OPM Still Failing on Security After 2015 Breach

OPM Still Failing on Security After 2015 Breach

The US Office of Personnel Management (OPM) has still not implemented over a third of the recommendations made by government auditors after a devastating 2015 breach.

Some 29 recommendations remain “open” out of the 80 that were made by the Government Accountability Office (GAO). These include key best practice security steps which many would consider basic, such as installing the latest OS versions on networks supporting “high-impact” systems.

Also missing were plans to avoid multiple staff using the same admin accounts, password encryption at rest and in transit, and “procedures governing the use of special privileges on a key computer.”

Amazingly, the OPM has still not been able to demonstrate to the GAO that it has reset all passwords after the breach, or that it installs critical patches in a timely manner. Nor has it shown that it periodically evaluates accounts to ensure privileged access is warranted, or assesses controls on certain systems as part of continuous monitoring.

“Implementing all of the remaining open recommendations expeditiously is essential to OPM ensuring that appropriate security controls are in place and operating as intended,” a congressional briefing document noted.

“Until OPM implements these recommendations, its systems and information will be at increased risk of unauthorized access, use, disclosure, modification, or disruption.”

These concerns are key, given that the OPM was breached, it is thought by Chines hackers, after they obtained credentials from a contractor.

This access was then used to install backdoors and subsequent info-stealing malware on the department’s network.

The incident exposed 21.5 million sensitive records relating to current and former federal employees including security clearance investigations which could prove useful for intelligence operatives looking to blackmail individuals.

The good news is that the OPM said it plans to implement 25 of the 29 open recommendations by the end of 2018 and three more by the end of fiscal year 2019.

Source: Information Security Magazine