SlideShare a Scribd company logo

Case Study U.S. Office of Personnel Management Data Breach No

Download as DOCX, PDF
M
MaximaSheffield592

The U.S. Office of Personnel Management (OPM) suffered a major data breach from 2014-2015 resulting in the theft of personal and security clearance data on 21.5 million people. Hackers were able to access OPM's networks by stealing credentials and installing malware. The breach exposed vulnerabilities that had been previously identified, including a lack of effective access controls, encryption, security training, and leadership prioritizing cybersecurity. It is believed the Chinese government was behind the attack due to officials' suspicions and the sensitivity of stolen security clearance data.

Education
1 of 14
Case Study U.S. Office of Personnel Management Data Breach: No Routine Hack The U.S. Office of Personnel Management (OPM) is responsible for recruiting and retaining a world-class workforce to serve the American people and is also responsible for background investigations on prospective employees and security clearances. In June 2015, the OPM announced that it had been the target of a data breach targeting the records of as many as 4 million people. In the following months, the number of stolen records was upped to 21.5 million. This was no routine hack. It is the greatest theft of sensitive personnel data in history. Information targeted in the breach included personally identifiable information such as social security numbers as well as names, dates and places of birth, and addresses. Also stolen was detailed security clearance–related background information. This included records of people who had undergone background checks but who were not necessarily current or former government employees. The data breach is believed to have begun in March 2014 and perhaps earlier, but it was not noticed by the OPM until April 2015, and it is unclear how it was actually discovered. The intrusion occurred before OPM
had finished implementing new security procedures that restricted remote access for network administrators and reviewed all Internet connections to the outside world. U.S. government officials suspect that the breach was the work of Chinese hackers, although there is no proof that it was actually sponsored by the Chinese government. Chinese officials have denied involvement. The attackers had stolen user credentials from contractor KeyPoint Government Solution s to access OPM networks, most likely through social engineering. The hackers then planted malware, which installed itself within OPM’s network and established a backdoor for plundering data. From there, attackers escalated their privileges to gain access to a wide range of OPM systems. The hackers’ biggest prize was probably more than 20 years of background check data on the highly sensitive 127-page Standard Forms SF-86 Questionnaire for
National Security Positions. SF-86 forms contain information about family members, college roommates, foreign contacts, and psychological information. OPM information related to the background investigations of current, former, and prospective federal government employees, including U.S. military personnel, and those for whom a federal background investigation was conducted, may have been extracted. Government officials say that the exposure of security clearance information could pose a problem for years. The Central Intelligence Agency (CIA) does not use the OPM system, and its records were protected during the breach. However, intelligence and congressional officials worried that the hackers or Chinese intelligence operatives could still use the detailed OPM information they did obtain to identify U.S. spies by process of elimination. If they combined the stolen data with other information gathered over time, they could use big data analytics to identify operatives.
The potential exposure of U.S. intelligence officers could prevent many of them from ever being posted abroad again. Adm. Michael S. Rogers, director of the National Security Agency, suggested that the personnel data could also be used to develop “spear phishing” attacks on government officials. In such attacks, victims are duped into clicking on what appear to be emails from people they know, allowing malware into their computer networks. The stolen data also included 5.6 million sets of fingerprints. According to biometrics expert Ramesh Kesanupalli, this could compromise secret agents because they could be identified by their fingerprints even if their names had been changed. The OPM had been warned multiple times of security vulnerabilities and failings. A March 2015 OPM Office
of the Inspector General semiannual report to Congress mentioned persistent deficiencies in OPM’s information system security program, including incomplete security authorization packages, weaknesses in testing information security controls, and inaccurate plans of action and milestones. Security experts have stated that the biggest problem with the breach was not OPM’s failure to prevent remote break-ins but the absence of mechanisms to detect outside intrusion and inadequate encryption of sensitive data. Assistant Secretary for Cybersecurity and Communications Andy Ozment pointed out that if someone has the credentials of a user on the network, then he or she can access data even if they are encrypted, so encryption in this instance would not have protected the OPM data. OPM was saddled with outdated technology and weak management. A DHS Federal Information Security Management Act (FISMA) Audit for fiscal year 2014 and audit of the Office of the Inspector General found
serious flaws in OPM’s network and the way it was managed. OPM did not maintain an inventory of systems and baseline configurations, with 11 servers operating without valid authorization. The auditors could not independently verify OPM’s monthly automated vulnerability scanning program for all servers. There was no senior information security specialist or chief information security officer (CISO) responsible for network security. OPM lacked an effective multifactor authentication strategy and had poor management of user rights, inadequate monitoring of multiple systems, many unpatched computers, and a decentralized and ineffective cybersecurity function. Sensitive data were unencrypted and stored in old database systems that were vulnerable. What’s more, OPM used contractors in China to manage some of its databases. These deficiencies had been pointed out to OPM over and over again since a FISMA audit in 2007. OPM had the vulnerabilities, no security-oriented leadership, and a skillful and motivated adversary.
