OPM Breach Offers Tough Lessons For CIOs - InformationWeek

Ulf Mattsson
User Rank: Strategist
6/18/2015 | 2:46:39 PM
Commercial encryption products that existed in year 2000 could have prevented the breach
My understanding is that OPM is using commercial databases, including Microsoft SQL Server and Oracle. It is likely that commercial data security products could solve the security issues 8 years ago, when the OPM compliance issues surfaced.

As early as 2000 in the US, leading beverage brands and leading investment banks encrypted sensitive information to prevent unauthorized access by root, database administrators and other users, in commercial databases including Microsoft SQL Server 2000 and Oracle 8i.

It is likely that commercial encryption products that existed in year 2000 could have prevented or significantly limited this large data breach.

Ulf Mattsson, CTO Protegrity
larryloeb
User Rank: Author
6/18/2015 | 3:39:23 PM
Re: Commercial encryption products that existed in year 2000 could have prevented the breach
Well, the way I heard this one was that OPM was a COBOL shop using 20-year-old programs. I can't recall any COBOL crypto libraries, although an OS wrapper may have been useful.
Remember, this is the US Government we are talking about. If there is no funding for a program, it doesn't happen. Congress has to tell these guys to implement.

And I don't think OPM even had a CIO until 2013.
Ulf Mattsson
User Rank: Strategist
6/18/2015 | 4:06:45 PM
Re: Commercial encryption products that existed in year 2000 could have prevented the breach
Thank you. Now I better understand why the data was not secured.

Publishing companies in the US encrypted data on mainframe/COBOL in 2005 to selectively prevent administrators and other users from reading sensitive data.

Ulf Mattsson, CTO Protegrity
kstaron
User Rank: Ninja
6/24/2015 | 10:24:18 AM
The hackers
While I find it unsurprising that China or Russia might hack for government intel, since I doubt the countries are confessing to such things, how do we know it's them? How reliable are the processes we use to determine who hacked us? I ask mainly because I had heard rumors the Sony and North Korea thing at one point looked like an inside job made to look like North Korea. Once you're hacked, how much faith can you put in who you think did it?
larryloeb
User Rank: Author
6/24/2015 | 10:38:05 AM
Re: The hackers
Well, besides the obvious IP tracking used (and correlating it to other previous attacks) there seems to have been certain code fragments and techniques that were used before.

There may be other factors here nobody is talking about (NSA pwning Chinese assets?) but considering both the target and the techniques used, there is a decent chain to link this to nation-states.