How OPM lost my identity, and how they could have prevented it

Oct. 6, 2015
Until policies are firm, government employees and contractors must monitor their identity risk

This past July marked the 11th anniversary of HSPD-12, the presidential directive signed by President George W. Bush in 2004 to ensure the use of "secure and reliable forms of identification" across government agencies.

Earlier this year, the Office of Management and Budget (OMB) released a report card illustrating that strong authentication, a tenet of HSPD-12, had been implemented across just 41 percent of civilian agency user accounts. At that time, several agencies had not implemented any smart card network access controls.

As report cards do, it made clear where there was room for improvement. And it was equally clear that government agencies are facing myriad challenges in meeting HSPD-12 requirements. This should not come as a surprise. Until you’ve tried to implement a security protocol across a large government agency, you have no idea what’s required. I’ve participated in the implementation of several, and I can tell you it isn’t easy.

This time it was personal; I was compromised

Just weeks after the report card was issued, the Office of Personnel Management (OPM) announced it had discovered "two separate but related cybersecurity incidents" that had impacted the data of millions of federal government employees, contractors and others. The name, date of birth, home address and Social Security numbers of 4.2 million current and former federal government employees had been stolen. 

I was one of the unlucky ones, finding myself among those whose personal data was stolen. Of course, this isn’t the first time my data has been hijacked by undesirables, but this time it’s different. In my three previous experiences, the focus had been on my credit card and banking information. Basically, numbers distributed by financial organizations that could be easily reissued.

But OPM had my SF-86 security clearance questionnaire on file. And with that, you can basically become me. And it listed not just my personally identifiable information, but also that of my spouse, friends, family, neighbors and associates. It included everything about me.

Then, the other shoe dropped

During the analysis of the incident, OPM learned that additional information including the background investigation records of current, former and prospective federal employees and contractors had been compromised as well. The agency ultimately concluded that the Social Security numbers of over 20 million applicants and their spouses were compromised. Applicants’ usernames and passwords were stolen, as were more than a million of their fingerprints. Notifications for this incident are not yet underway, so keep your fingers crossed.

How did it happen?

Hackers study their targets’ attack surfaces — nooks they can sneak into and, once inside, move freely around the environment searching for information to exploit. This used to be accomplished primarily through phishing or malware, but next-generation firewalls and intrusion detection technologies now prevent many of these types of attacks. The modern-day attack surface of choice is identity-based. Hackers now prefer a more targeted, elegant strategy focused on highly privileged accounts that will give them the most access to the most resources.

Defined as authority over or permission to perform an action on a computer system, "privilege" may include the ability to create a directory, to read or delete a file, or to access a device. All users have some level of privilege — even if limited to their own email account — but some privileged users have significantly more. These users might be domain or database administrators or anyone with root privilege on UNIX or Linux servers. There are also the admin accounts built into the operating system itself, and these were apparently the attack surface used by the perpetrators at OPM.

According to Department of the Interior CIO Sylvia Burns, "The breach did not happen because of vulnerability at the DOI data center. It happened because of compromised credentials of a privileged user on the OPM side that then moved into DOI’s environment through a trusted connection."

In essence, the hackers were able to compromise one or more highly privileged accounts within OPM and then move laterally through the organization using a valid username and password and pulling any data they wanted.

The modern identity attack surface

Today’s identity attack surface consists of too many accounts across too many systems, too many users with excessive privilege and too many shared administrative accounts with shared passwords. For modern hackers this is a treasure trove of opportunity. So how do we shrink this attack surface and increase our security posture?

According to the National Institute of Standards and Technology (NIST), the key, outlined in documents SP 800-53 and SP 800-63, is to reduce the number of privileged accounts, enforce least-privilege across the enterprise (or agency) and employ smart cards for multifactor authentication (MFA) wherever possible. The Department of Homeland Security Continuous Diagnostics Mitigation (CDM) program now contains tool functional areas to address trust, behavior, credibility and privilege.

The good news is that we’re learning how to secure our data by securing our identities. The OPM breach has shone a spotlight on key vulnerabilities and the Office of Management and Budget has responded with a “30-Day Sprint” during which agencies must procure tools and implement changes to their systems to increase security.

The 30-day sprint to tighten policies and practices for privileged users

The 30-Day Sprint mandates that agencies should, to the greatest degree possible, minimize the number of privileged users, limit functions that can be performed through privileged accounts, limit the duration that privileged users can be logged in, limit the privileged functions that can be performed using remote access, and ensure that privileged user activities are logged and that such logs are reviewed regularly.
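The last three controls in that list (time-boxed privileged logins, restricted privileged functions over remote access, and regular review of privileged-activity logs) only help if someone actually reads the logs. The reviewer below is an added example, not code from the article or from any agency tool: it parses a constructed privileged-session log and flags sessions that exceed a policy limit, privileged commands issued over remote access, and sessions that were never closed. The log line format, the `MAX_SESSION` limit, the `REMOTE_ALLOWED` set and every user, host and command in `SAMPLE_LOG` are constructed for illustration.

```python
"""Review privileged-session logs against the 30-Day Sprint controls.

Added example (not from the article). The log format, policy constants and
sample lines are constructed; a real deployment would feed it exported
audit records with the same fields.
"""
import re
from datetime import datetime, timedelta

MAX_SESSION = timedelta(hours=4)      # policy: privileged logins are time-boxed (constructed value)
REMOTE_ALLOWED = {"Get-EventLog"}     # only privileged function permitted over remote access (constructed)

# One record per line: ISO timestamp, user, host, event, optional source and command.
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) event=(?P<event>\S+)"
    r"(?: source=(?P<source>\S+))?(?: cmd=\"(?P<cmd>[^\"]*)\")?$"
)

# Constructed sample log: one compliant session, one over-long remote session
# with a privileged command, and a break-glass logon that is never closed.
SAMPLE_LOG = """\
2015-06-12T08:02:11Z user=jdoe-a host=dc01 event=logon source=console
2015-06-12T08:10:00Z user=jdoe-a host=dc01 event=elevate source=console cmd="net user svc_backup /add"
2015-06-12T11:45:00Z user=jdoe-a host=dc01 event=logoff
2015-06-12T09:00:00Z user=msmith-a host=sql01 event=logon source=remote
2015-06-12T09:05:00Z user=msmith-a host=sql01 event=elevate source=remote cmd="sc config MSSQLSERVER start= disabled"
2015-06-12T15:30:00Z user=msmith-a host=sql01 event=logoff
2015-06-12T22:00:00Z user=breakglass host=dc02 event=logon source=console
"""


def parse(text):
    """Turn log text into dicts; refuse silently-skipped lines so gaps are visible."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def review(records):
    """Return (finding, user, host) tuples for every policy violation found."""
    findings = []
    open_sessions = {}                       # (user, host) -> logon time
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["user"], rec["host"])
        if rec["event"] == "logon":
            open_sessions[key] = rec["ts"]
        elif rec["event"] == "logoff":
            start = open_sessions.pop(key, None)
            if start is not None and rec["ts"] - start > MAX_SESSION:
                findings.append(("session-too-long", rec["user"], rec["host"]))
        elif rec["event"] == "elevate":
            first = (rec["cmd"] or "").split(" ")[0]
            if rec["source"] == "remote" and first not in REMOTE_ALLOWED:
                findings.append(("remote-privileged-command", rec["user"], rec["host"]))
    # Anything still open at the end of the review window was never logged off.
    for user, host in open_sessions:
        findings.append(("session-never-closed", user, host))
    return findings


if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG)):
        print(*finding)
```

The review is deliberately strict about parsing: a line that does not match the expected format raises rather than being skipped, because a log reviewer that quietly drops records is exactly the gap an intruder's activity falls into.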

While these requirements are certainly a step in the right direction, it’s important to avoid a rushed panic that wastes money and effort. Agencies have received a “two-factor authentication (PIV/CAC) everywhere” mandate, but many are struggling to understand the details while others who believe they have an understanding offer multiple interpretations. 

The potential downside in too rapidly addressing HSPD-12 and the two-factor authentication everywhere mandate is that agencies will simply revert to processes based on old security policy mandates like secondary privileged user “–A accounts” with PIV/CAC cards to address modern attacks.

These processes, established more than a decade ago, are antiquated and will not solve new problems. While issues must be addressed quickly, placing speed over efficacy is not the answer. The OPM incident should be viewed as an opportunity to get all agencies to employ modern, sophisticated solutions that directly respond to today’s more sophisticated hackers. 

Key ingredients for identity protection

In order to manage systems, admins require some privileges. But under no circumstances should admins -- or the people who might hack into their accounts -- get access to the entire environment with full unrestricted privileges. We must ensure that hackers cannot gain widespread privileges as was the case with OPM. So organizations must set up their administrator access in a way that minimizes risk but still provides them with the privileges needed to perform their jobs. Here are a few simple guidelines that would have gone a long way in keeping my identity safe:

  • Establish least-privilege administrator roles with granular privilege elevation: Provide privilege elevation for individual administrative tasks on specific computers that can be granted to a specific admin based on their role. Individual commands and tasks are then defined for each administrative role required for services such as Active Directory, SQL Server or Exchange.
  • Centralize management of policies and roles: Leverage Active Directory to control which users are members of specific privileged roles. Many organizations have set up self-service interfaces to enable the admin to request a temporary privilege on a specific computer. Once approved, the management tool can then programmatically add the user to the Active Directory group or explicitly to the role that grants the permission.
  • Restrict domain admin group membership: Once a set of role-based administrator rights is established, secondary -A admin accounts are no longer needed and can be removed. There shouldn’t be a need for anyone to be in the Domain Admins group either, so its membership should be empty (save possibly a break-glass account with a member whose password is vaulted).
  • Lock down local and domain administrator passwords: Windows admins never need the administrator password on any computer in the environment since they will be using privilege elevation to perform duties. These should be treated the same as UNIX root accounts – locked away in a password management system never to be used (except in break-glass situations).
  • Enforce Smart Card-based strong authentication for administrators: Adherence to HSPD-12 requires Smart Card logins -- a great idea since a device with a Public Key Infrastructure (PKI) certificate is generally much more secure than a password. Using these devices is as simple as an admin plugging in a USB key or PIV card, and then remembering a single PIN or passphrase to unlock the device. If you lack a Certificate Authority (CA) setup, configuring your own Active Directory CA to issue Smart Cards to users is relatively easy.
  • Require re-authentication for privilege elevation: The easiest way to ensure that your admin is at the keyboard when they execute a privileged command is to challenge the user to re-authenticate with their Smart Card.
  • Audit administrative actions: Security information officers use video feeds of user activity on sensitive systems to determine what’s happening to their servers and the intent behind administrative actions. Video session auditing and metadata capture provide insight into user activities. This can be narrowed to record only specific privileged commands to reduce the amount of data captured.
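The first six guidelines fit together into one control: an admin holds scoped roles (some standing, some granted temporarily through self-service), each role permits only specific commands on specific computers, every elevation must be preceded by a fresh re-authentication, and every decision is written to an audit record. The engine below is an added example, not code from the article or from Centrify; it models that control in memory so the interaction between the rules can be seen. The `ROLES` table, the `REAUTH_MAX_AGE` window, the `BREAK_GLASS` name and all user, host and command names are constructed for illustration. It also includes the two directory checks from the "restrict domain admin group membership" guideline (an empty Domain Admins group apart from a vaulted break-glass account, and no leftover secondary "-A" accounts), run here over constructed member lists.

```python
"""Role-based privilege elevation with re-authentication and an audit trail.

Added example (not from the article or from Centrify). Role names, hosts,
commands and user names are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from typing import Optional

# Each role lists the (command pattern, host pattern) pairs it may elevate for.
# Nothing else is permitted, so a stolen admin credential reaches only what the
# role scopes, never the whole environment.
ROLES = {
    "AD-Account-Operator": [("net user *", "dc*.corp.example"), ("dsmod *", "dc*.corp.example")],
    "SQL-Service-Restart": [("sc restart MSSQLSERVER", "sql*.corp.example")],
    "Exchange-Mailbox-Admin": [("Get-Mailbox *", "exch*.corp.example")],
}
REAUTH_MAX_AGE = timedelta(minutes=2)   # smart-card re-auth must be this fresh (constructed)
BREAK_GLASS = {"breakglass-admin"}      # the one vaulted account allowed in Domain Admins (constructed)


@dataclass
class Grant:
    """A role assignment; temporary grants (from self-service approval) expire."""
    role: str
    expires: Optional[datetime] = None   # None = standing assignment


@dataclass
class Engine:
    grants: dict = field(default_factory=dict)        # user -> [Grant]
    last_reauth: dict = field(default_factory=dict)   # user -> time of last smart-card re-auth
    audit: list = field(default_factory=list)         # every elevation decision, allowed or not

    def grant_temporary(self, user, role, now, hours=2):
        """Approved self-service request: add the role for a bounded time."""
        self.grants.setdefault(user, []).append(Grant(role, now + timedelta(hours=hours)))

    def record_reauth(self, user, now):
        """Called after a successful smart-card challenge."""
        self.last_reauth[user] = now

    def _active_roles(self, user, now):
        return [g.role for g in self.grants.get(user, []) if g.expires is None or g.expires > now]

    def elevate(self, user, command, host, now):
        """Decide one privileged command; returns (decision, reason) and records it."""
        roles = self._active_roles(user, now)
        reason = None
        if user not in self.last_reauth or now - self.last_reauth[user] > REAUTH_MAX_AGE:
            reason = "reauth-required"            # admin must prove presence first
        elif not any(fnmatchcase(command, c) and fnmatchcase(host, h)
                     for r in roles for c, h in ROLES.get(r, [])):
            reason = "not-in-role"                # command/host outside every active role
        decision = "allow" if reason is None else "deny"
        self.audit.append({"time": now.isoformat(), "user": user, "command": command,
                           "host": host, "roles": roles, "decision": decision, "reason": reason})
        return decision, reason


def check_domain_admins(members):
    """Return Domain Admins members that should not be there (all but break-glass)."""
    return sorted(m for m in members if m not in BREAK_GLASS)


def find_secondary_admin_accounts(sam_names):
    """Return legacy '-A' secondary admin accounts that role-based elevation makes unnecessary."""
    return sorted(n for n in sam_names if n.lower().endswith("-a"))


if __name__ == "__main__":
    now = datetime(2015, 10, 6, 9, 0)
    e = Engine()
    e.grants["alice"] = [Grant("AD-Account-Operator")]
    print(e.elevate("alice", "net user jdoe /add", "dc01.corp.example", now))   # deny: no re-auth yet
    e.record_reauth("alice", now)
    print(e.elevate("alice", "net user jdoe /add", "dc01.corp.example", now))   # allow
    print(e.elevate("alice", "sc restart MSSQLSERVER", "sql01.corp.example", now))  # deny: not her role
    print(check_domain_admins(["breakglass-admin", "jdoe-a"]))
```

Two design points carry the weight. The re-authentication check runs before the role check, so an attacker holding a valid username and password but not the smart card is stopped at the first gate, which is the gap the article describes at OPM. And the audit list records denials as well as allows, because a burst of "not-in-role" denials from one account is the earliest signal that a credential is being used by someone probing for what it can reach.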

Had OPM implemented these capabilities, it’s still possible that the hackers would have gained entry into the systems, but it would have been much more challenging. Two-factor authentication would have created a nearly impassable roadblock. The minimal privileges held by the admin would have severely limited the hacker’s ability to move freely about the environment, and auditing would have flagged their activities earlier.

There is light at the end of the tunnel

In 2008, the Identity, Credential and Access Management Subcommittee (ICAMSC) was formed under the Federal CIO with the expressed goal of aligning the identity management activities of the federal government. Today, the ICAMSC “oversees the development of policies, procedures and standards to address initiatives related to identity management, authentication and secure access for the federal government.”

Here is a document on ICAM Privileged User Instruction and Implementation Guidance from the subcommittee that outlines a number of processes meant both to limit insider threats and to mitigate modern-day cyber attacks. We’re headed in the right direction, but until we’ve implemented a solution across all agencies, it is essential that government employees, contractors and anyone else who’s had a background check monitor everything associated with their identity. There are services available today that can do this for you, and until we get all the necessary technologies implemented, they’re probably a good idea.

About the Author: Jack Miles is a Systems Engineering Manager at Centrify Corporation. While currently focused on the DoD and select civilian agencies, Jack has previously worked with a variety of federal, state and local governments and agencies to deploy hundreds of cyber security solutions.