Some security experts see OPM’s vulnerabilities as a sign of the times, a reflection of large volumes of data, contemporary network complexity, weak organizational and cultural practices, and a legacy of outdated and poorly written software. As Thomas Bayer, CIO at Standard & Poor’s Ratings, explained, until you have a serious data breach like the OPM hack, everyone invests in other things. It’s only when a massive data breach occurs that organizations focus on their infrastructure. The expertise and technology for halting or slowing down cyberattacks such as that on OPM are not a mystery, and many companies and some government organizations are effectively defending themselves against most of the risks they face. OPM lacked leadership and accountability. The prevailing mentality was for everyone to sit and bide their time. The CEO, CIO, and CISO in a private organization would be held accountable by the board of directors.
OPM is a top-heavy organization, with a large management layer of senior advisers to the director. For example, CIO Donna Seymour has 28 staff members under her and four direct reporting organizations, none of which is security-focused. There is no listed CISO function. OPM’s director has 62 senior leaders in four groups. Many OPM managers are politically appointed and lack the expertise to make informed decisions about cybersecurity. It’s only when managers in an organization understand and appreciate information security risks that they will authorize their IT department to develop an effective set of controls. Most directors in the U.S. government do not have people in their organizations with the expertise and power to make changes, and many staff members are just not right for the job. OPM director Katherine Archuleta had formerly been the National Political Director for
Barak Obama’s 2012 presidential reelection campaign. CIO Donna Seymour, who was supposed to advise Archuleta on how to manage risk in IT systems, was a career government employee for more than 34 years. She had some IT and management roles at the Department of Defense and other agencies and has a degree in computer science but no specific expertise in cybersecurity. It is also difficult to bring in experienced managers from the business world because federal government pay scales are so low. A chief information officer (CIO) or chief information security officer (CISO) in the federal government would probably be paid about $168,000 annually, whereas an equivalent position in the private sector would probably have annual compensation of $400,000. Since the OPM break-in, there has been a massive effort to rectify years of poor IT management. OPM is moving toward more centralized management of security.
Information system security officers (ISSOs) report directly to a CISO. These positions are filled by individuals with professional security backgrounds. OPM hired a cybersecurity advisor, Clifton Triplett, and increased its IT modernization budget from $31 million to $87 million, with another $21 million scheduled for 2016. OPM told current and former federal employees they could have free credit monitoring for 18 months to make sure their identities had not been stolen, but it has been slapped with numerous lawsuits from victims. Seymour faces a lawsuit for her role in failing to protect millions of personal employee data files, and Archuleta had to resign. The FBI and Department of Homeland Security released a “cyber alert” memo describing lessons learned from the OPM hack. The memo lists generally recommended security practices for OPM to adopt, including encrypting data, activating a personal firewall at agency workstations, monitoring users’ online habits, and blocking potentially malicious sites. The Obama administration
ordered a 30-day Cybersecurity Sprint across all agencies to try to fix the big problems. Without a strong foundation, this investment could prove futile in the long run. OPM and the federal government as a whole need to invest more in managers with IT security expertise and give those individuals real authority to act. What about other federal agencies storing sensitive information? The news is not good. An audit issued before the Chinese attacks pointed to lax security at the Internal Revenue Service, the Nuclear Regulatory Commission, the Energy Department, the Securities and Exchange Commission, and even the Department of Homeland Security, which is responsible for securing the nation’s critical networks and infrastructure. Computer security failure remains across agencies even though the U.S. government has spent at least $65 billion on security since 2006.
Sources: Sean Lyngaas, “What DHS and the FBI Learned from the OPM Breach,” FCW, January 11, 2016; Brendan L. Koerner, “Inside the Cyberattack that Shocked the U.S. Government,” Wired, October 23, 2016; Michael Adams, “Why the OPM Hack Is Worse Than You Imagined,” Lawfare, March 11, 2016; Adam Rice, “Warnings, Neglect and a Massive OPM Breach,” SearchSecurity.com, accessed June 15, 2016; Steve Rosenbush, “The Morning Download: Outdated Tech Infrastructure Led to Massive OPM Breach,” Wall Street Journal, July 10, 2015; Mark Mazzette and David E. Sanger, “U.S. Fears Data Stolen by Chinese Hacker Could Identify Spies,” New York Times, July 24, 2015; Damian Paletta and Danny Yadron, “OPM Ratches Up Estimate of Hack’s Scope” Wall Street Journal, July 9, 2015; and David E. Sanger, Nicole Perlroth, and Michael D. Shear, “Attack Gave Chinese Hackers Privileged Access to U.S. Systems,” New York Times, June 20, 2015.
Case Study Questions MyLab MIS Go to the Assignments section of MyLab MIS to complete these writing exercises. 8-13 List and describe the security and control weaknesses at OPM that are discussed in this case. 8-14 What people, organization, and technology factors contributed to these problems? How much was management responsible? 8-15 What was the impact of the OPM hack? 8-16 Is there a solution to this problem? Explain your answ er. 8-17 Describe three spoofing tactics employed in identity theft by using information systems. 8-18 Describe four reasons mobile devices used in business are difficult to secure.
Case Study U.S. Office of Personnel Management Data Breach No

