4 tips for fighting the growing wave of dotgov hacks
- By Orlando Scott-Cowley
- Jul 16, 2015
The U.S. Office of Personnel Management has recently disclosed a cyber-security breach that could have resulted in the personal information of nearly 4 million U.S. government employees being exposed.
That initial estimate has been increased to 14 million people, making it reportedly one of the largest government data breaches in U.S. history. This is worrisome because OPM conducts a high percentage of the background checks for federal government security clearances.
If the attackers were able to gain access to the types of data submitted in the 127-page SF-86 security clearance forms, they could effectively map the majority of the U.S. government’s security-vetted staff as well as their immediate and extended families, not to mention financial, health care and other highly personal details.
So far, the attack has been attributed to Chinese threat actors, although no official statement has been made.
This isn’t the first time the U.S. government has suffered at the hands of hackers. Over the last two years, various government departments have been painfully exposed and under constant attack since former contractor Edward Snowden leaked classified NSA data through newspapers in the U.S., Germany and United Kingdom. OPM was first breached in March 2014, at about the same time the Government Printing Office and the Government Accountability Office were also compromised.
In November 2014, suspected Chinese hackers breached the U.S. Postal Service where more than 800,000 employees’ data was compromised. The State Department was penetrated by suspected Russian hackers in the same month, and China was again suspected of breaching four of the National Oceanic and Atmospheric Administration websites.
And as a final flourish, the same alleged Russian hackers who gained access to the State Department also managed to compromise President Obama’s unclassified email at the White House in December 2014.
Why is this latest hack so important, aside from being another hack in a long list of dot gov attacks?
Cybersecurity is now a key part of the geopolitical landscape, strategy and tactics, and we should expect to see more dot gov data being compromised, more critical infrastructure being targeted, and most importantly for the rest of us: more collateral damage trickling down to the private sector.
No one in the West will be immune from the threats, risks and implications of the determined and successful attackers that have targeted the U.S. government. Whether the attribution is to Chinese, Russian or other threat actors, state-sponsored or not, the downstream effects of these hacks are important and we should take notice.
It’s clear our existing defenses are not up to the job of protecting us against such advanced attacks. Even those organizations that have government-sized IT budgets can’t keep the threat actors out. We now know email played a central role in many of the attacks mentioned above.
Now is the time to review the existing defenses for your own critical infrastructure and ask your IT teams if they are up to the job. Spear-phishing attacks are designed to circumvent classic anti-spam and antivirus gateways, so protecting against those innocent-looking but malware-laden links in email should be your first priority.
The impact and scale of the collateral damage is significant. If you have data or IP that hackers could find valuable or monetize, you’re also a target. The data stolen from all of these government agencies could be used as a component of, or intelligence for, the infiltration of commercial companies worldwide that retain ‘interesting data.’
So what should you do? Be serious about your data: protect it, and never think to yourself, “It won’t happen to me.” Here are four tips that will help defend your business from the latest breed of dot gov type attacks:
1. Identify who is responsible for managing your data. Is it the CIO or CISO? Maybe you have a chief data officer? Either way, if you can’t identify this person, there is a major risk that needs to be addressed out of the gate. The central point of decision-making for data-related issues needs to be appointed and identified.
2. Enhance your ability to protect your data. If someone started the process of stealing your intellectual property, databases or archives from your network—would you even notice or be alerted? If not, why not? There are plenty of ways to lock down bulk access to and collection of data. It’s important that you consider how you can encrypt your data. Sony Pictures Entertainment would be suffering a lot less now if they’d thought about ways to protect their data at rest. Also look at ways of making sure attackers can’t exploit your users in the first place. Add protection for URLs in emails and attachments, and make sure attachments are clean too, either by safely converting them into a benign format or running them through a security sandbox.
3. Have a plan. When something does go wrong, what happens? Do you have a well-rehearsed breach mitigation plan? Do you know if and how you’ll notify your staff, clients and suppliers of the breach? Do you know your legal obligations? We often talk about the risk of reputational damage as the result of a data breach—recent studies show that your organization’s reputation will be impacted far more if you fail to react to the breach correctly, than the breach itself.
4. Step up your security awareness game. Make sure your employees understand the latest threats, and how hackers will try to use clever social engineering to gain their trust and ultimately exploit them. This is especially important if you have ex-government employees who have security clearances: if their personal data was exposed in the OPM hack, the attackers will already know a lot more about those individuals, and are likely to try to use that information against them.
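Tip 2 asks whether you would even notice bulk collection of your data. As an added illustration that is not part of the original article, the script below runs a simple sliding-window detector over constructed database-export audit lines (the log format, user names and thresholds are assumptions) and flags any account whose exported rows within one hour exceed a limit, while letting a sanctioned backup account through an allowlist.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (assumed format, not from the article):
# one line per database export, with the number of rows exported.
SAMPLE_LOG = """\
2015-07-16T09:02:11Z user=alice action=export table=personnel rows=40
2015-07-16T09:15:42Z user=bob action=export table=personnel rows=25
2015-07-16T09:48:03Z user=alice action=export table=personnel rows=35
2015-07-16T10:05:19Z user=bob action=export table=personnel rows=30
2015-07-16T10:07:51Z user=svc_backup action=export table=personnel rows=9000
2015-07-16T10:21:33Z user=alice action=export table=personnel rows=20
2015-07-16T10:22:08Z user=alice action=export table=personnel rows=4000
2015-07-16T10:23:40Z user=alice action=export table=personnel rows=4200
2015-07-16T10:41:05Z user=bob action=export table=personnel rows=28
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=export table=(\S+) rows=(\d+)$")

def parse(log_text):
    """Yield (timestamp, user, table, rows) for each well-formed export event."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in other formats instead of failing the whole run
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), int(m.group(4))

def find_bulk_exports(log_text, window=timedelta(hours=1), max_rows=1000, allowlist=()):
    """Return {user: rows_in_worst_window} for users exceeding max_rows in any window."""
    per_user = defaultdict(list)
    for ts, user, _table, rows in parse(log_text):
        if user in allowlist:  # e.g. a sanctioned backup job with expected large exports
            continue
        per_user[user].append((ts, rows))
    alerts = {}
    for user, events in per_user.items():
        events.sort()
        worst, start, total = 0, 0, 0
        for ts, rows in events:
            total += rows
            while ts - events[start][0] > window:  # slide the window forward
                total -= events[start][1]
                start += 1
            worst = max(worst, total)
        if worst > max_rows:
            alerts[user] = worst
    return alerts
```

In the sample, alice's three exports between 10:21 and 10:24 are individually unremarkable but add up to 8,255 rows within one hour, which is the pattern a per-request size limit alone would miss.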
So the OPM hack is one that we should take note of; it’s another indication of how valuable Western targets can be. As businesses, we should always view these events as a learning experience. And following the steps outlined above will help you understand how much risk your business could face.
We know the old rules and defenses are no longer working, so it’s up to all of us who work to protect information systems and data to find the new rules. Stay safe out there.
Orlando Scott-Cowley is a cyber-security specialist at Mimecast. His background is in high-level technical consulting, including security and risk consulting, penetration testing and other areas. Orlando speaks at events in the UK and US on a variety of security, risk and compliance topics and on the emergence of cloud and SaaS technologies.