The recent breach of the U.S. Office of Personnel Management has certainly been big news and the cause of lots of speculation. OPM says they provide over 90% of the Government’s background investigations, over two million each year.
Twitter has been busy with comments about how useful the contents of background information would be for constructing more convincing spear-phishing attacks and, more ominously, coercing people with access to sensitive information. After all, the background investigation is the result of the government’s best efforts at digging up all the dirt on an individual.
One question that quickly arises is: why wasn’t all the data encrypted? “Ha ha, enjoy trying to get anything useful out of that enormous set of effectively random ciphertext.”
Well, no. Encryption is important, and that data certainly should have been encrypted, but that’s a solution to a different problem. I haven’t seen any details yet, not even vague outlines, about how the exploit happened. But usually some form of spear-phishing leads to inappropriately reading some hostile data into vulnerable software — load a hostile web page with a browser, or open a hostile document file with a PDF viewer or Office component. The result looks legitimate so no alarms are triggered, but in the background that individual user’s on-line identity has been stolen.
“Data at rest”, information stored in a long-term archive, certainly should be encrypted. But “data in use” must be decrypted so it can be read and, if appropriate, possibly modified by the user. (Yes, researchers are working on homomorphic encryption to allow computation on ciphertext without first decrypting it, but they’re not there yet.)
If you can spoof or take over someone’s on-line identity, you have the same access to information that they do.
Encryption protects against data loss when hardware is lost or stolen, but entire racks of storage arrays aren’t usually stolen out of data centers.
Encryption also protects against data access by other users on the same system, who might be lower-privileged user accounts taken over by an intruder.
This is why the attackers do these spear-phishing attacks to steal privileged user access — it’s the best way, possibly the only way, to get the information.
I don’t know much about conducting background investigations, but that word “background” jumps out. To investigate a background, you have to look around where that background happened. Previous jobs, school, neighbors. Given the enormous number of investigations for issuing and maintaining security clearances, it just wouldn’t be practical without some form of remote access.
Practicality requires remote access to centralized data. Economic pressure forces this access to be over public networks instead of some enormously expensive nationwide OPM private network infrastructure.
The risk doesn’t change whether it’s several data centers for the agency, just one for the agency, or one data center shared by multiple agencies. What does matter is compartmentalizing the data over the set of privileged staff, limiting system administrators to the system itself and keeping them away from the encrypted data sets (the Ed Snowden Lesson), and protecting everyone’s authentication.
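The two points above, that encryption at rest does nothing against a stolen identity and that compartmentalization and admin separation limit the damage, can be shown in a small model. This is an added example, not code from the original post or from OPM; the key service, the compartment names and the records are all constructed for illustration, and the HMAC keystream is a toy stand-in for a real KMS and authenticated encryption.

```python
import hashlib, hmac, os

# Constructed toy model (an added example, not code from the post). A real deployment
# would use a KMS/HSM and authenticated encryption; the HMAC keystream here only
# illustrates the access structure, not a cipher to reuse.

def keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 keystream derived from key, nonce and block counter."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)

class KeyService:
    """One key per compartment, released only to identities cleared for it.
    Storage admins are not in the grants table, so they never receive a key."""
    def __init__(self, grants):
        self._grants = grants           # identity -> set of compartment names
        self._keys = {}
    def key_for(self, identity, compartment):
        if compartment not in self._grants.get(identity, set()):
            raise PermissionError(f"{identity} not cleared for {compartment}")
        return self._keys.setdefault(compartment, os.urandom(32))

def store_record(ks, archive, identity, compartment, record_id, plaintext):
    nonce = os.urandom(16)
    ct = keystream_xor(ks.key_for(identity, compartment), nonce, plaintext)
    archive[record_id] = (compartment, nonce, ct)   # only ciphertext reaches the archive

def read_record(ks, archive, identity, record_id):
    compartment, nonce, ct = archive[record_id]
    return keystream_xor(ks.key_for(identity, compartment), nonce, ct)

def demo():
    ks = KeyService({"investigator_east": {"east"}, "investigator_west": {"west"}})
    archive = {}
    store_record(ks, archive, "investigator_east", "east", "case-1", b"subject A interview notes")
    store_record(ks, archive, "investigator_west", "west", "case-2", b"subject B interview notes")
    results = {"own": read_record(ks, archive, "investigator_east", "case-1")}
    # A stolen identity yields exactly that identity's view: its own compartment, nothing else.
    try:
        read_record(ks, archive, "investigator_east", "case-2")
        results["cross"] = "allowed"
    except PermissionError:
        results["cross"] = "denied"
    # The storage admin can read the whole archive, yet none of it is plaintext.
    results["admin_plaintext"] = any(b"interview" in ct for _, _, ct in archive.values())
    return results
```

The point the model makes is the post's: the archive holds only ciphertext, so a storage admin sees nothing useful, while whoever holds a cleared user's identity decrypts everything that user was cleared for, and per-compartment keys are what keep that from being everything.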
I wrote about identity federation risks earlier. Federation is when you use a third-party authentication service to verify user identity and control their access authorizations, and, with Kerberos features added, control their use of cryptography. CA Secure Cloud (formerly CloudMinder) and RSA Federated Identity Management tools are prominent enterprise-scale authentication service providers.
The problem is, if someone steals access to a federated identity, then they suddenly have access to all the resources stored on all the in-house and cloud servers, public or private. Once you federate, all your eggs are in that basket.
All this comes down to risk management, something we discuss in the beginning of Learning Tree’s System and Network Security Introduction. As the OPM Hack has demonstrated, there is no simple best answer, and no perfect security. But improvements are obviously needed!