Recommended

Combating Phishing Attacks
Combating Phishing AttacksCombating Phishing Attacks
Combating Phishing Attacks
Rapid7
 
Identity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expaIdentity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expa
LizbethQuinonez813
 
Top 5 it security threats for 2015
Top 5 it security threats for 2015Top 5 it security threats for 2015
Top 5 it security threats for 2015
Bev Robb
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-data
Numaan Huq
 
Junyan Wu Healthcare information security control on insider threat proposal
Junyan Wu Healthcare information security control on insider threat proposalJunyan Wu Healthcare information security control on insider threat proposal
Junyan Wu Healthcare information security control on insider threat proposal
Junyan Wu
 
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
ERPScan
 
This assignment covers chapter 8 and is due by 1000 p.m on Monday.docx
This assignment covers chapter 8 and is due by 1000 p.m on Monday.docxThis assignment covers chapter 8 and is due by 1000 p.m on Monday.docx
This assignment covers chapter 8 and is due by 1000 p.m on Monday.docx
christalgrieg
 
Great Chinese Hack of the United States Government's Personnel Office in 2015
Great Chinese Hack of the United States Government's Personnel Office in 2015Great Chinese Hack of the United States Government's Personnel Office in 2015
Great Chinese Hack of the United States Government's Personnel Office in 2015
Dr. Tim Dosemagen
 

Recommended

Combating Phishing Attacks
Combating Phishing AttacksCombating Phishing Attacks
Combating Phishing Attacks
Rapid7
 
Identity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expaIdentity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expa
LizbethQuinonez813
 
Top 5 it security threats for 2015
Top 5 it security threats for 2015Top 5 it security threats for 2015
Top 5 it security threats for 2015
Bev Robb
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-data
Numaan Huq
 
Junyan Wu Healthcare information security control on insider threat proposal
Junyan Wu Healthcare information security control on insider threat proposalJunyan Wu Healthcare information security control on insider threat proposal
Junyan Wu Healthcare information security control on insider threat proposal
Junyan Wu
 
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
ERPScan
 
This assignment covers chapter 8 and is due by 1000 p.m on Monday.docx
This assignment covers chapter 8 and is due by 1000 p.m on Monday.docxThis assignment covers chapter 8 and is due by 1000 p.m on Monday.docx
This assignment covers chapter 8 and is due by 1000 p.m on Monday.docx
christalgrieg
 
Great Chinese Hack of the United States Government's Personnel Office in 2015
Great Chinese Hack of the United States Government's Personnel Office in 2015Great Chinese Hack of the United States Government's Personnel Office in 2015
Great Chinese Hack of the United States Government's Personnel Office in 2015
Dr. Tim Dosemagen
 
Information+security rutgers(final)
Information+security rutgers(final)Information+security rutgers(final)
Information+security rutgers(final)
Amy Stowers
 
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
David Sweigert
 
Adjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New NormalAdjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New Normal
Priyanka Aash
 
Data Breach Research Plan 72415 FINAL
Data Breach Research Plan 72415 FINALData Breach Research Plan 72415 FINAL
Data Breach Research Plan 72415 FINAL
Joseph White MPA CPM
 
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfThe Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
Protected Harbor
 
Why Passwords are not strong enough
Why Passwords are not strong enoughWhy Passwords are not strong enough
Why Passwords are not strong enough
EMC
 
Best practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingBest practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_training
wardell henley
 
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
hyacinthshackley2629
 
Insider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdfInsider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdf
ramsetl
 
Trouble with the terroriest
Trouble with the terroriestTrouble with the terroriest
Trouble with the terroriest
baqerz
 
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
Robert Craig
 
iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?
Hayden McCall
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industry
Numaan Huq
 
1. Read the RiskReport to see what requirements are.2. Read the .docx
1. Read the RiskReport to see what requirements are.2. Read the .docx1. Read the RiskReport to see what requirements are.2. Read the .docx
1. Read the RiskReport to see what requirements are.2. Read the .docx
blondellchancy
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challenge
msdee3362
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Casey Ellis
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
bugcrowd
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
Casey Ellis
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6
seadeloitte
 
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITALINCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
IJNSA Journal
 
ChanceBrooksAn Introduction to Derivatives and RiskMana
ChanceBrooksAn Introduction to Derivatives and RiskManaChanceBrooksAn Introduction to Derivatives and RiskMana
ChanceBrooksAn Introduction to Derivatives and RiskMana
MaximaSheffield592
 
Chapter 1 Overview of geneticsQUESTIONS FOR RESEARCH AND DISCUSS
Chapter 1 Overview of geneticsQUESTIONS FOR RESEARCH AND DISCUSSChapter 1 Overview of geneticsQUESTIONS FOR RESEARCH AND DISCUSS
Chapter 1 Overview of geneticsQUESTIONS FOR RESEARCH AND DISCUSS
MaximaSheffield592
 

More Related Content

Similar to Case Study U.S. Office of Personnel Management Data Breach No

Information+security rutgers(final)
Information+security rutgers(final)Information+security rutgers(final)
Information+security rutgers(final)
Amy Stowers
 
Data Breach Research Plan 72415 FINAL
Data Breach Research Plan 72415 FINALData Breach Research Plan 72415 FINAL
Data Breach Research Plan 72415 FINAL
Joseph White MPA CPM
 
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
hyacinthshackley2629
 
Insider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdfInsider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdf
ramsetl
 
Trouble with the terroriest
Trouble with the terroriestTrouble with the terroriest
Trouble with the terroriest
baqerz
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industry
Numaan Huq
 
1. Read the RiskReport to see what requirements are.2. Read the .docx
1. Read the RiskReport to see what requirements are.2. Read the .docx1. Read the RiskReport to see what requirements are.2. Read the .docx
1. Read the RiskReport to see what requirements are.2. Read the .docx
blondellchancy
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challenge
msdee3362
 
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITALINCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
IJNSA Journal
 

Similar to Case Study U.S. Office of Personnel Management Data Breach No (20)

