OPM Lost My Identity — This Time, It’s Personal

So I have been compromised.

My personal information was among the millions taken by our adversary from the Office of Personnel Management (OPM). Of course this is not the first time my personal information has fallen into the hands of the undesirable, but this time it’s different.

Previously, the focus has been on my credit card and banking information — three times in the last two years. But OPM had my SF-86 (my security clearance questionnaire) on file. With that information, you can become me. It lists not just my PII, but also the PII of my friends and family members, my neighbors, my associations…everything.

 

OPM Breach

So how did this happen?

Hackers look at targets in terms of “attack surfaces” — areas they can exploit, nooks they can get into and expand from into an enterprise. This used to be done primarily through phishing or malware; while those are still in use, they are now considered clumsy and inefficient strategies. The use of next generation firewalls and network intrusion detection technologies can prevent a lot of these attacks — even zero day events.

The modern day attack surface of choice is our identity. In other words, what account can I compromise to give me the most access to the most resources? This strategy is targeted, even elegant.

All users have some privilege — perhaps just to their own email account or an agency’s Facebook page — but some users have significantly more. These users might be Domain Administrators, Database Administrators or have Root privilege on Unix or Linux servers. Of course, there are also the admin accounts built into the operating system itself; Administrator (or Domain Administrator) for Windows or the Root account in the *nix world. This apparently was the attack surface of choice for the perpetrators at OPM.

APT vector

According to the DOI CIO, Sylvia Burns, “The breach did not happen because of a vulnerability at the DOI data center. It happened because of compromised credentials of a privileged user on the OPM side who then moved into DOI’s environment through a trusted connection.”

In essence, the hackers were able to compromise one or more highly privileged accounts within OPM and then moved laterally throughout the enterprise with a valid username and password and just pulled out the data they wanted. Heck, they could have even changed the passwords on those accounts and kept the legal users of those accounts from regaining control of their own systems!

The modern identity attack surface consists of too many accounts on too many systems, too many users with too much privilege and shared administrative accounts with shared passwords. For modern hackers, this is a treasure trove of opportunity.

So how do we shrink this attack surface and increase our security posture?

According to the National Institute of Standards and Technology (NIST), the key is to reduce the number of privileged accounts, enforce least privilege across the enterprise and employ multifactor authentication (MFA) where possible. They outline this in detail in SP 800-53. You can find the entirety of the document here.

The good news is that we are starting to learn our collective lessons regarding securing our enterprise data by securing our identities. The Department of Homeland Security (DHS) Continuous Diagnostics Mitigation (CDM) program contains tool functional areas to address Trust, Behavior, Credibility and Privilege. Civilian agencies will be able to acquire best-of-breed technologies at little cost.

The OPM breach in particular has shone a spotlight on these vulnerabilities and the White House, via the Office of Management and Budget (OMB), with the support of DHS has initiated a “30 Day Sprint” during which agencies must procure tools and implement changes to their systems to increase security. Among the requirements:

“Tighten policies and practices for privileged users. To the greatest extent possible, agencies should: minimize the number of privileged users; limit functions that can be performed when using privileged accounts; limit the duration that privileged users can be logged in; limit the privileged functions that can be performed using remote access; and ensure that privileged user activities are logged and that such logs are reviewed regularly.” (OMB 30 Day Sprint Fact Sheet)
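The last of those requirements, logging and regularly reviewing privileged user activity, is what would have surfaced the pattern described earlier: one valid privileged credential moving laterally from host to host. The script below is an added illustration written for this post, not OPM, DHS or Centrify tooling. It parses a handful of constructed Linux auth-log lines in the usual OpenSSH and sudo syslog layout and applies four review rules: a privileged account logging in from outside the admin network, a failed login against a privileged account, sudo use by an account that is not on the privileged list, and one privileged account reaching several hosts within a short window. The privileged account names, host names, the 10.10.0.0/16 admin network and the thresholds are all assumptions; in practice they would come from the directory and the agency's access policy.

```python
"""Review privileged-account activity in constructed Linux auth log lines.

Added example for this post; not tooling from OPM, DHS or Centrify. Account
names, hosts, the admin network and the thresholds below are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed policy inputs (normally taken from the directory / PAM configuration).
PRIVILEGED_ACCOUNTS = {"root", "dbadmin", "opsadmin"}
ADMIN_NETWORK = ip_network("10.10.0.0/16")   # where admin logins are expected from
LATERAL_HOST_THRESHOLD = 3                    # distinct hosts reached by one account ...
LATERAL_WINDOW = timedelta(minutes=10)        # ... within this window is suspicious

# Constructed syslog-style lines (syslog omits the year; 2015 is assumed below).
SAMPLE_LOG = """\
Jun 04 09:01:10 hr-db01 sshd[2101]: Accepted publickey for dbadmin from 10.10.4.20 port 51022 ssh2
Jun 04 09:03:41 hr-db01 sudo:  dbadmin : TTY=pts/0 ; PWD=/home/dbadmin ; USER=root ; COMMAND=/usr/bin/pg_dump personnel
Jun 04 13:15:02 hr-db01 sshd[2330]: Accepted password for opsadmin from 203.0.113.77 port 40012 ssh2
Jun 04 13:16:30 hr-db02 sshd[1911]: Accepted password for opsadmin from 203.0.113.77 port 40013 ssh2
Jun 04 13:18:05 fileshare7 sshd[887]: Accepted password for opsadmin from 203.0.113.77 port 40015 ssh2
Jun 04 13:19:44 fileshare7 sudo: opsadmin : TTY=pts/1 ; PWD=/srv ; USER=root ; COMMAND=/bin/tar czf /tmp/backup.tgz /srv/records
Jun 04 14:02:11 web03 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/bash
Jun 04 15:40:00 web03 sshd[3001]: Failed password for root from 198.51.100.9 port 2222 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>sshd|sudo)(?:\[\d+\])?: +(?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_line(line, year=2015):
    """Turn one sshd or sudo syslog line into an event dict; None if unrecognised."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    host, msg = m["host"], m["msg"]
    if m["prog"] == "sshd":
        s = SSH_RE.match(msg)
        if not s:
            return None
        return {"ts": ts, "host": host, "event": "ssh", "user": s["user"],
                "src": s["ip"], "ok": s["result"] == "Accepted", "method": s["method"]}
    s = SUDO_RE.match(msg)
    if not s:
        return None
    return {"ts": ts, "host": host, "event": "sudo", "user": s["user"],
            "target": s["target"], "cmd": s["cmd"]}


def review(lines):
    """Apply the review rules; return a list of (rule, detail) findings."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    findings = []
    logins = defaultdict(list)  # user -> [(ts, host)] for successful ssh logins
    for e in events:
        if e["event"] == "ssh" and e["ok"]:
            logins[e["user"]].append((e["ts"], e["host"]))
            if e["user"] in PRIVILEGED_ACCOUNTS and ip_address(e["src"]) not in ADMIN_NETWORK:
                findings.append(("privileged-login-off-admin-net",
                                 f"{e['user']}@{e['host']} from {e['src']}"))
        elif e["event"] == "ssh" and e["user"] in PRIVILEGED_ACCOUNTS:
            findings.append(("failed-privileged-login",
                             f"{e['user']}@{e['host']} from {e['src']}"))
        elif e["event"] == "sudo" and e["user"] not in PRIVILEGED_ACCOUNTS:
            findings.append(("sudo-by-unprivileged-account",
                             f"{e['user']}@{e['host']} ran {e['cmd']}"))
    # Lateral-movement rule: one privileged account on several hosts in a short window.
    for user, entries in logins.items():
        if user not in PRIVILEGED_ACCOUNTS:
            continue
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - t0 <= LATERAL_WINDOW}
            if len(hosts) >= LATERAL_HOST_THRESHOLD:
                findings.append(("lateral-movement",
                                 f"{user} reached {sorted(hosts)} within {LATERAL_WINDOW}"))
                break
    return findings


if __name__ == "__main__":
    for rule, detail in review(SAMPLE_LOG.splitlines()):
        print(f"{rule:32} {detail}")
```

On the constructed sample the dbadmin session from inside the admin network produces nothing, while the opsadmin session from an external address is flagged three times for the off-network logins and once for reaching three hosts in under ten minutes; the jsmith sudo and the failed root login each produce one finding. The point is not the specific thresholds but that every rule depends on having a maintained list of which accounts are privileged, which is exactly the inventory the OMB sprint asks agencies to shrink.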

Unified Identity Management

Centrify is the marketplace leader in Privileged Identity Management (PIM), Identity as a Service (IDaaS), and full support for MFA in accordance with HSPD-12. The Centrify Identity Platform has solutions for the data center, supporting more than 400 different operating systems, applications, cloud and mobile.

Unified Identity Services…Across Data Center, Cloud and Mobile.  Identify, Unify, Centrify.