Published on June 25th, 2015 | by admin
OPM Data Breach & The White House Security Sprint
There has been a noticeable shift in the types of cyber-attacks being committed. This coincides with the advent of digitization in our everyday lives, which has caused online identity systems (such as the US National Strategy for Identities in Cyberspace or NSTIC, the UK Government Verify program and the European eID identity scheme, for example) to become more ubiquitous. This pivotal shift affects us all: as individuals, within our organizations, and across our extended user base and customers. It is moving attackers from direct financial hacking to the theft of mass amounts of Personally Identifiable Information, or PII. Identity data, that is, the information directly associated with a person's identity, now forms part of the new underworld currency, with data such as social security numbers far outweighing the value of directly breached financial information. According to Javelin, in its Data Breach Fraud Impact report of June 2015, any business that holds social security numbers is particularly at risk from cyber criminals.
Recent U.S.-based attacks, such as those on Anthem and the Office of Personnel Management (OPM), show that PII-directed attacks are becoming normalized. In the OPM attack, the second in a year, around 4 million records of current and former federal employees were compromised and the data in them stolen. The OPM data breach took personal data including social security numbers, bank details, names and addresses, and dates of birth: all the information needed to impersonate an identity. The Anthem breach similarly lost PII, and the recent IRS attack, in which around $50 million in fraudulent tax claims were paid out, may have been a secondary attack based on PII stolen from Anthem.
(As an aside, both the Anthem and OPM breaches have been attributed to the Chinese government, or associated groups, since information about the private lives of job applicants was also stolen in the OPM attack, which could be used for blackmail purposes. This is being hotly disputed at the moment, and the Chinese government is denying responsibility.)
As for the attack vector, interestingly, it looks like both the OPM and the Anthem attacks were carried out via malware that was signed with digital certificates stolen from a Korean company, DTOPTOOLZ Co. A valid signature fools a computer into allowing the malicious code to execute. In the recent Duqu 2.0 attack, a similar process occurred, whereby a digital certificate from a Taiwanese company, Foxconn, was used in the same way. It has been postulated that certificates from this part of the world are used to try to shift blame for the hacks onto the Chinese, when in fact, in the case of Duqu 2.0, Israel was the likely culprit.
The threat is moving toward information, and PII in particular, but our tried and tested tools for preventing data leakage are failing us. It has been shown that anti-virus software is becoming less and less effective. Imperva carried out an investigation into the effectiveness of anti-virus / anti-malware software which, worryingly, found that the detection rate for newly created viruses was only 5% and that some AV software could take up to 4 weeks to detect some viruses. This is, in part, because of the speed at which cyber criminals release new malware into the landscape, coupled with the use of legitimate digital certificates to run that malicious code, so that AV definitions simply cannot keep up. The report also pointed out that it was time to look at better and more intelligent systems, such as those that can monitor and analyze behavior, rather than simply relying on now outmoded AV software.
So we find ourselves in a type of arms race that, unfortunately, anti-malware software is losing. In the case of the OPM breach, the system used by the U.S. federal government to detect malware, known as EINSTEIN, appears to suffer from the same health issues as anti-virus software. EINSTEIN failed because it was playing catch-up: it relies on signatures created from already known threats, so it cannot detect what it has not seen before.
Because of all these cyber attacks, the U.S. federal government is now embarking on a ‘30-day Cybersecurity Sprint’ initiated by the United States Chief Information Officer (CIO), Tony Scott. The published details set out the types of security measures that federal agencies must put in place. These are laudable and needed, of course, but the phrase containing the words stable door, horse, and bolted springs to mind. The fact that the employees affected by the OPM breach are now being given identity theft monitoring and insurance confirms this.
If ever there was a case for sharing security information, this is it. Our own information is being targeted, which puts us all at risk. And governments, among the key targets, hold vital details on new malware threats. Visibility of security analytics and data sharing needs to be part of our everyday security strategy. Likewise, rapid remediation solutions are increasingly critical to simplify complex, manual post-attack investigations so that we can retrieve these pertinent threat details sooner. Without this intelligence shoring up our security tools, we may as well leave that stable door truly open.