Information+security rutgers(final)
Information+security rutgers(final)Information+security rutgers(final)
Information+security rutgers(final)
 
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
 
Adjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New NormalAdjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New Normal
 
Data Breach Research Plan 72415 FINAL
Data Breach Research Plan 72415 FINALData Breach Research Plan 72415 FINAL
Data Breach Research Plan 72415 FINAL
 
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfThe Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
 
Why Passwords are not strong enough
Why Passwords are not strong enoughWhy Passwords are not strong enough
Why Passwords are not strong enough
 
Best practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingBest practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_training
 
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
 
Insider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdfInsider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdf
 
Trouble with the terroriest
Trouble with the terroriestTrouble with the terroriest
Trouble with the terroriest
 
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
 
iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industry
 
1. Read the RiskReport to see what requirements are.2. Read the .docx
1. Read the RiskReport to see what requirements are.2. Read the .docx1. Read the RiskReport to see what requirements are.2. Read the .docx
1. Read the RiskReport to see what requirements are.2. Read the .docx
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challenge
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6
 
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITALINCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
 

More from MaximaSheffield592

ChanceBrooksAn Introduction to Derivatives and RiskMana
ChanceBrooksAn Introduction to Derivatives and RiskManaChanceBrooksAn Introduction to Derivatives and RiskMana
ChanceBrooksAn Introduction to Derivatives and RiskMana
MaximaSheffield592
 
Chapter 1 Overview of geneticsQUESTIONS FOR RESEARCH AND DISCUSS
Chapter 1 Overview of geneticsQUESTIONS FOR RESEARCH AND DISCUSSChapter 1 Overview of geneticsQUESTIONS FOR RESEARCH AND DISCUSS
Chapter 1 Overview of geneticsQUESTIONS FOR RESEARCH AND DISCUSS
MaximaSheffield592
 
Chapter 1 OutlineI. Thinking About DevelopmentA. What Is Hum
Chapter 1 OutlineI. Thinking About DevelopmentA. What Is HumChapter 1 OutlineI. Thinking About DevelopmentA. What Is Hum
Chapter 1 OutlineI. Thinking About DevelopmentA. What Is Hum
MaximaSheffield592
 
Chapter 1 Juvenile Justice Myths and RealitiesMyths and Reali
Chapter 1 Juvenile Justice Myths and RealitiesMyths and RealiChapter 1 Juvenile Justice Myths and RealitiesMyths and Reali
Chapter 1 Juvenile Justice Myths and RealitiesMyths and Reali
MaximaSheffield592
 
Chapter 1 Introduction to the Fundamentals of LawFundamentals
Chapter 1 Introduction to the Fundamentals of LawFundamentalsChapter 1 Introduction to the Fundamentals of LawFundamentals
Chapter 1 Introduction to the Fundamentals of LawFundamentals
MaximaSheffield592
 
CHAPTER 1 Philosophy as a Basis for Curriculum Decisio
CHAPTER 1 Philosophy as a Basis for Curriculum DecisioCHAPTER 1 Philosophy as a Basis for Curriculum Decisio
CHAPTER 1 Philosophy as a Basis for Curriculum Decisio
MaximaSheffield592
 
Chapter 1 Introduction Criterion• Introduction – states general
Chapter 1 Introduction Criterion• Introduction – states general Chapter 1 Introduction Criterion• Introduction – states general
Chapter 1 Introduction Criterion• Introduction – states general
MaximaSheffield592
 
Chapter 1 IntroductionThis research paper seeks to examine the re
Chapter 1 IntroductionThis research paper seeks to examine the reChapter 1 IntroductionThis research paper seeks to examine the re
Chapter 1 IntroductionThis research paper seeks to examine the re
MaximaSheffield592
 
Chapter 1 from Business Communication for Success was adapted
Chapter 1 from Business Communication for Success was adapted Chapter 1 from Business Communication for Success was adapted
Chapter 1 from Business Communication for Success was adapted
MaximaSheffield592
 
Chapter 1 Changing Organizations in Our Complex WorldCh
Chapter 1 Changing Organizations in Our Complex WorldChChapter 1 Changing Organizations in Our Complex WorldCh
Chapter 1 Changing Organizations in Our Complex WorldCh
MaximaSheffield592
 
CHAPTER 1 CURRICULUM AND INSTRUCTION DEFINEDDev
CHAPTER 1 CURRICULUM AND INSTRUCTION DEFINEDDevCHAPTER 1 CURRICULUM AND INSTRUCTION DEFINEDDev
CHAPTER 1 CURRICULUM AND INSTRUCTION DEFINEDDev
MaximaSheffield592
 
Chapter 1 Introduction to Career Development in the Global Econo
Chapter 1 Introduction to Career Development in the Global EconoChapter 1 Introduction to Career Development in the Global Econo
Chapter 1 Introduction to Career Development in the Global Econo
MaximaSheffield592
 
Chapter 1 Goals and Governance of the CorporationChapter 1 Le
Chapter 1 Goals and Governance of the CorporationChapter 1 LeChapter 1 Goals and Governance of the CorporationChapter 1 Le
Chapter 1 Goals and Governance of the CorporationChapter 1 Le
MaximaSheffield592
 
Chapter 1 Adjusting to Modern Life EXERCISE 1.1 Self-Assessm
Chapter 1 Adjusting to Modern Life EXERCISE 1.1 Self-AssessmChapter 1 Adjusting to Modern Life EXERCISE 1.1 Self-Assessm
Chapter 1 Adjusting to Modern Life EXERCISE 1.1 Self-Assessm
MaximaSheffield592
 
