Remediation, call to action in response to massive breach of federal workers' PII

The United States Office of Personnel Management confirmed on June 4, 2015, that a cybersecurity attack may have impacted as many as 4 million current and former government workers. This new attack follows the recent intrusion of a consumer-facing web portal hosted by the Internal Revenue Service disclosed May 26 and the breach of an unclassified network at The White House reported in October 2014.

The recent OPM incident occurred during a window of vulnerability before the agency's network was reinforced with new security tools and capabilities, authorities said. Recently installed threat detection tools and capabilities led to the discovery in April 2015 of an intrusion that had been operating undetected for an unknown period.

"OPM has partnered with the U.S. Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) and the Federal Bureau of Investigation (FBI) to determine the full impact to federal personnel," the OPM stated, reiterating its continuous efforts to protect sensitive data by improving security best practices and information technology (IT) infrastructure monitoring.

In the wake of the data breach, the OPM beefed up network security alerts and restricted access to its networks by remote IT personnel. IT administrators are also reviewing ports and connections and deploying anti-malware across the enterprise to further protect the network.

Another remediation drill

OPM Director Katherine Archuleta said the OPM will honor its responsibility to secure the information stored in its systems and take additional measures to secure its network. "Protecting our federal employee data from malicious cyber incidents is of the highest priority at OPM," she said.

The OPM stated its plans to notify the approximately 4 million individuals whose personal identification information (PII) may have been compromised. It vowed to continue notifying personnel throughout the investigation should additional PII exposures occur. The OPM will provide 18 months of free credit reporting, credit monitoring, and up to $1 million dollars in identity theft and recovery insurance services to all potentially affected individuals.

The OPM advised all personnel to "monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions." Employees are encouraged to make use of public resources such as AnnualCreditReport.com and the Federal Trade Commission's identity theft website, www.identitytheft.gov. They can also contact TransUnion LLC to request that a fraud alert be placed on their files, which instructs prospective creditors to contact consumers before opening or activating new accounts.

Vigilance, caution required

Federal personnel and private citizens are encouraged to be suspicious of unsolicited phone and email communications from unknown individuals claiming to represent legitimate organizations. Following are additional OPM guidelines:

• Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.

• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.

• Do not send sensitive information over the Internet before checking a website's security (for more information, see Protecting Your Privacy, www.us-cert.gov/ncas/tips/ST04-013).

• Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

• If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly.

• Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (www.antiphishing.org).

• Install and maintain anti-virus software, firewalls and email filters to reduce some of this traffic (for more information, see Understanding Firewalls, www.us-cert.gov/ncas/tips/ST04-004; Understanding Anti-Virus Software, www.us-cert.gov/ncas/tips/ST04-005; and Reducing Spam, www.us-cert.gov/ncas/tips/ST04-007) .

• Take advantage of any anti-phishing features offered by your email client and web browser.

• Take steps to monitor PII, and report any suspected instances of identity theft to the FBI's Internet Crime Complaint Center at www.ic3.gov .

Immunize against future attacks

At the June 2015 Exponential Finance conference, Marc Goodman, global security advisor and author of Future Crimes: Everything is Connected, Everyone is Vulnerable, and What We Can Do About It, observed similarities between cyber security and public health best practices and recommended that the security community borrow a page from the Center for Disease Control playbook.

"I'd like to see the security community adopt a more epidemiological approach to cyber security, by immunizing the public against widespread computer viruses and cyber attacks," he said, referring to the scientific study of cause and effect of infectious diseases used to create public policy by identifying risks and establishing guidelines for preventive healthcare.

Goodman cited a 1999 study by the CDC that identified automotive safety as the most significant accomplishment of the 20th century, an achievement tied to the publication in 1965 of Ralph Nader's book, Unsafe at any Speed. About the book, Goodman said, "3.5 thousand people were killed per day worldwide until that book was published, which led to seatbelts, air bags and a range of other improved industry standards."

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.