The fallout continues on the OPM data breach

It seems the Chinese plundered the United States Office of Personnel Management (OPM) at will for at least a year.  Here is my original blog post about the OPM data breach nightmare.

If you’re a CEO of a major organization and you still think Internet security is abstract and doesn’t apply to you, I hope you have a nice retirement package set aside.  Don’t believe me?  Just watch the ongoing revelations about the OPM data breach.  The news just keeps getting worse.  The latest tally is 22 million people.  It’s the biggest and maybe the worst data breach in US Government history and it cost Director Katherine Archuleta her job.  I imagine a few more heads will roll over the next few days.  Here is a link to a NY Times article with details.

Want to see one of the best examples of government CYA in action?  Take a look at this press release from a company named Cytech.  PDF here in case the original link goes bad.  Apparently, a Cytech April 2015 demo uncovered a set of unknown processes on some Windows systems.  I’m guessing they were Windows systems – none of the reports overtly mention it.  Cytech worked with OPM to chase down those processes and the rest is history.

But wait – a sales demo uncovering the worst data breach in US Government history makes high government officials look bad.  Spokespeople to the rescue.  Here is a Fortune article with the response from OPM spokesman Sam Schumach.  PDF here in case the link goes bad.  I’ll quote Sam’s first sentence:

“The cyber intrusion announced last week affecting personnel records for approximately 4 million current and former federal employees was discovered through enhanced monitoring and detection systems that OPM implemented as part of an aggressive effort in recent months to strengthen our cybersecurity capabilities. …”

You can read the rest in the Fortune article.

Pause for a minute.  Beyond CYA posturing, what are the real-world consequences of this debacle?  Well, for one thing, personal information for everyone who applied for a US Government security clearance since 2000 is now compromised.  If you applied for a US Government clearance and you contacted somebody in a hostile country who helped the United States, it’s likely the Chinese learned about it back in 2014.  Do I need to connect any more dots?  Still think IT security is abstract and doesn’t apply to you?  Real, flesh and blood people who wanted to help the good guys may have died because the United States Federal Government only paid lip service to taking your security seriously.

Now back to CYA posturing.

I’m not sure I would want to be in Cytech CEO Ben Cotton’s shoes right now.   Imagine this scenario.  A large government agency invites your company to do a sales demo for your flagship product.  You spend days, weeks, maybe months and a fortune in investor private sector money preparing.  You put it all at risk because that’s what we do in the private sector.

And it seems to pay off when you unexpectedly uncover a huge mess.  And then you help remediate the problem because it’s the right thing to do.   Word leaks out, speculation runs rampant, and you feel forced to do a press release in response because everyone is naming your company anyway.  But now the people running the agency that invited you in look bad and they put out their own statements contradicting you.  What are the odds you’ll earn a sale from your hard work?  No good deed goes unpunished.

And there’s more.

After the news about the breach came out, OPM offered free credit monitoring for victims.  The questionable value of this free credit monitoring is well documented, and once the monitoring period ends, then what?  But forget about that – how did OPM notify victims?  By sending an email with a “click here” link.  To millions of Federal employees.

Why is that significant?  Because that’s how phishing schemes operate.  “Dear customer.  We at your bank found an irregularity.  Please click here to make it all better.”  Bla bla bla.  Except the email didn’t come from your bank, it came from a con artist on the other side of the planet who wants to plunder any information in your computer.  It’s one of the oldest and most well known con-jobs on the Internet.  And people still fall for it.  See my blog post, “How to spot a phishy email,” for more.

So guess what?  Almost immediately after OPM sent its “click here” email, scammers and spammers duplicated it and sent identical emails with their own “click here” links pointing to their own shady websites.  Take a look at these articles, here and here.  Talk about rubbing salt in the wound.

Now take a look at this link.  It’s the National Institute of Standards’ cybersecurity framework.   That’s right.  The United States Federal Government literally wrote the book on cybersecurity.  And keeps it updated.  It’s a shame the leaders at the United States Federal Government HR office apparently didn’t read it.

Finally, if you’re mystified and curious how these breaches happen at the grass roots, and if you’re not, you should be, take a look at my new book, Bullseye Breach.  Here is a link.  It’s a story about how a fictional large Minneapolis retailer named Bullseye Stores loses 40 million credit card numbers to some Russian crooks.  I used fiction as a vehicle because the world already has enough how-to books that nobody reads.  So I used fiction and a compelling story to hopefully keep your attention.  Every CEO should read this book – it might save you from putting out a press release explaining how you take security seriously after a major breach.

