Can universal security controls prevent the next big breach?
- By Sese Bennett
- Jun 11, 2015
Sese Bennett of LBMC Security and Risk Services argues that OPM should have been better prepared after an earlier breach.
The latest cyber breach at the Office of Personnel Management highlights a possible systemic flaw in the agency’s data security.
OPM said it became aware of the theft of personal information belonging to more than 4 million federal employees in April 2015 during an "aggressive effort" to update its cybersecurity systems. Naturally, this breach was splashed across the headlines.
Sound familiar? It should. OPM was the victim of a similar attack in July 2014.
In both cases, the same type of data was compromised, indicating that OPM should have made it a priority to identify how the initial breach occurred and then institute much stronger controls to prevent it from happening again. In situations where an environment experiences multiple breaches in a relatively short period of time, an analysis should be conducted to determine if the threat is advanced and persistent. If this was the case with OPM, one has to wonder if the networks had been compromised for longer than previously reported.
When we consider the recent breaches of Target, Sony Pictures, Anthem and OPM, what is common to all of these is that there has not been a universal standard for data security. Each organization has followed its own established standards, creating an inconsistent patchwork of security.
The old saying, never let a good crisis go to waste, certainly applies here. This OPM breach presents an excellent opportunity for the federal government to step in and spearhead the effort to establish universal standards for data security that government (federal, state and local) and the private sector can adopt and adhere to.
In 2012 the federal government launched its own data security standardization process with the creation of the Federal Risk and Authorization Management Program. This government-wide initiative provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. FedRAMP requires all cloud service providers that work with the federal government as of June 2014 meet a standardized set of rigorous security requirements.
FedRAMP is a step in the right direction, but more progress is needed to keep pace with the bad guys. Why not take it a step further and call for the creation of universal data security standards for the private sector as well? Doing so would provide much-needed assurance that the personal information of our nation’s citizens is protected.
Recent data thefts have included a range of personal information, from birthdates and Social Security numbers to security clearances, as the OPM breach clearly illustrated.
This is exactly the type of high-profile data that foreign states and criminal organizations target. Why? Because if they can “own the person,” they can also own whatever that person can access -- whether it’s financials, health care records or, in this case, federal government information.
Protecting data should be a universal mandate, and it will certainly require coordination and consistent implementation. Private industry shouldn’t wait on the government to take action. The OPM breach and others like it demonstrate the need for comprehensive and consistent information security standards across the board. Just as the government protects citizens from enemies both foreign and domestic, it must now band together with the private sector to combat cyber threats as well.
Sese Bennett is a senior manager for LBMC Security and Risk Services.