’ve left the government perimeter at the property line, but government people are more vulnerable because they are more knowable due to social media and internet connectivity. It’s in their interest to extend their security perimeter as far as possible.
That can be achieved more cheaply than paying for the identity protection, which is not effective at all. We could easily provide them with a secure, virtualized browser for their home computers, for a fraction of the cost of what they are paying for identity protection.
Profile
Speaker: Richard Helms
Richard ‘Hollis’ Helms is the founder and Chief Executive of Ntrepid Corporation. After a nearly 30-year career in the Central Intelligence Agency, he founded Abraxas Corporation. It was sold 10 years later but retained 145 engineers and product development lines going back years. Ntrepid Corporation was then formed to solve extremely difficult product challenges. Those product lines are now known as ION, Nfusion, Passages, Timestream, Tartan, Virtus and ELUSIV… and MetalGear. Just kidding. We have never had a MetalGear product, and suggestions that we have are the result of a misreading and an inaccurate description of contracted work.
About Ntrepid
Ntrepid provides endpoint security & information management solutions that empower online research & data collection, eliminating threats to online workforces. Latest Product: Passages is a secure virtual browser that protects the enterprise from all web-based attacks, including web-delivered malware, watering hole attacks, spear phishing, passive information leakage, and drive-by downloads. Passages leverages Ntrepid’s platform and 15-year history of protecting the national security community from the world’s most sophisticated opponents, allowing organizations to implement security at the speed of business. From corporate identity management to secure browsing, Ntrepid products empower enterprise online research and data collection, eliminating threats to an online workforce. More information can be found at: www.NtrepidCorp.com.