(First published on my Infrasupport website on July 11, 2015.  I backdated here to match the original posting date.)

Here we go again – data breach at Trump Hotel properties

Here is yet another data breach headline, this time from the Donald himself, Trump Hotel properties, published yesterday (July 1, 2015) by Brian Krebs.  Here is the link to the article.

It seems the banks uncovered a trail of credit card fraud leading right back to Trump Hotel properties.  This one has apparently been going on since Feb. 2015.

We’re early in the cycle of this latest sensational data breach, but they all follow the same pattern.  Watch for it with this one.  Here’s how they unfold.

  1. Lax or dysfunctional management ignores all the warnings about potential IT security problems.  Those techies – all they want to do is spend money on tech toys.  We sell hammers or hotel rooms or clothes.  Or we’re a Government HR department.  Or we make movies.  We’re not a tech company.
  2. A sensational news story hits the wires.  Millions of credit card numbers stolen!  Personal information stolen by the Chinese!  Fortune 500 company brought to its knees!
  3. The CEO or other leader of the breached organization puts out a press release.  “We take our customers’ privacy seriously.”  The press release includes a generous offer of worthless free credit monitoring for potential victims for a year.
  4. PR teams gear up as leaders in the breached organization fill the airwaves with excuses and all the important steps they’re taking to mitigate this breach.  They use words like “sophisticated” and “criminal syndicate” or “nation state” to describe the attackers.
  5. Columnists and bloggers express outrage.  (That’s what I’m doing right now.)
  6. Lots of people share commentary about how awful this all is and the poor state of our security.  But nobody shares any specifics about conditions leading up to the breach, how the bad guys penetrated the victim organization, or the get-well steps.   (I saw one exception to this in a KrebsOnSecurity.com post about the Sally Beauty breach.)
  7. Embarrassed Boards of Directors and other VIPs outdo themselves with knee-jerk reactions as they pour a fortune into closing the barn door after the horses have already escaped.
  8. Sometimes, a major news magazine does an in-depth story about the personalities involved at the victim company a few months later.
  9. The story eventually fades away and the public is left to believe that breached companies are helpless victims of sophisticated criminal syndicates or nation-state sponsored terrorists.  There’s nothing anyone could have done about it.

Don’t believe this crap for even one second.  Every single sensational data breach we’ve read about was preventable.  Every single one.

Want to fix the problem instead of putting out CYA press releases?  Here’s what needs to happen – and it doesn’t cost a fortune.

First, a tactical step:  Improve the topology.  Put the most valuable systems behind an internal firewall with a white list and log access to it.  Notify the right people if the systems holding that critical data try to communicate outside the white list.

Second is vigilance.  When we peel back the onion layers on these breaches, we find too many people asleep at the switch.  Or nobody minding the store.  Pick your metaphor.  The Chinese run rampant through the US Office of Personnel Management network and nobody notices traffic flying to China?  What’s up with that?  The North Koreans run rampant through Sony Pictures and nobody notices?  Let’s call this what it is – carelessness from the people who should know better.

And that leads to the third step:  Openness.  This is counter-intuitive, but organizations should publish what they do for security.  This doesn’t mean give away passwords and encryption keys.  But publish their standards and methods.  In detail.  Present at conferences, do media interviews, and open up to community scrutiny.  This is a departure from traditional large organization operating procedure and I can already hear the screams of agony:  “If we tell the world how we do security, then everyone will know and it will be worthless!”

I answer that with a question: “Given recent sensational data breach headlines, how’s the current operating procedure working out?”  Right now, only the bad guys know the relevant details and they’re plundering us.  So level the playing field.  Open it up.  The surviving encryption methods are all open and well-known.  And hardened because they’ve passed a gauntlet of public scrutiny.  Business and government should take a lesson.

Do those three things and IT security will naturally gain the attention it needs at the top levels of business and government and appropriate investments will follow.

Finally – want to read a fiction novel with a realistic story about how a sensational data breach unfolds?  Check out my new book, Bullseye Breach.

(Originally posted on my Infrasupport website on July 2, 2015.  I backdated here to match the original posting.)