Chapter 01Real Estate Investment Basic Legal Concepts
Chapter 01Real Estate Investment Basic Legal ConceptsChapter 01Real Estate Investment Basic Legal Concepts
Chapter 01Real Estate Investment Basic Legal Concepts
MaximaSheffield592
 
Chapter 1 The Americas, Europe, and Africa Before 1492
Chapter 1 The Americas, Europe, and Africa Before 1492 Chapter 1 The Americas, Europe, and Africa Before 1492
Chapter 1 The Americas, Europe, and Africa Before 1492
MaximaSheffield592
 
Chapter 1 - Overview Gang Growth and Migration Studies v A
Chapter 1 - Overview Gang Growth and Migration Studies v AChapter 1 - Overview Gang Growth and Migration Studies v A
Chapter 1 - Overview Gang Growth and Migration Studies v A
MaximaSheffield592
 
Chapter 06 Video Case - Theo Chocolate CompanyVideo Transcript
Chapter 06 Video Case - Theo Chocolate CompanyVideo TranscriptChapter 06 Video Case - Theo Chocolate CompanyVideo Transcript
Chapter 06 Video Case - Theo Chocolate CompanyVideo Transcript
MaximaSheffield592
 
Chapter 08 Motor Behavior8Motor BehaviorKatherine
Chapter 08 Motor Behavior8Motor BehaviorKatherine Chapter 08 Motor Behavior8Motor BehaviorKatherine
Chapter 08 Motor Behavior8Motor BehaviorKatherine
MaximaSheffield592
 
Changes in APA Writing Style 6th Edition (2006) to 7th Edition O
Changes in APA Writing Style 6th Edition (2006) to 7th Edition OChanges in APA Writing Style 6th Edition (2006) to 7th Edition O
Changes in APA Writing Style 6th Edition (2006) to 7th Edition O
MaximaSheffield592
 

More from MaximaSheffield592 (20)

ChanceBrooksAn Introduction to Derivatives and RiskMana
ChanceBrooksAn Introduction to Derivatives and RiskManaChanceBrooksAn Introduction to Derivatives and RiskMana
ChanceBrooksAn Introduction to Derivatives and RiskMana
 
Chapter 1 Overview of geneticsQUESTIONS FOR RESEARCH AND DISCUSS
Chapter 1 Overview of geneticsQUESTIONS FOR RESEARCH AND DISCUSSChapter 1 Overview of geneticsQUESTIONS FOR RESEARCH AND DISCUSS
Chapter 1 Overview of geneticsQUESTIONS FOR RESEARCH AND DISCUSS
 
Chapter 1 OutlineI. Thinking About DevelopmentA. What Is Hum
Chapter 1 OutlineI. Thinking About DevelopmentA. What Is HumChapter 1 OutlineI. Thinking About DevelopmentA. What Is Hum
Chapter 1 OutlineI. Thinking About DevelopmentA. What Is Hum
 
Chapter 1 Juvenile Justice Myths and RealitiesMyths and Reali
Chapter 1 Juvenile Justice Myths and RealitiesMyths and RealiChapter 1 Juvenile Justice Myths and RealitiesMyths and Reali
Chapter 1 Juvenile Justice Myths and RealitiesMyths and Reali
 
Chapter 1 Introduction to the Fundamentals of LawFundamentals
Chapter 1 Introduction to the Fundamentals of LawFundamentalsChapter 1 Introduction to the Fundamentals of LawFundamentals
Chapter 1 Introduction to the Fundamentals of LawFundamentals
 
CHAPTER 1 Philosophy as a Basis for Curriculum Decisio
CHAPTER 1 Philosophy as a Basis for Curriculum DecisioCHAPTER 1 Philosophy as a Basis for Curriculum Decisio
CHAPTER 1 Philosophy as a Basis for Curriculum Decisio
 
Chapter 1 Introduction Criterion• Introduction – states general
Chapter 1 Introduction Criterion• Introduction – states general Chapter 1 Introduction Criterion• Introduction – states general
Chapter 1 Introduction Criterion• Introduction – states general
 
Chapter 1 IntroductionThis research paper seeks to examine the re
Chapter 1 IntroductionThis research paper seeks to examine the reChapter 1 IntroductionThis research paper seeks to examine the re
Chapter 1 IntroductionThis research paper seeks to examine the re
 
Chapter 1 from Business Communication for Success was adapted
Chapter 1 from Business Communication for Success was adapted Chapter 1 from Business Communication for Success was adapted
Chapter 1 from Business Communication for Success was adapted
 
Chapter 1 Changing Organizations in Our Complex WorldCh
Chapter 1 Changing Organizations in Our Complex WorldChChapter 1 Changing Organizations in Our Complex WorldCh
Chapter 1 Changing Organizations in Our Complex WorldCh
 
CHAPTER 1 CURRICULUM AND INSTRUCTION DEFINEDDev
CHAPTER 1 CURRICULUM AND INSTRUCTION DEFINEDDevCHAPTER 1 CURRICULUM AND INSTRUCTION DEFINEDDev
CHAPTER 1 CURRICULUM AND INSTRUCTION DEFINEDDev
 
Chapter 1 Introduction to Career Development in the Global Econo
Chapter 1 Introduction to Career Development in the Global EconoChapter 1 Introduction to Career Development in the Global Econo
Chapter 1 Introduction to Career Development in the Global Econo
 
