Breached Network’s Security Is Criticized By Damian Paletta

http://www.wsj.com/articles/breached-networks-security-is-criticized-1435103680

System that failed to prevent millions of sensitive government files from being hacked is largely unable to stop the most sophisticated attacks

The security system in place at the Office of Personnel Management, known as Einstein, is incapable in most cases of stopping previously unknown malware from penetrating government networks. It mostly relies instead on “signatures” from past computer breaches, and then looks for similar digital fingerprints.

“In this particular case, it did not detect it at first because it had not seen it before,” Phyllis Schneck, a top cybersecurity official at the Department of Homeland Security, said in an interview.

Stopping intrusions that use never-before-seen malware, loosely grouped under the label “zero-day exploits” (strictly, an exploit for a vulnerability the vendor has not yet patched), is a major challenge for both the government and corporations. Private-sector firms such as FireEye Inc. and Palo Alto Networks Inc. sell technology that sometimes detects previously unknown threats, while other products push out protective updates quickly once a new piece of intrusion code has been identified.
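The two paragraphs above describe how a signature-based system such as Einstein works and why it misses what it has not seen. The following Python sketch is an added illustration, not code from the article or from DHS; the “known” sample, the repacked and XOR-encoded variants, the command-and-control string and the rule names are all constructed for the example. It shows an exact-hash rule failing on a trivially repacked variant, both rules failing on a re-encoded variant, and the variant being caught only after its signature has been learned from the breach itself.

```python
"""Toy signature engine: what a hash/pattern filter catches and misses.

Added example, not part of the original article. All samples, signatures
and the C2 string are constructed for illustration.
"""
import hashlib
import re

# Constructed stand-in for a malware sample captured in an earlier breach.
KNOWN_SAMPLE = b"MZ\x90\x00PAYLOAD:v1;C2=update.example-c2.test;CMD=beacon"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Two signature kinds derived from the known sample: an exact file hash
# and a byte pattern for its command-and-control string (both illustrative).
SIGNATURES = {
    "hash:known-sample": ("hash", sha256(KNOWN_SAMPLE)),
    "pattern:c2-string": ("pattern", re.compile(rb"C2=[\w.-]+;CMD=beacon")),
}


def scan(payload: bytes, signatures=SIGNATURES) -> list[str]:
    """Return the names of every signature that matches the payload."""
    hits = []
    for name, (kind, value) in signatures.items():
        if kind == "hash" and sha256(payload) == value:
            hits.append(name)
        elif kind == "pattern" and value.search(payload):
            hits.append(name)
    return hits


def add_hash_signature(name: str, payload: bytes, signatures: dict) -> None:
    """Reactive step: once a sample has been seen, its hash becomes a rule."""
    signatures[name] = ("hash", sha256(payload))


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest way an attacker re-encodes a string."""
    return bytes(b ^ key for b in data)


# Three constructed payloads: the known sample, a repacked build with one
# version byte changed, and a build whose C2 string is XOR-encoded so that
# neither the hash nor the byte pattern has ever been seen.
REPACKED = KNOWN_SAMPLE.replace(b"v1", b"v2")
ENCODED = b"MZ\x90\x00PAYLOAD:v3;" + xor_bytes(
    b"C2=update.example-c2.test;CMD=beacon", 0x5A
)


def demo() -> dict[str, list[str]]:
    """Scan all three payloads against the pre-breach rule set."""
    return {
        "known": scan(KNOWN_SAMPLE),
        "repacked": scan(REPACKED),
        "encoded": scan(ENCODED),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:9s} -> {hits or 'no match (passes the filter)'}")
    # After the breach the encoded variant is added as a signature and is
    # caught on the next pass, which is exactly the "seen it before" loop.
    learned = dict(SIGNATURES)
    add_hash_signature("hash:encoded-variant", ENCODED, learned)
    print("encoded, after learning ->", scan(ENCODED, learned))
```

The repacked build still trips the byte pattern because the attacker left the C2 string intact; the encoded build trips nothing until its own hash is added after the fact, and a fourth build with a different XOR key would evade that new rule in turn.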

The Office of Personnel Management had been working with outside firms to provide some protection against zero-day threats, but the coverage was spotty and didn’t protect the entire network, people familiar with the matter said. Investigators believe the hackers were able to slip through an unprotected part of OPM’s system. Since the breach, the agency has expanded protection across the network using outside firms.

Another weakness of Einstein, which is used by most government agencies, is that it does little to stop people from breaking into government networks using stolen login credentials, current and former U.S. officials said. A login made with valid, if stolen, credentials looks like ordinary traffic and carries no malware for a signature to match. Recorded Future, a Massachusetts Internet technology company, has found stolen login credentials available online for roughly 50 federal agencies, including the Office of Personnel Management.

OPM Director Katherine Archuleta disclosed Tuesday that the intruders in the attack, which the agency revealed earlier this month, obtained a “compromised” user credential from a government contractor, Keypoint Government Solutions, that they used as part of the breach. Keypoint didn’t respond to a request for comment.

OPM officials said they have been working for more than a year to overhaul their computer security protocol, and the agency’s inspector general has said the agency has made improvements to what was once a decentralized and fragmented system.

Ms. Schneck said DHS is working to expand Einstein’s capability so it will be able to better defend against zero-day exploits. But there is no timeline for this expansion.

Similarly, U.S. agencies are supposed to use something called a “continuous diagnostics and mitigation” program, which hunts for spyware after something has breached a network. But many agencies haven’t fully adopted this program.

Major security weaknesses remain, Michael Esser, the assistant inspector general for audits, said Tuesday, adding that “OPM has not yet implemented a mature continuous monitoring program.”

DHS has spent at least $529 million on Einstein implementation through 2014, the agency said. Einstein covers civilian federal networks, while the Pentagon uses different security systems.

Using new spyware lacking fingerprints to break into a computer network is considered a sophisticated and expensive way to steal data. The technique often is deployed by hackers linked to foreign countries, security experts said. Hackers in China have used such spyware in the past, several U.S. officials said, and they believe the OPM breach was carried out this way.

Intrusions by criminal hackers and foreign countries have breached U.S. government computer networks for more than a decade, including systems controlled by the Navy, Energy Department and many other agencies to steal a wide range of information.

“OPM is just the most recent example of the government’s systemic failure to protect itself,” Sen. John Boozman (R., Ark.) said at a hearing about the breach on Tuesday.

U.S. officials are now scrambling to reinforce their computer security protocols. They are forcing network administrators to use “multifactor” login credentials, so that a stolen password alone is no longer enough to open a database. They also are looking at expanding encryption of data as well as “masking,” a technique that essentially hides private records, and data fragmentation, which breaks data sets into multiple pieces, making it harder for intruders to steal a cache of information.

U.S. officials said they need to put in place multiple safeguards because hackers have numerous ways to penetrate networks. “The adversaries—they only need one way in,” Richard Spires, the former chief information officer at Department of Homeland Security, told a Senate subcommittee Tuesday.

Scrutiny of Einstein intensified after the OPM breach, and Senate lawmakers are quietly working on a bill that would require the DHS to study its effectiveness at preventing attacks.

The agency has defended Einstein, saying it helped detect the spyware in the OPM breach, but lawmakers have pointed out that Einstein did nothing while hackers exfiltrated millions of sensitive personnel records over more than a year.

“While DHS has developed Einstein…it only detects known intruders, proving that it is completely useless in the latest OPM hacks,” Rep. Jason Chaffetz (R., Utah), the House Oversight and Government Reform Committee chairman, said at a hearing last week.

Einstein’s history has been marked by controversy and delay. The Bush administration rolled out the first version in 2004, but few agencies participated because it was voluntary and simply monitored network traffic, doing little to prevent attacks.

In 2008, the Bush administration required agencies to comply with a new version, dubbed Einstein 2, which for the first time looked to identify malware and intrusions.

As hackers became more aggressive, DHS and the National Security Agency began developing Einstein 3, which aims to block known intruders. But concerns about the NSA’s role and a lack of uniform agency networks bogged down the process.

As of several weeks ago, a number of federal agencies, including OPM, still hadn’t adopted Einstein 3.

“I think Einstein—in whatever iteration—can probably be considered to be outdated technology,” said Gus Coldebella, the former top DHS lawyer. “It’s better than nothing, but unless the bad guys are using something that’s already identified in Einstein, it’s not going to pick it up.”

Despite the criticism, U.S. officials said they are committed to Einstein, and are looking for ways to update or supplement the system with techniques to prevent breaches or detect them more quickly.

“We should take a broad look across the federal government, look at our high-value assets, make sure we were comfortable with the kinds of security we have,” Tony Scott, the White House’s chief information officer, said in an interview.

Write to Damian Paletta at damian.paletta@wsj.com
