Since its massive data breach in 2015, the Office of Personnel Management has failed to follow through on basic security recommendations, including changing passwords.
According to a report issued this week by the U.S. Government Accountability Office (GAO), the Office of Personnel Management has only implemented about 64% of the recommendations made following the OPM data breach over three years ago. The GAO said that the OPM failed to produce sufficient evidence that the remaining third of its recommendations were implemented. Some of the incomplete recommendations are considered basic security best practices — especially following a data breach.
The GAO said in its report that, following the OPM data breach, the agency had failed to fully demonstrate that it had reset all passwords, “install critical patches in a timely manner, periodically evaluate accounts to ensure privileged access is warranted, and assess controls on selected systems as defined in its continuous monitoring plan.”
The report also noted that OPM failed to implement other recommendations such as “avoiding the use of the same administrator accounts by multiple persons, implementing procedures governing the use of special privileges on a key computer, encrypting passwords while stored or in-transit across the network, and installing the latest versions of operating system software on network devices supporting a high-impact system.”
The GAO said that the OPM had implemented 51 out of 80 recommendations that they provided across four different reports that followed the OPM data breach.
The 2015 OPM data breach compromised around 22 million personal records — including 5.6 million fingerprints — and affected 4.2 million current and former employees of the U.S. federal government; it’s considered one of the worst breaches of the U.S. government in history. The information stolen included Social Security numbers, address histories, employment and education histories, health information, financial histories and criminal information.
The OPM data breach is believed to be the work of Chinese national Yu Pingan, who was arrested in Los Angeles in August 2017. Pingan allegedly used the Sakula malware to penetrate the network at the OPM, likely in two waves of attacks — the first in December 2014 and the second in April 2015.
The GAO report said that the “OPM has made progress in implementing our recommendations for improving its security posture” since the data breach was disclosed in 2015, “but further actions are needed.”
In other news:
- A team of nine researchers has uncovered seven new attacks that use the Meltdown and Spectre vulnerabilities. Some of the attacks — all transient execution attacks — have mitigations already in place and some do not. There are two new Meltdown attack variants and five new Spectre “mistraining strategies” and all of them affect Intel, AMD and ARM processor vendors. The research team consists researchers from Graz University of Technology, imec-DistriNet, KU Leuven and College of William and Mary — some of whom were part of the original research team that uncovered the Meltdown and Spectre vulnerabilities. In their paper, the research team noted that the industry has been focusing on defending only one attack surface related to Meltdown and Spectre, and that’s not the right approach. “This is highly problematic as the state-of-the-art provides only limited insight on residual attack surface and the completeness of the proposed defenses,” they said. Through their research, the team said, “We can still mount transient execution attacks that are supposed to be mitigated by rolled out patches.”
- In Microsoft’s November 2018 Patch Tuesday, a new Windows zero-day vulnerability was addressed after it was discovered by Kaspersky Lab on Oct. 17, 2018. The vulnerability, CVE-2018-8589, was exploited by an APT group with its victims located in the Middle East. The exploit only targeted the 32-bit version of Windows 7 and it was executed by the first stage of a malware installer that was being used to gain additional necessary privileges for persistence on a victim’s system. While analysts do not know how the malware was delivered, Kaspersky reported that it had only been used in a limited number of attacks. Kaspersky has not said who is behind these attacks but mentioned it was being used by at least one APT group. This is the second zero-day vulnerability found this year in the 32-bit version of Windows 7 with the first one — CVE-2018-8453 — discovered by Kaspersky in August and patched by Microsoft in its October updates. Just like the second vulnerability, the first one also targeted users in the Middle East, but there is no clear connection between the two attacks.
- On Tuesday, Nov. 13, the House passed a bill establishing a new cybersecurity agency, the Cybersecurity and Infrastructure Security Agency (CISA). The Cybersecurity and Infrastructure Security Agency Act of 2017 , now waiting for President Donald Trump’s signature, proposes to solidify the Department of Homeland Security (DHS) as the main federal agency to oversee civilian cybersecurity. This means CISA would hold the same stature as other departments within DHS, such as the Secret Service. Earlier this year, the bill stalled in the Senate and was passed, but changes were made to the House-passed version, causing it to go back to the lower chamber for approval. The CISA will further be responsible for securing federal networks and protecting critical infrastructure from cyber and physical threats. The bill also calls for a rebranding of the National Protection and Programs Directorate (NPPD) — which currently acts as the main cybersecurity unit — to transform it into the Cybersecurity and Infrastructure Protection Agency. A report from The Hill noted that NPPD’s responsibilities have expanded since its inception, but more recently since taking the lead to protect digital election infrastructure from sabotage after the 2016 election.