Black Hat 2015

Black Hat 2015: Salted Hash live blog (Day 1)

There was plenty of blame and fault to be shared in the aftermath of the OPM incident

blackhatusa
Credit: Joao Carlos Medau (with modifications)

LAS VEGAS – Black Hat 2015 is underway, and the corporate side of hacking has taken center stage. There are plenty of hot topics this year, but the mess at the OPM is something that is still generating buzz months after the fact.

Last month, House Oversight Committee Chairman Jason Chaffetz disclosed that in addition to the 4.2 million records that were previously reported compromised in June, OPM discovered a second incident during that investigation that impacted 21.5 million people, and 19.5 million of them had applied for security clearance.

A day later, OPM director, Katherine Archuleta resigned from her position. The resignation wasn't unexpected, as calls for her removal had started shortly after the first incident was announced.

However, some experts think that her resignation shouldn't have been the only one, and that others should have been punished as well. John Pescatore, director of the SANS Institute, said it's the sad fact in the federal government is that it's easier to punish a department head than a CIO.

"As Verizon and other breach investigation reports invariably point out, the majority of breaches could have been prevented by basic "security hygiene" - a la the Critical Security Controls. Most of the failures in configuration management, patching and privilege management are IT operations failures that many CIOs allow to continue and at best try to spackle over with 'security.' The CIO at Target was the first fired after their breach - I'd really like to see more focus on the IT operations side at government agencies as Federal CIO Tony Scott's rapid cybersecurity review proceeds."

However, Alan Paller, founder and research director of the SANS Institute, said that while Pescatore was right in part, in order to get fair accountability in this situation and to actually change behavior, there is one other person (in addition to the CIO) who needs to be fired, and two others who need to be demoted.

"The other firing is the security audit director on OPM's Inspector General's staff for auditing the wrong things. This is a critical action. Without it, IGs will continue to drive federal cybersecurity into the toilet. The two people who need demoting and retraining are (1) the current CISO at OPM who appears to lack the technical skills to implement effective defense, discovery, containment and recovery, and (2) the OMB executive who has failed for half a decade to ensure agencies measure the right things."

Do you agree? Disagree? Leave a comment below and share your thoughts.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.