In April, federal authorities detected an ongoing remote attack targeting the United States’ Office of Personnel Management (OPM) computer systems. This situation may have gone on for months, possibly even longer, but the White House only made the discovery public last Friday. While the attack was eventually uncovered using the Department of Homeland Security’s (DHS) Einstein—the multibillion-dollar intrusion detection and prevention system that stands guard over much of the federal government’s Internet traffic—it managed to evade this detection entirely until another OPM breach spurred deeper examination.
June 9, 2015 (c) Joe Bellott, CISO
While anonymous administration officials have blamed China for the attack (and many in the security community believe that the attack bears the hallmark of Chinese state-sponsored espionage), no direct evidence has been offered. The FBI blamed a previous breach at an OPM contractor on the Chinese, and security firm iSight Partners told The Washington Post that this latest attack was linked to the same group that breached health insurer Anthem.
OPM is the human resources department for the civilian agencies of the federal government, so this attack exposed records for over four million current and former government employees at places like the Department of Defense. The breach, which CNN dubbed “the biggest government hack ever,” included background and security clearance investigations on employees’ families, neighbors, and close associates stored in the Electronic Questionnaires for Investigations Processing (e-QIP) system and other databases. The attack also affected a data center operated by Department of the Interior used by OPM and other agencies as a shared service—the result of data center consolidation ordered by the Obama administration. As a result, even more agencies may have been directly affected.
The OPM hack is just the latest in a series of federal network intrusions and data breaches, including recent incidents at the Internal Revenue Service, the State Department, and even the White House. These attacks have occurred despite the $4.5 billion National Cybersecurity and Protection System (NCPS) program and its centerpiece capability, Einstein. Falling under the Department of Homeland Security’s watch, that system sits astride the government’s trusted Internet gateways. Einstein was originally based on deep packet inspection technology first deployed over a decade ago, and the system’s latest $218 million upgrade was supposed to make it capable of more active attack prevention. But the traffic flow analysis and signature detection capabilities of Einstein, drawn from both DHS traffic analysis and data shared by the National Security Agency, appear to be incapable of catching the sort of tactics that have become the modern baseline for state-sponsored network espionage and criminal attacks. Once such attacks are executed, they tend to look like normal network traffic.
Put simply, as new capabilities for Einstein are being rolled out, they’re not keeping pace with the types of threats now facing federal agencies. And with the data from OPM and other breaches, foreign intelligence services have a goldmine of information about federal employees at every level of the government. It’s a worrisome cache that could easily be leveraged for additional, highly targeted cyber-attacks and other espionage. In a nation with a growing reputation for state-of-the-art surveillance initiatives and cyber warfare techniques, how did we become the ones playing catch-up?
Read the rest of this article at: https://www.linkedin.com/pulse/biggest-government-hack-ever-aegis-could-have-joe-bellott?trk=hb_ntf_MEGAPHONE_ARTICLE_POST
InCyber Comments and Suggestions
The author of this article, Mr. Joe Bellott, is a CISO and forensic expert on cyber security. He conducted research on this breach, which exposed 4 million former and current employees of a number of Federal Agencies.
In our opinion, we have not heard the “last of the story”. The people (hackers) who have stolen these records can come back (most likely) and utilize the information to defraud and cause severe damage to millions of people.
As Mr. Bellott indicated, this breach could have been avoided. The InCyber PAS Pro-Active and Predicting System has been proven 100% effective against Insider Threats. For additional information write to: info@incyber.co. We are now offering a Free Insider Penetration Test for up to 500 Employees using your own historical data.