Type of Attack
According to the official data provided by OPM, the most recent data breach occurred in June 2015 (OPM, n.d.). CyTech, the company that was engaged to resolve the problem at OPM, reports that it discovered three live processes with malware inside OPM’s corporate network. The affected software could not operate properly, and a major part of the corporate data was stolen (Higgins, 2016). The described attack might be characterized in different ways, depending on the type of classification applied.
Hence, on the one hand, the attack might be classified as an active breach. In other words, it was an attack aimed at altering internal system resources and affecting their operation. This attack compromised the services’ integrity.
According to its origin, this OPM data breach might be characterized as a distributed attack. Hence, the attack was aimed at affecting operations performed by several computers. As a result, it might be suggested that the criminals employed botnets to conduct this OPM breach.
Further investigation likewise revealed that the attack was conducted by a so-called “outsider” – an illegitimate user who accessed the system due to flaws in the information security system (Lyngaas, 2015). Therefore, the attack might be characterized as an outside attack.
It should also be pointed out that the attack was carried out in several stages. Hence, it was initially assumed that there had been several separate attempts to breach OPM. Meanwhile, further investigation showed that it was one attack – the hackers pivoted to the OPM personnel record center in October 2014 and then, in December 2014, siphoned the data away. Due to its complex character, the intrusion was not revealed until April 2015 (Lyngaas, 2015).
What Was Breached?
The reported attack had a series of critical consequences – the hackers managed to disrupt the working capacity of OPM’s entire system and stole a large volume of corporate data. Hence, according to the official data provided by OPM, more than twenty-one million Social Security Numbers (SSNs) of different individuals were stolen in the course of the attack. In addition, the attackers gained access to the corporate investigation database, which comprised the personal data of almost twenty million people who had applied for an investigation.
Apart from the SSNs, this data comprised such information as the applicants’ residency, occupation, financial records, health, and family (Higgins, 2016). In addition, the hackers gained access to data related to the so-called “non-applicants” – in other words, people who were in one way or another connected to the applicants’ households (OPM, n.d.).
It is essential to note that the described OPM breach was not the first attack that the organization faced. Hence, earlier in the same year, the organization reported another leak of corporate data. At that time, the hackers stole data related to more than four million employees. It comprised such information as the employees’ names, dates of birth, addresses, and SSNs (OPM, n.d.). The existence of a precedent is likewise concerning, as it might signify OPM’s incapacity to manage the risks and carry out an effective preventative strategy. Meanwhile, the organization reports that the scope of the data leaked might not be as large as initially expected. Hence, it still has no evidence that such information as annuity rolls and retirement records was affected in the course of the incident.
Nevertheless, it should be pointed out that the leak of such a large volume of data is highly harmful to the government’s reputation. Hence, the described incident has provoked active public resentment and made US residents doubt OPM’s capacity to protect their personal data.
How Was the Attack Accomplished?
The first signs of the data breach at OPM were detected in April 2015. Thus, Brendan Saulsbury, an OPM contractor, noticed traces of illegitimate traffic within the internal networks. The system required confirmation from the McAfee program, even though the organization did not have the relevant software installed (Higgins, 2016). Hence, it is important to emphasize that the so-called “personal factor” played an important role in identifying the threat.
The experts report that the hackers used a particular file to deliver the malware – the so-called “mcutil.dll.” OPM’s security monitoring was initially unable to flag this DLL file because it was disguised as an executable associated with McAfee antivirus. Ultimately, it was the Cylance security system that managed to spot the malicious file (Higgins, 2016).
Further investigation revealed that the attack was accomplished in phases. First of all, the attackers managed to gain access to local networks in 2014. This allowed them to steal the relevant credentials, plant the malware, and create a backdoor for later exfiltration. The described events presumably date back to May 2014. Meanwhile, the hackers did not carry out the exfiltration until the summer.
The next stage of the OPM breach occurred in October, when the hackers managed to pivot to the organization’s Interior Department. This department is the corporate data center that stores all the records related to personnel. In December 2014, this data was siphoned away by the hackers (Lyngaas, 2015).
It should be pointed out that there is currently no consensus regarding how the attackers managed to gain access to the corporate networks and steal the credentials. Some experts believe that they carried out the breach using credentials that they had stolen from OPM’s contractor, KeyPoint Government Solutions.
The organization’s response to the incident was highly prompt. Hence, the day after the breach had been revealed, the hackers were evicted from the systems, and the malware was eradicated. The original facilitators of the described attack have not been identified yet. In the meantime, some experts assume that the breach might have been initiated by Chinese coordinators (Lyngaas, 2015).
Analysis and Feedback
The analysis of the described attack has several critical implications. First and foremost, it should be pointed out that the described breach was well planned, and there is a strong possibility that it was carried out by professional hackers coordinated by their facilitators rather than by ordinary amateurs. Hence, the attackers performed their breach step by step, stealing the essential credentials and gaining further access to the target databases. In addition, they acted carefully enough to ensure that their intrusion was not revealed at once.
Moreover, it should be pointed out that the described attack revealed existing flaws in OPM’s security system. Most importantly, the security system failed to detect the malware as soon as it appeared. Secondly, the corporate monitoring tools proved ineffective in identifying potential threats and hazards.
In addition, it is critical to emphasize the fact that the incident of June 2015 had a precedent earlier the same year. This means that the organization failed to take the essential measures to prevent a repetition of the data leak and to ensure the relevant protection of the corporate data. It is proposed that the organization should have strengthened its security system right after the first incident and carried out a detailed investigation in order to determine the most critical system flaws.
In addition, it might have engaged external agencies and services to perform the relevant audit and receive the necessary recommendations regarding service improvement. Furthermore, it can be suggested that the organization should have relocated the corporate data to different databases as soon as it realized that the initial store was not properly protected.
Therefore, several conclusions might be drawn from the analysis of the described incident. First and foremost, the organization’s risk management strategy is not effective enough. Hence, the OPM security service failed to perform a consistent risk analysis and implement the relevant preventative measures after the first incident in 2015. Second, OPM’s contractors are incapable of ensuring the essential level of information security – thus, there is a strong risk that some of the key credentials were initially stolen from the organization’s contractors, which allowed the hackers to access OPM’s networks.
Finally, the organization should consider relocating its data to different stores – the volume of the data stolen is excessively large. Hence, it can be assumed that it was irrational to store such a large amount of corporate data in one database; as the investigation revealed, the breached database stored both the information related to employees and that related to non-applicants.
Higgins, K. J. (2016). OPM data breach: a new twist on the discovery of the malware. Web.
Lyngaas, S. (2015). Exclusive: The OPM breach details you haven’t seen. FCW. Web.
OPM. (n.d.). Cybersecurity incidents. Web.