Chapter 1 Goals and Governance of the CorporationChapter 1 Le
Chapter 1 Goals and Governance of the CorporationChapter 1 LeChapter 1 Goals and Governance of the CorporationChapter 1 Le
Chapter 1 Goals and Governance of the CorporationChapter 1 Le
 
Chapter 1 Adjusting to Modern Life EXERCISE 1.1 Self-Assessm
Chapter 1 Adjusting to Modern Life EXERCISE 1.1 Self-AssessmChapter 1 Adjusting to Modern Life EXERCISE 1.1 Self-Assessm
Chapter 1 Adjusting to Modern Life EXERCISE 1.1 Self-Assessm
 
Chapter 01Real Estate Investment Basic Legal Concepts
Chapter 01Real Estate Investment Basic Legal ConceptsChapter 01Real Estate Investment Basic Legal Concepts
Chapter 01Real Estate Investment Basic Legal Concepts
 
Chapter 1 The Americas, Europe, and Africa Before 1492
Chapter 1 The Americas, Europe, and Africa Before 1492 Chapter 1 The Americas, Europe, and Africa Before 1492
Chapter 1 The Americas, Europe, and Africa Before 1492
 
Chapter 1 - Overview Gang Growth and Migration Studies v A
Chapter 1 - Overview Gang Growth and Migration Studies v AChapter 1 - Overview Gang Growth and Migration Studies v A
Chapter 1 - Overview Gang Growth and Migration Studies v A
 
Chapter 06 Video Case - Theo Chocolate CompanyVideo Transcript
Chapter 06 Video Case - Theo Chocolate CompanyVideo TranscriptChapter 06 Video Case - Theo Chocolate CompanyVideo Transcript
Chapter 06 Video Case - Theo Chocolate CompanyVideo Transcript
 
Chapter 08 Motor Behavior8Motor BehaviorKatherine
Chapter 08 Motor Behavior8Motor BehaviorKatherine Chapter 08 Motor Behavior8Motor BehaviorKatherine
Chapter 08 Motor Behavior8Motor BehaviorKatherine
 
Changes in APA Writing Style 6th Edition (2006) to 7th Edition O
Changes in APA Writing Style 6th Edition (2006) to 7th Edition OChanges in APA Writing Style 6th Edition (2006) to 7th Edition O
Changes in APA Writing Style 6th Edition (2006) to 7th Edition O
 

Recently uploaded

SPLICE Working Group: Reusable Code Examples
SPLICE Working Group: Reusable Code ExamplesSPLICE Working Group: Reusable Code Examples
SPLICE Working Group: Reusable Code Examples
Peter Brusilovsky
 

Recently uploaded (20)

BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...
BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...
BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...
 
Mattingly "AI & Prompt Design: Named Entity Recognition"
Mattingly "AI & Prompt Design: Named Entity Recognition"Mattingly "AI & Prompt Design: Named Entity Recognition"
Mattingly "AI & Prompt Design: Named Entity Recognition"
 
Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...
 
ANTI PARKISON DRUGS.pptx
ANTI PARKISON DRUGS.pptxANTI PARKISON DRUGS.pptx
ANTI PARKISON DRUGS.pptx
 
diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....
 
Supporting Newcomer Multilingual Learners
Supporting Newcomer Multilingual LearnersSupporting Newcomer Multilingual Learners
Supporting Newcomer Multilingual Learners
 
Observing-Correct-Grammar-in-Making-Definitions.pptx
Observing-Correct-Grammar-in-Making-Definitions.pptxObserving-Correct-Grammar-in-Making-Definitions.pptx
Observing-Correct-Grammar-in-Making-Definitions.pptx
 
Đề tieng anh thpt 2024 danh cho cac ban hoc sinh
Đề tieng anh thpt 2024 danh cho cac ban hoc sinhĐề tieng anh thpt 2024 danh cho cac ban hoc sinh
Đề tieng anh thpt 2024 danh cho cac ban hoc sinh
 
demyelinated disorder: multiple sclerosis.pptx
demyelinated disorder: multiple sclerosis.pptxdemyelinated disorder: multiple sclerosis.pptx
demyelinated disorder: multiple sclerosis.pptx
 
How to Manage Website in Odoo 17 Studio App.pptx
How to Manage Website in Odoo 17 Studio App.pptxHow to Manage Website in Odoo 17 Studio App.pptx
How to Manage Website in Odoo 17 Studio App.pptx
 
DEMONSTRATION LESSON IN ENGLISH 4 MATATAG CURRICULUM
DEMONSTRATION LESSON IN ENGLISH 4 MATATAG CURRICULUMDEMONSTRATION LESSON IN ENGLISH 4 MATATAG CURRICULUM
DEMONSTRATION LESSON IN ENGLISH 4 MATATAG CURRICULUM
 
Major project report on Tata Motors and its marketing strategies
Major project report on Tata Motors and its marketing strategiesMajor project report on Tata Motors and its marketing strategies
Major project report on Tata Motors and its marketing strategies
 
Improved Approval Flow in Odoo 17 Studio App
Improved Approval Flow in Odoo 17 Studio AppImproved Approval Flow in Odoo 17 Studio App
Improved Approval Flow in Odoo 17 Studio App
 
Trauma-Informed Leadership - Five Practical Principles
Trauma-Informed Leadership - Five Practical PrinciplesTrauma-Informed Leadership - Five Practical Principles
Trauma-Informed Leadership - Five Practical Principles
 
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
 
Graduate Outcomes Presentation Slides - English (v3).pptx
Graduate Outcomes Presentation Slides - English (v3).pptxGraduate Outcomes Presentation Slides - English (v3).pptx
Graduate Outcomes Presentation Slides - English (v3).pptx
 
An overview of the various scriptures in Hinduism
An overview of the various scriptures in HinduismAn overview of the various scriptures in Hinduism
An overview of the various scriptures in Hinduism
 
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...
 
