OPM Breach: Training and Skills Are Key to Safeguarding Information

In a recently filed class-action lawsuit filed against OPM, the plaintiffs cited a November 2014 Office of the Inspector General (OIG) report stating that the “drastic increase in the number of [software] systems operating without valid authorization is alarming and represents a systemic issue of inadequate planning by the OPM offices to authorize the [software] systems they own.” The OIG report also cited the cybersecurity deficiencies that “could potentially have national security implications.” These included:

  • The OPM’s decentralized governance structure
  • A lack of acceptable risk management policies and procedures
  • Failure to maintain a mature vulnerability scanning program to find and track the status of security weaknesses in software systems
  • A high rate of false security alerts that could delay the identification of and response to actual security breaches
  • Failure to use tools to monitor the progress of corrective efforts for cyber security weaknesses
  • Remote access sessions which did not terminate or lock out after the period of inactivity required by federal law
  • Failure to continuously monitor the security controls of all software systems
  • Failure to maintain and test contingency plans for every information system as required under the OPM’s policies
  • Failure to use Personal Identification Verification (PIV) cards for multi-factor authentication in all major software systems

According to the OIG report, evidence points to credentials stolen from a private contractor as the source of the breach. It notes that the third-party contractor had suffered a breach in August 2014, employee credentials were compromised, and OPM failed to take proactive measures to address the possible access privileges provided to employees of that contractor. This breach provides a case study for senior executives in large organizations and cybersecurity professionals of the need to improve understanding and implementation of prudent cybersecurity risk management and governance best practices and to ensure a strong and skilled cyber workforce.

While implementing technical solutions may have played a significant role in potentially preventing or lowering the risk associated with this kind of incident, it likely would not have saved the day against a well-funded and determined nation-state adversary. Technology is only effective if risk management and governance policies are developed and implemented and cybersecurity professionals at all levels of the organization are trained and have the requisite skills to perform the tasks related to their functional roles in cybersecurity.

In today’s world of advanced threats, it is critical that staff at all levels obtain training and certifications that build the most up-to-date cyber defense capabilities. It is a clear indication that training and education, through programs such as ISACA’s Cybersecurity Nexus (CSX), need to be at the forefront. Enterprises need hands-on skills to manage a mature vulnerability scanning program, more quickly recognize false-positive security alerts, properly monitor progress related to corrective actions related to cybersecurity weaknesses, implement effective remote access policies, employ effective continuous monitoring of security controls, develop, maintain, and test information systems contingency plans, and finally, ensure multi-factor authentication is implemented on critical information systems.

Robin “Montana” Williams
Sr. Manager, Cybersecurity Practices
ISACA/Cybersecurity Nexus (CSX)

[ISACA]

Important Considerations for Cloud Security, Whether Public or Private

Security is one of the most critical considerations for cloud computing, regardless of whether the deployment is public or private. We recently teamed up with the Cloud Security Alliance (CSA) to offer “Security Considerations for Private vs. Public Clouds,” a whitepaper covering important topics for securing cloud infrastructure, including:

  • Contracts and service level agreements
  • Roles and responsibilities
  • Compliance and auditing
  • Physical and virtual attack surface considerations
  • Operational challenges, including data migration, logging, monitoring, incident management and recovery
  • Change management

Download the whitepaper here. Learn more about the Palo Alto Networks Security Platform, including solutions for VMware, Amazon Web Services, Citrix and KVM environments, on ourpublic cloud and private cloud resources pages.

[Palo Alto Networks Blog]

Taking Needed Steps to Protect Network Connected Devices

The U.S. Food & Drug Administration (FDA) is responsible for the oversight of food and medical products sold in the United States. As such, when it finds previously unknown safety concerns, the FDA takes measures to let the public know. Perusing the list of safety communications issued by the FDA, one typically sees product recalls on a range of issues, such as improper labelling, lack of FDA approvals, and manufacturing defects.

On May 13, 2015, the FDA issued a safety communication of a different sort. Vulnerabilities of Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems: FDA Safety Communicationidentified a medical device that is responsible for the delivery of anesthetic or therapeutic drugs as being vulnerable to reprogramming by an unauthorized third party. There are a number of attack vectors present, as outlined in ISCA-15-125-01B, with the most serious error being an open telnet port on TCP/23. As if telnet itself wasn’t already inherently insecure (which it is), the issue with this particular device is that it provides unauthenticated users with root privileges. Other flags include exploitable vulnerabilities, unprotected keys, cleartext credential storage, and hardcoded accounts.

The Internet of Things introduces a number of challenges for product manufacturers. Many are being pressured to develop network interfaces to their products; doing so greatly simplifies connectivity by doing away with the slew of custom connectors and protocols that litter the market. But these products are not necessarily being developed with security in mind. Many are embedding network stacks into the firmware of their products with poorly implemented security features and packages with unpatched vulnerabilities.

The users of such products face an entirely different challenge. Most end users are not in a position to closely scrutinize how exploitable every device on their network is. Even after running a port scan to look for the open ports, most security teams aren’t staffed to test for vulnerabilities on every device that shows up on their network.

If one cannot trust the security of the device (and by default, one never should), steps must be taken to minimize exposure to risk through other means. That’s why network segmentation is a critical measure to make sure that unnecessary levels of access to applications and networks are not permitted.

At the most basic level, network segmentation can greatly reduce the attack surface area. As a general rule, separating the medical device network from the LAN is a forgone conclusion, but one that many organizations may overlook. That’s because traditional network segmentation with port-based firewalls is often messy work. Setting up the VLANs is the easy part, but the ineffective port-based policy is not capable of scrutinizing what’s happening in application traffic. Modifying the policy every time there’s a change in the segmentation is a nightmare, and ultimately drives many organizations back to a flat network.

If you think about it, network segmentation itself is not all that useful if it’s not doing a good job controlling traffic that passes from one segment to another. That’s what makes the Palo Alto Networks Next-Generation Firewall particularly well suited for this purpose, for it uses applications tied to users and groups to define policy of the traffic passing from one network segment to another. In addition, the use of threat prevention to stop exploits and known/unknown malware establishes protection to stop malicious traffic.

Network segmentation is but one part of a strategy to deal with the Internet of Things using the Palo Alto Networks Security Platform. Through the adoption of additional layers of security, including endpoint protection and the use of global threat intelligence, your security team can build a network that is capable of adopting network connected devices by leveraging prevention measures to reduce risk. Learn more about the platform here.

[Palo Alto Networks Blog]

English
Exit mobile version