In the late 1990s, U.S. Energy Secretary Bill Richardson noted that a historic breach in his department occurred because it had neglected the human factor in its security protocols. This statement alarmed many security experts, since the human factor is the most critical. After all, in 1644 rebels didn’t have to destroy the massive Great Wall of China – the gates were opened by a traitorous general of the Ming Dynasty.
The human factor has an important element: Policy. The policy governing computer access in an organization is critical — who has access to what, and when, and from where should be the cornerstone of a security plan. These policies determine who has access to what intellectual property, and who may access what information remotely, how many characters are required in a password, and a whole host of other elements critical to an organization’s security posture
How important are these polices? Consider the massive, historic breach of the Office of Personnel Management. Millions of individual records regarding security clearance background checks have been obtained by hackers, almost certainly China.
These aren’t just the routine human resources files, but rather the extremely sensitive background check files on millions of employees who have been granted security clearances. These files are a gold mine of information for recruiting Americans to spy for our enemies. As you read this our adversaries are sifting through this massive information collection to create their own internal eHarmony-type website, except instead of matching up dates they are pairing the most promising blackmail materials with vulnerable American security officials who have access to secret information.
What policies were in place to protect these OPM files? One expects such sensitive data is kept within the best software system for maximum protection. Unfortunately, the software OPM uses is older than most Americans. Incredibly, OPM did not even bother to try to encrypt these sensitive files. Consider this: My donation to the American Red Cross is protected by encryption, but my Top Secret background investigation files housed at the OPM are not.
In 2009, the OPM Inspector General noted there was a “lack of leadership, policy and guidance” regarding the agency’s security. OPM appears to have ignored this constructive criticism, doing nothing to prevent such a preventable breach. Even if the policy had been to use the best software, use encryption, and require basic measures for sensitive systems such as two-factor authentication, it appears the breach would still have occurred.
Why? Because, in a mystifying policy decision, OPM allowed people to access its networks remotely from, among other nations, China. Certainly better software could have alerted OPM to the intrusion immediately and perhaps limited the damage, but if your policy is to allow individuals to access your entire system from China then you have already made a decision to leave the gates open to whomever wishes to enter.
In fact, the breach was discovered quite by accident, as a vendor for a cybersecurity company was doing a demonstration of its capabilities when it stumbled upon the attack.
The twin of policy is training. As new threats emerge and become more sophisticated, companies and organizations must implement new training requirements to prevent breaches. For many years, threats to organizations — such as phishing attacks — were broad in nature, the equivalent of soldiers firing blindly across the field at the enemy in the dark with a machine gun. If a thousand attempts to gain access to the targets’ network resulted in three hits, it was still somewhat of a success.
The sophisticated attackers are now using spear phishing attacks. Rather than a machine gun, spear phishers operate more like a sniper. Spear phishers carefully research the individuals they want to gain access through, and target them specifically. This is a significant shift in the cyber threat — the move away from targeting systems to targeting people.
Which is why cybersecurity training is now a priority. Companies can no longer rely on software, hardware and security firewalls. Their employees are the target of the professional hackers, and are the network’s weak link. Routine cybersecurity training paired with a robust review of policy provides the best defense of an organization’s network.