OPM hack may finally end overuse of 'privileged' user access

Office of Personnel Management attackers entered the agency's network with a username and password belonging to an external contractor. As a result, security experts are renewing calls for stricter limits on this kind of privileged access. 

The widening data breach at the Office of Personnel Management has focused attention on the longstanding failure by many large organizations to properly protect user accounts that have broad – or privileged – access to critical digital systems and data.

In testimony before lawmakers this week, OPM Director Katherine Archuleta disclosed that in one of the two recently discovered intrusions at the agency, intruders gained access to its systems using a username and password belonging to an external contractor working for the agency.

The attackers then leveraged that foothold to access a critical database and siphon out sensitive personal data belonging to an estimated 4 million current and former federal workers. Their activity remained hidden from view since it was carried out under the guise of someone with legitimate access rights.

The same tactic has been used repeatedly and with stunning success by malicious hackers in numerous attacks recently, most notably the late 2013 Target hack that exposed data on more than 40 million credit and debit cards. The intrusion at health insurer Anthem also is believed to have resulted from attackers gaining access to usernames and passwords belonging to multiple employees, including a network administrator.

"I don’t want to bash government. But there’s absolutely no reason why [the OPM breach] won’t be taken as an opportunity to think and act differently," on the privileged user issue, says Udi Mokady, chief executive officer of CyberArk, a security firm that sells a product to help organizations control access to privileged accounts.

It’s not untypical for an organization to have thousands of privileged accounts across its networks and not even be aware of their existence, Mr. Mokady says. 

In a report to Congress earlier this year, the White House Office of Management and Budget estimated that at the end of 2014, more than 134,280 federal accounts had privileged access to systems with just a username and password. The OPM itself has not revealed how many such accounts it has. But in her testimony to lawmakers this week, Ms. Archuleta noted that 47 of OPMs biggest applications are still protected only by usernames and passwords.

Following the OPM breach disclosure, federal Chief Information Officer Tony Scott announced a 30-day "cybersecurity sprint" for bolstering key security capabilities at federal agencies. The most significant among them is a requirement for all agencies to tighten policies and practices for privileged users.

Mr. Scott’s instructions call on federal agency CIOs to minimize the number of privileged users and to limit functions that can be performed when using such accounts. It also require agencies to limit the duration of time that a privileged user can be logged into an account and to limit the actions that can be taken when someone is logged in from an external location.

Privileged accounts allow systems and network administrators to perform needed tasks like maintaining systems and software, applying security and software updates, and other routine administrative tasks. All computer systems, network equipment, applications, and databases have these special access controls built into them.

Anyone with rights to these accounts has potentially a way to take complete control of the system if they chose to do so. The problem is a well-understood one and numerous incidents over the past have highlighted just how critical it is for organizations to ensure that privileged accounts cannot be abused to steal data or sabotage systems.

One of the most dramatic of them happened in 2008, when Terry Childs, a network administrator at the City of San Francisco, reset passwords to a crucial city network locking city officials out of it for nearly 10 days, over a work related dispute. Over the years, there have been numerous other incidents where privileged access rights have been abused to sabotage systems, snoop on and steal intellectual property and sensitive data from organizations.

Many incidents of privileged access abuse have involved insiders. But as the recent breaches have shown, an external attacker who gains access to credentials with elevated privilege can create the same havoc and remain mostly hidden while doing so.

Security best practices require organizations to protect these accounts and ensure that anyone that has access to them cannot abuse their rights. A slew of tools are available that tightly restrict, monitor, and audit what administrators can and cannot do with their access.

One of the keys to addressing the problem is limiting the number of people who have access to such accounts and also how much access they have, says Morey Haber, platform product manager and vice president at vice president of technology at BeyondTrust, a security firm. The goal should be to enforce the principle of least privilege, where users strictly have the access to do what they are required to do but nothing else. Also key are measures like safe storage of passwords, constant password rotation and proving complete visibility into what a privileged user is doing with that access, Mr. Haber said

Even though the privileged access issue is getting more attention, and federal officials are calling for change, few are holding their breath that any significant change will happen quickly.

Bob Lentz, former chief information security officer at the Department of Defense, says procurement practices at federal agencies continue to be a huge hindrance to improvement.

Moving federal agencies to new security technologies in a quick manner is almost impossible under present conditions because of how long it takes to work through the vetting and purchasing cycle, he says. “Cyber gets treated like buying airplanes and ships and tanks," says Lentz. "It’s ridiculous."