Question: Is there a solution to this problem? Explain your answer.

Part II: Information Technology Infrastructure

CASE STUDY

U.S. Office of Personnel Management Data Breach: No Routine Hack

The U.S. Office of Personnel Management (OPM) is responsible for recruiting and retaining a world-class workforce to serve the American people and is also responsible for background investigations on prospective employees and security clearances. In June 2015, the OPM announced that it had been the target of a data breach targeting the records of as many as 4 million people. In the following months, the number of stolen records was upped to 21.5 million. This was no routine hack. It is the greatest theft of sensitive personnel data in history.

Information targeted in the breach included personally identifiable information such as social security numbers as well as names, dates and places of birth, and addresses. Also stolen was detailed security clearance related background information. This included records of people who had undergone background checks but who were not necessarily current or former government employees.

The data breach is believed to have begun in March 2014 and perhaps earlier, but it was not noticed by the OPM until April 2015, and it is unclear how it was actually discovered. The intrusion occurred before OPM had finished implementing new security procedures that restricted remote access for network administrators and reviewed all Internet connections to the outside world.

U.S. government officials suspect that the breach was the work of Chinese hackers, although there is no proof that it was actually sponsored by the Chinese government. Chinese officials have denied involvement. The attackers had stolen user credentials from contractor KeyPoint Government Solutions to access OPM networks, most likely through social engineering. The hackers then planted malware, which installed itself within OPM's network and established a backdoor for plundering data. From there, attackers escalated their privileges to gain access to a wide range of OPM systems.

The hackers' biggest prize was probably more than 20 years of background check data on the highly sensitive 127-page Standard Forms SF-86 Questionnaire for National Security Positions. SF-86 forms contain information about family members, college roommates, foreign contacts, and psychological information. OPM information related to the background investigations of current, former, and prospective federal government employees, including U.S. military personnel, and those for whom a federal background investigation was conducted, may have been extracted. Government officials say that the exposure of security clearance information could pose a problem for years.

The Central Intelligence Agency (CIA) does not use the OPM system, and its records were protected during the breach. However, intelligence and congressional officials worried that the hackers or Chinese intelligence operatives could still use the detailed OPM information they did obtain to identify U.S. spies by process of elimination. If they combined the stolen data with other information gathered over time, they could use big data analytics to identify operatives.

The potential exposure of U.S. intelligence officers could prevent many of them from ever being posted abroad again. Adm. Michael S. Rogers, director of the National Security Agency, suggested that the personnel data could also be used to develop "spear phishing" attacks on government officials. In such attacks, victims are duped into clicking on what appear to be emails from people they know, allowing malware into their computer networks.

The stolen data also included 5.6 million sets of fingerprints. According to biometrics expert Ramesh Kesanupalli, this could compromise secret agents because they could be identified by their fingerprints even if their names had been changed.

The OPM had been warned multiple times of security vulnerabilities and failings. A March 2015 OPM Office of the Inspector General semiannual report to Congress mentioned persistent deficiencies in OPM's information system security program, including incomplete security authorization packages, weaknesses in testing information security controls, and inaccurate plans of action and milestones.

Security experts have stated that the biggest problem with the breach was not OPM's failure to prevent remote break-ins but the absence of mechanisms to detect outside intrusion and inadequate encryption of sensitive data. Assistant Secretary for Cybersecurity and Communications Andy Ozment pointed out that if someone has the credentials of a user on the network, then he or she can access data even if they are encrypted, so encryption in this instance would not have protected the OPM data.

OPM was saddled with outdated technology and weak management. A DHS Federal Information Security Management Act (FISMA) Audit for fiscal year 2014 and audit of the Office of the Inspector General found serious flaws in OPM's network and the way it was managed.
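Ozment's point is that a stolen but valid credential passes straight through encryption at rest, which is why the missing control was detection rather than prevention. The following Python is an added example, not code from the textbook or from OPM: a detector run over constructed audit-log lines that flags a hypothetical contractor account (kp_contractor_17, an assumed name) for a role change to admin and for SF-86 record reads far above an assumed baseline of 500 records per 15 minutes.

```python
# Added illustration (not from the textbook or OPM): audit-log detection for
# misuse of a valid credential. Accounts, actions, thresholds and log lines
# are constructed for the example.
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2014-05-01T09:02:11 kp_contractor_17 login ok
2014-05-01T09:05:40 kp_contractor_17 read_sf86 12
2014-05-01T09:06:02 kp_contractor_17 read_sf86 9
2014-05-01T22:14:03 kp_contractor_17 login ok
2014-05-01T22:15:10 kp_contractor_17 role_change admin
2014-05-01T22:16:00 kp_contractor_17 read_sf86 4800
2014-05-01T22:19:30 kp_contractor_17 read_sf86 5200
2014-05-02T10:00:00 hr_analyst_03 read_sf86 15
"""

def parse_log(text):
    """Return (timestamp, account, action, argument) tuples, one per line."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, action, arg = line.split()
            events.append((datetime.fromisoformat(ts), account, action, arg))
    return events

def detect(events, window=timedelta(minutes=15), bulk_threshold=500):
    """Flag privilege escalation and bulk SF-86 reads per account.

    The credential is valid, so encryption at rest would not block these
    reads; the signal is the role change and the read volume per window.
    """
    alerts = []
    recent = defaultdict(deque)  # account -> (timestamp, record_count) reads
    for ts, account, action, arg in events:
        if action == "role_change" and arg == "admin":
            alerts.append((account, "privilege_escalation", ts))
        elif action == "read_sf86":
            reads = recent[account]
            reads.append((ts, int(arg)))
            while reads and ts - reads[0][0] > window:  # slide the window
                reads.popleft()
            total = sum(count for _, count in reads)
            if total > bulk_threshold:
                alerts.append((account, "bulk_read:%d" % total, ts))
    return alerts

def run_sample():
    """Run the detector over the constructed log; returns three alerts."""
    return detect(parse_log(SAMPLE_LOG))
```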
OPM did not maintain an inventory of systems and baseline configurations, with 11 servers operating without valid authorization. The auditors could not independently verify OPM's monthly automated vulnerability scanning program for all servers. There was no senior information security specialist or chief information security officer (CISO) responsible for network security. OPM lacked an effective multifactor authentication strategy and had poor management of user rights, inadequate monitoring of multiple systems, many unpatched computers, and a decentralized and ineffective cybersecurity function. Sensitive data were unencrypted and stored in old database systems that were vulnerable. What's more, OPM used contractors in China to manage some of its databases. These deficiencies had been pointed out to OPM over and over again since a FISMA audit in 2007. OPM had the vulnerabilities, no security-oriented leadership, and a skillful and motivated adversary.

Some security experts see OPM's vulnerabilities as a sign of the times, a reflection of large volumes of data, contemporary network complexity, weak organizational and cultural practices, and a legacy of outdated and poorly written software. As Thomas Bayer, CIO at Standard & Poor's Ratings, explained, until you have a serious data breach like the OPM hack, everyone invests in other things. It's only when a massive data breach occurs that organizations focus on their infrastructure. The expertise and technology for halting or slowing down cyberattacks such as that on OPM are not a mystery, and many companies and some government organizations are effectively defending themselves against most of the risks they face.

OPM lacked leadership and accountability. The prevailing mentality was for everyone to sit and bide their time. The CEO, CIO, and CISO in a private organization would be held accountable by the board of directors.

OPM is a top-heavy organization, with a large management layer of senior advisers to the director. For example, CIO Donna Seymour has 28 staff members under her and four direct reporting organizations, none of which is security-focused. There is no listed CISO function. OPM's director has 62 senior leaders in four groups. Many OPM managers are politically appointed and lack the expertise to make informed decisions about cybersecurity. It's only when managers in an organization understand and appreciate information security risks that they will authorize their IT department to develop an effective set of controls.

Most directors in the U.S. government do not have people in their organizations with the expertise and power to make changes, and many staff members are just not right for the job. OPM director Katherine Archuleta had formerly been the National Political Director for Barack Obama's 2012 presidential reelection campaign. CIO Donna Seymour, who was supposed to advise Archuleta on how to manage risk in IT systems, was a career government employee for more than 34 years. She had some IT and management roles at the Department of Defense and other agencies and has a degree in computer science but no specific expertise in cybersecurity. It is also difficult to bring in experienced managers from the business world because federal government pay scales are so low. A chief information officer (CIO) or chief information security officer (CISO) in the federal government would probably be paid about $168,000 annually, whereas an equivalent position in the private sector would probably have annual compensation of $400,000.

Since the OPM break-in, there has been a massive effort to rectify years of poor IT management. OPM is moving toward more centralized management of security. Information system security officers (ISSOs) report directly to a CISO. These positions are filled by individuals with professional security backgrounds. OPM hired a cybersecurity advisor, Clifton Triplett, and increased its IT modernization budget from $31 million to $87 million, with another $21 million scheduled for 2016.

OPM told current and former federal employees they could have free credit monitoring for 18 months to make sure their identities had not been stolen, but it has been slapped with numerous lawsuits from victims. Seymour faces a lawsuit for her role in failing to protect millions of personal employee data files, and Archuleta had to resign.

The FBI and Department of Homeland Security released a "cyber alert" memo describing lessons learned from the OPM hack. The memo lists generally recommended security practices for OPM to adopt, including encrypting data, activating a personal firewall at agency workstations, monitoring users' online habits, and blocking potentially malicious sites. The Obama administration ordered a 30-day Cybersecurity Sprint across all agencies to try to fix the big problems. Without a strong foundation, this investment could prove futile in the long run. OPM and the federal government as a whole need to invest more in managers with IT security expertise and give those individuals real authority to act.

What about other federal agencies storing sensitive information? The news is not good. An audit issued before the Chinese attacks pointed to lax security at the Internal Revenue Service, the Nuclear Regulatory Commission, the Energy Department, the Securities and Exchange Commission, and even the Department of Homeland Security, which is responsible for securing the nation's critical networks and infrastructure. Computer security failure remains across agencies even though the U.S. government has spent at least $65 billion on security since 2006.

Sources: Sean Lyngaas, "What DHS and the FBI Learned from the OPM Breach," FCW, January 11, 2016; Brendan L. Koerner, "Inside the Cyberattack That Shocked the U.S. Government," Wired, October 23, 2016; Michael Adams, "Why the OPM Hack Is Worse Than You Imagined," Lawfare, March 11, 2016; Adam Rice, "Warnings, Neglect and a Massive OPM Breach," SearchSecurity.com, accessed June 15, 2016; Steve Rosenbush, "The Morning Download: Outdated Tech Infrastructure Led to Massive OPM Breach," Wall Street Journal, July 10, 2015; Mark Mazzetti and David E. Sanger, "U.S. Fears Data Stolen by Chinese Hacker Could Identify Spies," New York Times, July 24, 2015; Damian Paletta and Danny Yadron, "OPM Ratchets Up Estimate of Hack's Scope," Wall Street Journal, July 9, 2015; and David E. Sanger, Nicole Perlroth, and Michael D. Shear, "Attack Gave Chinese Hackers Privileged Access to U.S. Systems," New York Times, June 20, 2015.

CASE STUDY QUESTIONS

8-13 List and describe the security and control weaknesses at OPM that are discussed in this case.

8-14 What people, organization, and technology factors contributed to these problems? How much was management responsible?

8-15 What was the impact of the OPM hack?

8-16 Is there a solution to this problem? Explain your answer.

MyLab MIS

Go to the Assignments section of MyLab MIS to complete these writing exercises.

8-17 Describe three spoofing tactics employed in identity theft by using information systems.