SPLICE Working Group: Reusable Code Examples
SPLICE Working Group: Reusable Code ExamplesSPLICE Working Group: Reusable Code Examples
SPLICE Working Group: Reusable Code Examples
 
Basic Civil Engineering notes on Transportation Engineering & Modes of Transport
Basic Civil Engineering notes on Transportation Engineering & Modes of TransportBasic Civil Engineering notes on Transportation Engineering & Modes of Transport
Basic Civil Engineering notes on Transportation Engineering & Modes of Transport
 

Case Study U.S. Office of Personnel Management Data Breach No

  • 1. Case Study U.S. Office of Personnel Management Data Breach: No Routine Hack The U.S. Office of Personnel Management (OPM) is responsible for recruiting and retaining a world-class workforce to serve the American people and is also responsible for background investigations on prospective employees and security clearances. In June 2015, the OPM announced that it had been the target of a data breach targeting the records of as many as 4 million people. In the following months, the number of stolen records was upped to 21.5 million. This was no routine hack. It is the greatest theft of sensitive personnel data in history. Information targeted in the breach included personally identifiable information such as social security numbers as well as names, dates and places of birth, and addresses. Also stolen was detailed security clearance–related background information. This included records of people who had undergone background checks but who were not necessarily current or former government employees. The data breach is believed to have begun in March 2014 and perhaps earlier, but it was not noticed by the OPM until April 2015, and it is unclear how it was actually discovered. The intrusion occurred before OPM
  • 2. had finished implementing new security procedures that restricted remote access for network administrators and reviewed all Internet connections to the outside world. U.S. government officials suspect that the breach was the work of Chinese hackers, although there is no proof that it was actually sponsored by the Chinese government. Chinese officials have denied involvement. The attackers had stolen user credentials from contractor KeyPoint Government Solution s to access OPM networks, most likely through social engineering. The hackers then planted malware, which installed itself within OPM’s network and established a backdoor for plundering data. From there, attackers escalated their privileges to gain access to a wide range of OPM systems. The hackers’ biggest prize was probably more than 20 years of background check data on the highly sensitive 127-page Standard Forms SF-86 Questionnaire for
  • 3. National Security Positions. SF-86 forms contain information about family members, college roommates, foreign contacts, and psychological information. OPM information related to the background investigations of current, former, and prospective federal government employees, including U.S. military personnel, and those for whom a federal background investigation was conducted, may have been extracted. Government officials say that the exposure of security clearance information could pose a problem for years. The Central Intelligence Agency (CIA) does not use the OPM system, and its records were protected during the breach. However, intelligence and congressional officials worried that the hackers or Chinese intelligence operatives could still use the detailed OPM information they did obtain to identify U.S. spies by process of elimination. If they combined the stolen data with other information gathered over time, they could use big data analytics to identify operatives.
  • 4. The potential exposure of U.S. intelligence officers could prevent many of them from ever being posted abroad again. Adm. Michael S. Rogers, director of the National Security Agency, suggested that the personnel data could also be used to develop “spear phishing” attacks on government officials. In such attacks, victims are duped into clicking on what appear to be emails from people they know, allowing malware into their computer networks. The stolen data also included 5.6 million sets of fingerprints. According to biometrics expert Ramesh Kesanupalli, this could compromise secret agents because they could be identified by their fingerprints even if their names had been changed. The OPM had been warned multiple times of security vulnerabilities and failings. A March 2015 OPM Office
  • 5. of the Inspector General semiannual report to Congress mentioned persistent deficiencies in OPM’s information system security program, including incomplete security authorization packages, weaknesses in testing information security controls, and inaccurate plans of action and milestones. Security experts have stated that the biggest problem with the breach was not OPM’s failure to prevent remote break-ins but the absence of mechanisms to detect outside intrusion and inadequate encryption of sensitive data. Assistant Secretary for Cybersecurity and Communications Andy Ozment pointed out that if someone has the credentials of a user on the network, then he or she can access data even if they are encrypted, so encryption in this instance would not have protected the OPM data. OPM was saddled with outdated technology and weak management. A DHS Federal Information Security Management Act (FISMA) Audit for fiscal year 2014 and audit of the Office of the Inspector General found
  • 6. serious flaws in OPM’s network and the way it was managed. OPM did not maintain an inventory of systems and baseline configurations, with 11 servers operating without valid authorization. The auditors could not independently verify OPM’s monthly automated vulnerability scanning program for all servers. There was no senior information security specialist or chief information security officer (CISO) responsible for network security. OPM lacked an effective multifactor authentication strategy and had poor management of user rights, inadequate monitoring of multiple systems, many unpatched computers, and a decentralized and ineffective cybersecurity function. Sensitive data were unencrypted and stored in old database systems that were vulnerable. What’s more, OPM used contractors in China to manage some of its databases. These deficiencies had been pointed out to OPM over and over again since a FISMA audit in 2007. OPM had the vulnerabilities, no security-oriented leadership, and a skillful and motivated adversary.
