New U.S. 'Secret' Clearance Unit Hires Firm Linked To 2014 Hacks

HardOCP News

Remember the company suspected of being the source of the Office of Personnel Management leak, one of the largest breaches of government data in US history? Well, our government just hired them again. What could possibly go wrong? :(

A U.S. government bureau set up to do "secret" and "top secret" security clearance investigations has turned for help to a private company whose login credentials were used in hack attacks that looted the personal data of 22 million current and former federal employees, U.S. officials said on Friday.
 
Maybe they learned from their mistakes?

I'm sure they didn't just blindly award them the contract without evaluating what changes they have made to their data security in the last 2 years.


The truth - however - is that anything is hackable, if you have an opponent with enough time and resources. Even the best system can be compromised. The best we can hope for with security measures is to make it more difficult or unreasonably timely/expensive for the attacker to do so.

With US government personal details probably being valuable to our state sponsored opponents in the world - however - this data is probably best kept off of public networks all together.

Manage a separate dedicated network for this type of data, not physically linked to any network that is connected to the public internet. Don't even share a switch with separate VLANs, or rely on firewalls or VPNs. Make it physically never plugged into anything that has a connection to the public internet.

That's the best we can do for truly sensitive data.

Even when we do - however - Stuxnet has taught us that it isn't enough, because people are the weak link and carry USB sticks across physical barriers.

So we also have to disable all USB ports, disable all Bluetooth or other connectivity, make sure there is no Wi-Fi on these private networks, and even then it's just a matter of time until someone clever discovers yet another attack vector.
 

I wouldn't bank on that assumption. Behind the scenes the government has been pushing corporations hard to sign up to a Cyber-Breach clearing house; many of us are pushing back as a majority are less than pleased with the government's track record on cyber security.


Great points, each and every one. However, as with most procedures/initiatives, they are only as good as the efforts to ensure compliance (ahem, Madame Secretary). The Internet of Things continues to make securing networks even more complex. Source Code for IoT Botnet 'Mirai' Released — Krebs on Security.

Thumbdrives are EVIL! We're issued USB "condoms" when traveling for business, they're cheap and whole lot cheaper than paying for a breach.
 
..........With US government personal details probably being valuable to our state sponsored opponents in the world - however - this data is probably best kept off of public networks all together.

So if I could translate........

Just increase how sensitive this data is to be handled and bump its classification level up to SECRET, then it can only be processed on SIPRNET and all the protections you suggest and more are already in place (y)

But if I might add, because FBIB's intent seems to be to shorten the time required to perform investigations, I doubt they will do anything that might increase how long they take, including limiting where and how they can introduce information into a more protected network.
 


Fair enough. I've only ever dealt with classified paper, not with classified digital content, so I have no idea how they handle it.

When I was with a defense contractor on a classified SECRET program for the Navy, we had a security person who handled the documentation and drawings we needed and placed them in the secure filing cabinet in the secure area for us. When I had to look at the drawings I just looked at the paper copy there.

Besides very little of my programs were secret. Most of the design wasn't classified at all, except for a few details of frequencies here or there.
 
Well Z, everything you said made sense. And that is how the classified military networks are managed for the most part, along with strict access control and a lot more I won't go into here. So if the US decides that the information lost in the OPM hack is indeed sensitive enough to make its protection more important, then it only makes sense to simply upgrade its classification level and treat it that way. But I don't think they will. To do it, they would need to elevate all the people that work with that information and create facilities for them to work from, etc etc. I am sure you can see what the overhead would cost. I think instead they will try to be a little more careful and "wing it" and hope for the best. They will accept the risk instead of mitigating it. That's my guess.
 


Yeah, you have to find a compromise between security and usability.

If one were to go to the extremes of having a separate network for personnel data, it would have to be separate from the networks used for classified secrets, IMHO, otherwise - as you say - everyone who worked in personnel management would need a security clearance. And people are the problem. The more people you put on a secure network, the more likely it is someone will do something stupid.
 
It's not what you know it's who you know. The US government has almost no clue how to fight cyber attacks so they hire how they feel. Also almost everyone in the US (Citizens) who has the skill level they are looking for would NEVER work for " THE MAN"!

EVER!
 


Yep, I work with dozens of them, you are soooo right :ROFLMAO:

There is no organization that endures more cyberattacks than the US Government; it's a daily onslaught all the time. But most of it stays up most of the time. Go to any part and see for yourself.
And that isn't even counting the classified military networks that are so well protected, they can't even be touched unless you somehow capture or breach a facility and try to use their own terminals to access it. Yes, that happens every day.

As for who they hire, maybe you're close. But these companies actually were not "hired", they are simply the only four companies that bid on the contract, and all were awarded a piece of the action because the government is so far behind on the investigation workload that they can't really turn any company down that is qualified to perform the work.

And most of those people you talk about who are "skilled", don't know the first damn thing about working on a classified government network which are a little different.

Do yourself some light reading.

Pentagon’s DC3I Memo Acknowledges Thousands of Cyber Breaches that Compromised DOD Systems and Commits to New Cyber Culture | Holland & Hart's Government Contracts Blog
This is just the Military's Unclassified Network, NIPRNET. This is not the Classified Networks. Always keep that in mind, they are two entirely different animals.

Now this is what I see from the military part of the government, of course the rest of the US government has a wide range of differences and it's true that some are far less secure than others.
 
I......... Behind the scenes the government has been pushing corporations hard to sign up to a Cyber-Breach clearing house; many of us are pushing back as a majority are less than pleased with the government's track record on cyber security................

Are you kidding me?

You are talking about signing up under the SAFETY ACT right?

Oh man you better read again on this, it's the best thing for a business since sliced bread and the Assembly Line together.

Under the SAFETY ACT, any business that signs up, sets up their security under the government guidelines, and allows the government to scan their systems, qualifies for complete protection from lawsuits in case of a breach. If you get hacked, no one can sue your company. There is nothing about those guidelines that keeps you from taking additional security measures that you feel comfortable with.

I am going through these things on the government networks our company is contracted to support. No doubt, they are a pain in the ass. Once you get used to them and understand them better, you realize they are not so bad.

Let me explain. Let's say there is a check and they want you to turn off unneeded services. All that means is that you need to use some peer review, look at all the services running on any given server, determine which ones you really need, and disable the others. It doesn't mean for you to turn off the ones you need. Many of the checks are very "situational", for instance some checks only apply to machines on a Domain, others to machines that are not part of a Domain, etc.

But over the last few years, more and more companies are being sued for breaches by their customers; the lawyers are playing ambulance chaser again. This program, the Safety Act, provides great protection for your business from legal threats.

Now personally, I think the SAFETY ACT is a terrible thing. I think, where the government should be protecting the American people from businesses that don't do enough to protect their customers, instead they are giving business a get out of jail free card, and selling the little guy down the river.

They are doing it under the promise that this SAFETY ACT is needed so they can do a better job of protecting everyone and that by protecting businesses they in turn provide protection for the little guy.

I say protect the little guy, and when the lawsuits are expensive enough businesses will step up and do what they are supposed to be doing, because the lawsuits and fines from the government will be too great a risk to ignore. But that's me, it's a wish, and reality is what we have.

Read up for yourself and make sure I am right, and do what's best for your company.
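As an added example of the "turn off unneeded services" check described above (this is not code from the thread or from any poster), the script below takes the peer-reviewed allowlist that check produces and compares it against the units a host actually has enabled, reporting anything that is on but not approved. Both inputs are plain one-name-per-line files so it runs on constructed data; the sample allowlist is an assumption, not a baseline from any standard.

```sh
#!/bin/sh
# Added example for the "turn off unneeded services" check above; not code
# from the thread. The review product of that check is an allowlist of
# approved units; this compares it against what a host actually has enabled.
# Both inputs are plain files, one unit name per line, so the constructed
# sample below runs anywhere. On a real host, generate the second file with:
#   systemctl list-unit-files --state=enabled --no-legend | awk '{print $1}' > enabled.txt
# The allowlist contents are an assumption, not a baseline from any standard.

# Print enabled units absent from the allowlist, sorted, one per line.
# Blank lines and '#' comments are ignored in both files. FILENAME rather
# than the NR==FNR idiom is used so an empty allowlist still works.
unapproved_services() {
    allowlist="$1"
    enabled="$2"
    awk '
        /^[ \t]*(#|$)/         { next }
        FILENAME == ARGV[1]    { approved[$1] = 1; next }
        !($1 in approved)      { print $1 }
    ' "$allowlist" "$enabled" | sort -u
}

# Gate for a hardening pipeline: returns 0 if every enabled unit is approved,
# 1 (with a report on stdout) otherwise.
check_services() {
    extra=$(unapproved_services "$1" "$2")
    if [ -n "$extra" ]; then
        printf 'enabled but not on the allowlist:\n%s\n' "$extra"
        return 1
    fi
    echo "all enabled units are approved"
}

# Constructed sample data (not from any real host) for a stand-alone run.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/allowlist.txt" <<'EOF'
# peer-reviewed list for domain-joined file servers
sshd.service
auditd.service
chronyd.service
rsyslog.service
EOF
    cat > "$dir/enabled.txt" <<'EOF'
sshd.service
auditd.service
cups.service
telnet.socket
chronyd.service
EOF
    check_services "$dir/allowlist.txt" "$dir/enabled.txt"
    status=$?
    rm -rf "$dir"
    return $status
}

# Run the constructed sample only when asked; ./script.sh --demo prints
# cups.service and telnet.socket as unapproved and exits 1.
case "${1:-}" in
    --demo) demo ;;
esac
```

Keeping the allowlist per host role (domain-joined versus standalone, as the post notes many checks are situational) is what makes this a review rather than a blanket "disable everything": the list is the artifact that peers sign off on, and the diff is what an auditor reruns.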
 
So if the US decides that the information lost in the OPM hack is indeed sensitive enough to make it's protection more important than it only makes sense to simply upgrades it's classification level and treat it that way.

OPM is a civilian organization, so they really can't classify the data any higher than it was already. I would suspect that they do FISMA certification and accreditation of their background check vendors to a risk rating of High.
 
look at the reduction in paper work act, followed by miter the Drexel subsidy mess with the FAA costing Science Applications International Corporation their contracts... they recovered but a buddy of mine was followed around by two guys until he either freaked out and had a heart attack or something bad happened. I was out of the country at the time but it was a closed funeral either way.

Looking at that review, it sounds like an audit of those reviewers working from home would find themselves in major trouble... I know from personal experience that the possibility of classified material on a non-classified drive creates a mess of your life while they look into it. If they are working from home investigating security clearances, how is that information not vulnerable to tampering? One, it should be on a Government Service or DOD machine, not someone's laptop they surf the internet on...

Then again maybe they are fake reviews. Someone should really start taking a better look at military and government service intelligence personnel oversight. I know when I was active duty USAF there was funny stuff going on, but most of that was due to trying to get a handle on the drug cartels trying to undermine and destroy the work ethic of the country. They wanted idiots to work and make nice things then not care where they end up while working a nine to five dead end job. Ya, I can't wait for the next pres, but I am dreading getting reactivated as airman solheim again. It was nuts enough the first time; this time everyone will know that I was actually a general staff officer the first time around.
 

The concept is similar to the TRIA (Terrorism Risk Insurance Program); however, unlike random acts that are difficult if not impossible to insure, such as terrorism, and that could quickly drag down insurance companies' ability to cover catastrophic losses, much can be done to treat cyber exposures (eliminate, avoid, or mitigate). The concept of the NCPA (National Cybersecurity Protection Advancement Act) https://homeland.house.gov/files/documents/04-15-15-NCPA-Act-Summary.pdf is a great idea as a concept. Giving ANY entity access to your networks is always concerning, especially a heavy handed unchecked agency. I am concerned with the down side as you point out, a get out of jail free card for companies that are putting others at risk with poor cyber security practices. But a clearinghouse to discuss breaches and other attacks without fear of repercussion would certainly foster conversation among corporations and perhaps lead to stronger security and countermeasures. If anything looks too good to be true....

I'm on the risk side of the house but work closely with our IT folks given our large cyber exposure. Like most things, I believe private entities can do a much better job of treating risk than the government. One of the hurdles in corporations is the lack of understanding of the exposures at the C-Suite level. It took a presentation revolving around this: https://jenner.com/system/assets/pu...DOCoverageBecomesA_January2015.pdf?1422299806 to grab their attention, in effect they can be PERSONALLY sued for their failure as a company to protect their data and that of their customers. Cyber Insurance has become an expectation of the SEC for any publicly traded company. The insurance marketplace is all over the map with coverage levels, services offered, and what is actually covered; many of which are over-priced and a poor value overall. That being said there are some really solid offerings out there if you look with a great deal of value added services.

I appreciate your insight on this, it pointed out I have some more reading to do (like always). Cheers!
 
OPM is a civilian organization, so they really can't classify the data any higher than it was already. I would suspect that they do FISMA certification and accreditation of their background check vendors to a risk rating of High.

Umm, no, OPM is a government organization. Perhaps you should read more about it.
U.S. Office of Personnel Management - www.OPM.gov

OPM works in several broad categories to recruit, retain and honor a world-class workforce for the American people.

  • We manage Federal job announcement postings at USAJOBS.gov, and set policy on governmentwide hiring procedures.
  • We conduct background investigations for prospective employees and security clearances across government, with hundreds of thousands of cases each year.
  • We uphold and defend the merit systems in Federal civil service, making sure that the Federal workforce uses fair practices in all aspects of personnel management.
  • We manage pension benefits for retired Federal employees and their families. We also administer health and other insurance programs for Federal employees and retirees.
  • We provide training and development programs and other management tools for Federal employees and agencies.
  • In many cases, we take the lead in developing, testing and implementing new governmentwide policies that relate to personnel issues.

This is a Government Office that is in essence, the HR Department for the Federal Government.
And civilians can hold security clearances, civilian contractors working for defense contractor companies do, and those companies sometime operate their own classified facilities and are connected to the DoD classified networks.

Like I said earlier, it's not really a question of "can they do it", it's more a question of "is it worth it" to do it.
 

I need to read those two myself.
This is also part of the entire problem with the government trying to actually cross the threshold and engage more closely with IT/CyberSecurity in the business sector. You have different government entities all prompting congress to pass legislation from different viewpoints and sometimes, I should say inevitably, there will be conflicts between them. Too many fingers in the cookie jar.

EDIT: OK, looking into the National Cybersecurity Protection Advancement Act of 2015, I see it has passed the house but it looks like it's tabled in the Senate.
 
Umm, no, OPM is a government organization. Perhaps you should read more about it.
U.S. Office of Personnel Management - www.OPM.gov

Ok, I chose the wrong words when trying to differentiate it - I meant to say that it is a non-military government organization. I'm quite familiar with how everything interacts and contractor companies that will put folks through either the public trust or secret security backgrounds in order to fulfill those contracts.

The other thing that I remember from reading about this breach when it happened (as my information was in the OPM database) is that what was breached was actually OPM's system with the credentials that were assigned to one of the contractor's contractors rather than a breach of the contractor's actual system...
 

Yes it was something along those lines. It wasn't a direct hack of OPM but more like unauthorized access using compromised credentials from an authorized third party.
 