Post-OPM Breach: Closing Today's Federal Security Gaps


Understand NIST's Cyber Security Framework

NIST's Cyber Security Framework (CSF) is an important standard that forms a baseline that government agencies and private organizations operating in critical infrastructure can use to secure assets and sensitive information. The CSF leverages existing standards that are constantly being revised and improved to address emerging cyber threats.

For background, version 1.0 of the CSF was issued in February 2014. It was developed in response to President Obama's Executive Order, "Improving Critical Infrastructure Cybersecurity" that was released in 2013. The CSF was initially intended for companies that are part of the nation's critical infrastructure, defined as "Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."

However, NIST urges all organizations, from Fortune 1000 enterprises to small businesses, to consider applying the Framework in order to manage cybersecurity risks. It is being widely adopted across a range of industries, especially within financial services. This is a step in the right direction, as it means organizations of all shapes and sizes can use the same concepts and language when discussing the essential elements of a cybersecurity program. As a result, security professionals can begin to compare apples to apples across different domains. That said, all government agencies must practice what they preach and rigorously apply the CSF. Every federal organization should be assessed and be scrupulously held to these standards, as private companies are. In the case of the OPM, the Federal government is not "leading by example" – this needs to change in order to lessen and ultimately prevent repeated attacks.

Early in June it was reported that the Office of Personnel Management (OPM), a civilian-run government agency, experienced a data breach of its computer systems, giving suspected Chinese state-sponsored hackers access to up to four million records of former and current federal employees. The hack was so extensive that the retrieved information dated as far back as 1985. However, new reports show that the attack could be more than four times more devastating than initially estimated, and the number of people impacted could increase. In fact, the tally of those affected is now being revealed as the OPM sends out notices to people who are potentially impacted. Even more unnerving is that a 2014 audit uncovered security inadequacies within the OPM system, yet they were not reported until several months after detection.

Unlike previous major cyber attacks we have seen over the last year, the exposed data was not just limited to PII (Personally Identifiable Information) such as Social Security numbers, birthdates, and bank information. During this breach hackers accessed highly confidential employee background checks, containing information on their friends, family and past employment. Even private details such as mental illness treatments, lie detector test results, bankruptcy filings, and run-ins with the law were retrieved. At this point, according to Yo Delmar, vice president, GRC Solutions, MetricStream, we are unaware of the full impact of this breach; but if history is any indicator, it's highly likely that those responsible for the hack may already be using the stolen information in malicious, and highly illegal, ways.

Following the massive breach, what we must now focus on is what can be done at the federal level to prevent such devastating recurrences. According to Delmar, there are several steps that need to be taken in order to address today's security gaps in government. These include: fully understanding the details of NIST's Cyber Security Framework (CSF) and actively putting practices into action; developing and implementing a remediation plan to ensure security standards are being met; closing the gap in response time and maintaining transparency throughout with key stakeholders; recognizing the auditor's evolved role in cybersecurity; and understanding where federal security investments should be headed.