  • 7. Some security experts see OPM’s vulnerabilities as a sign of the times, a reflection of large volumes of data, contemporary network complexity, weak organizational and cultural practices, and a legacy of outdated and poorly written software. As Thomas Bayer, CIO at Standard & Poor’s Ratings, explained, until you have a serious data breach like the OPM hack, everyone invests in other things. It’s only when a massive data breach occurs that organizations focus on their infrastructure. The expertise and technology for halting or slowing down cyberattacks such as that on OPM are not a mystery, and many companies and some government organizations are effectively defending themselves against most of the risks they face. OPM lacked leadership and accountability. The prevailing mentality was for everyone to sit and bide their time. The CEO, CIO, and CISO in a private organization would be held accountable by the board of directors.
  • 8. OPM is a top-heavy organization, with a large management layer of senior advisers to the director. For example, CIO Donna Seymour has 28 staff members under her and four direct reporting organizations, none of which is security-focused. There is no listed CISO function. OPM’s director has 62 senior leaders in four groups. Many OPM managers are politically appointed and lack the expertise to make informed decisions about cybersecurity. It’s only when managers in an organization understand and appreciate information security risks that they will authorize their IT department to develop an effective set of controls. Most directors in the U.S. government do not have people in their organizations with the expertise and power to make changes, and many staff members are just not right for the job. OPM director Katherine Archuleta had formerly been the National Political Director for
  • 9. Barak Obama’s 2012 presidential reelection campaign. CIO Donna Seymour, who was supposed to advise Archuleta on how to manage risk in IT systems, was a career government employee for more than 34 years. She had some IT and management roles at the Department of Defense and other agencies and has a degree in computer science but no specific expertise in cybersecurity. It is also difficult to bring in experienced managers from the business world because federal government pay scales are so low. A chief information officer (CIO) or chief information security officer (CISO) in the federal government would probably be paid about $168,000 annually, whereas an equivalent position in the private sector would probably have annual compensation of $400,000. Since the OPM break-in, there has been a massive effort to rectify years of poor IT management. OPM is moving toward more centralized management of security.
  • 10. Information system security officers (ISSOs) report directly to a CISO. These positions are filled by individuals with professional security backgrounds. OPM hired a cybersecurity advisor, Clifton Triplett, and increased its IT modernization budget from $31 million to $87 million, with another $21 million scheduled for 2016. OPM told current and former federal employees they could have free credit monitoring for 18 months to make sure their identities had not been stolen, but it has been slapped with numerous lawsuits from victims. Seymour faces a lawsuit for her role in failing to protect millions of personal employee data files, and Archuleta had to resign. The FBI and Department of Homeland Security released a “cyber alert” memo describing lessons learned from the OPM hack. The memo lists generally recommended security practices for OPM to adopt, including encrypting data, activating a personal firewall at agency workstations, monitoring users’ online habits, and blocking potentially malicious sites. The Obama administration
  • 11. ordered a 30-day Cybersecurity Sprint across all agencies to try to fix the big problems. Without a strong foundation, this investment could prove futile in the long run. OPM and the federal government as a whole need to invest more in managers with IT security expertise and give those individuals real authority to act. What about other federal agencies storing sensitive information? The news is not good. An audit issued before the Chinese attacks pointed to lax security at the Internal Revenue Service, the Nuclear Regulatory Commission, the Energy Department, the Securities and Exchange Commission, and even the Department of Homeland Security, which is responsible for securing the nation’s critical networks and infrastructure. Computer security failure remains across agencies even though the U.S. government has spent at least $65 billion on security since 2006.
  • 12. Sources: Sean Lyngaas, “What DHS and the FBI Learned from the OPM Breach,” FCW, January 11, 2016; Brendan L. Koerner, “Inside the Cyberattack that Shocked the U.S. Government,” Wired, October 23, 2016; Michael Adams, “Why the OPM Hack Is Worse Than You Imagined,” Lawfare, March 11, 2016; Adam Rice, “Warnings, Neglect and a Massive OPM Breach,” SearchSecurity.com, accessed June 15, 2016; Steve Rosenbush, “The Morning Download: Outdated Tech Infrastructure Led to Massive OPM Breach,” Wall Street Journal, July 10, 2015; Mark Mazzette and David E. Sanger, “U.S. Fears Data Stolen by Chinese Hacker Could Identify Spies,” New York Times, July 24, 2015; Damian Paletta and Danny Yadron, “OPM Ratches Up Estimate of Hack’s Scope” Wall Street Journal, July 9, 2015; and David E. Sanger, Nicole Perlroth, and Michael D. Shear, “Attack Gave Chinese Hackers Privileged Access to U.S. Systems,” New York Times, June 20, 2015.
  • 13. Case Study Questions MyLab MIS Go to the Assignments section of MyLab MIS to complete these writing exercises. 8-13 List and describe the security and control weaknesses at OPM that are discussed in this case. 8-14 What people, organization, and technology factors contributed to these problems? How much was management responsible? 8-15 What was the impact of the OPM hack? 8-16 Is there a solution to this problem? Explain your answ er. 8-17 Describe three spoofing tactics employed in identity theft by using information systems. 8-18 Describe four reasons mobile devices used in business are difficult to secure.