With the IRS breach and now the US Office of Personnel Management’s (OPM) breach, one has to wonder. Is this just bad luck or bad security?
One of the culprits cited for the IRS breach was funding cuts and the absence of high-level key IT security personnel. In the OPM’s case, where approximately 4 million US federal workers and 2.1 million current employees were affected, the blame was placed on security weaknesses in its IT security program, which the agency was working on when it uncovered the breach.
A little background on the OPM intrusion (for those who didn’t catch the story): it seems that about eleven major OPM information systems are operating without valid authorization, and that the office doesn’t maintain a comprehensive inventory of its servers, databases and network devices. Furthermore, routine vulnerability scans and continuous monitoring of all systems don’t take place.
The OPM intrusion dates back to December 2014 and was spotted in April 2015; the IRS intrusion attempts were made from February through mid-May 2015. This shows how much time intruders had to get the information they were after. Although it’s only a matter of time before attackers get into a network, with the right information security system and plan in place, organizations should be able to spot these attempts and fix vulnerabilities sooner rather than later.
The fact that there are those who want to access an organization’s valuable data is widely known. Part of the reason for this awareness is the breach disclosure mechanisms now in place, but it is also because, as the world becomes more digital, data becomes more and more valuable. Even the least technical person knows the monetary value that his private data and credentials hold; the only obstacle is that individuals aren’t the ones running the network systems that store them. People trust those they do business with to take the necessary precautions to protect their data.
However few resources organizations have, they can seek out the information security expertise they need: someone who can guide them toward implementing a holistic risk management program, so that they can avoid the fate of a massive breach such as those experienced by more organizations than we can count at this point (Target, Sony, Anthem, CareFirst, and most recently the IRS and now OPM).
It may seem as though implementing an overall information security plan is still optional, and that compliance and legislation are enough to keep a business up and running. Even if this is the case for now, it won’t be for long. Trends such as the IoT, remote devices, cloud technology, and remote databases (hosting tons of valuable information) expose this false sense of security.
Cyber-attacks are becoming the next means for privately (and politically) motivated individuals to make a “quick” buck or create havoc.
What infosec steps are you taking to avoid putting your business, employees, and customers at risk?
Photo courtesy of donskarpo