Today the national and federal press announced a “massive” breach of federal personnel data housed at the Office of Personnel Management (OPM) within the Department of Homeland Security (DHS). Following an earlier breach discovered in March 2014, the breach is said to have exposed the personally identifiable information (PII) of up to four million federal employees. The Washington Post reported that U.S. officials suspect the Chinese government to be behind the attack, which represents “the second significant foreign breach into U.S. government networks in recent months.”
What the OPM is Doing RightWhile this state-sponsored attack on federal employees and their agencies is an act of espionage and therefore of grave concern to the nation, I see signs in the news coverage that the OPM is taking action that is deserving of praise. As noted in the recent Washington Post coverage, “After the earlier breach discovered in March 2014, the OPM undertook ‘an aggressive effort to update our cybersecurity posture, adding numerous tools and capabilities to our networks,’ Seymour said. ‘As a result of adding these tools, we were able to detect this intrusion into our networks.’”
This type of response to an initial breach is not only appropriate, but exemplary. Government agencies need to be proactive, because many realize that breaches like the recent Sony attack prove that the enemy may already be within their gates—and sometimes cruising the network for months before they’re detected.
Key Takeaway: Be ProactiveMany organizations—in both private and public sectors-- house extremely sensitive data. High-value data is ideally confined to properly fortified servers, and tightly sealed off with aggressive whitelisting and rigorous audits. Multi-factor authentication and strong passwords are critical, and there’s a new tactic that becomes more crucial with every hack we learn about: active, ongoing anomaly hunting.
Sensitive data tends to congregate on network endpoints such as laptops and servers, and it has a habit of multiplying into errant, unauthorized copies in unauthorized storage locations. For that reason, it’s essential for today’s security teams to create and regularly update baselines of normal activity for each endpoint that houses sensitive data, and to then actively watch for signs of anomalous behavior against those baselines.
Today’s threat actors are deploying malware in unusual places--such as the UDP channel--that are not visible with most security tools. With its exclusive ability to gain visibility of the endpoint even below the operating system, EnCase® Endpoint Security was designed to see the unseen by helping you baseline normal behavior across all your organizational endpoints, then watch for signs that something unusual is happening. After all, anomalies are the hallmark of infiltration.
Comments? Are you proactively hunting threats in your systems? We welcome discussion in the section below, whether on this topic or on one you would like to see us write about here in the blog.
Michael Harris is the Chief Marketing Officer at Guidance Software.