Tag Archives: USIS

OPM Is Not Alone – 47 Agencies Credentials May Be Compromised

While OPM still garners most of the attention, and the number of potentially compromised records continues to rise (it could now be as high as 32 million, or 1 in 10 Americans), other reports show that credentials for other government users can be found on Pastebin. Part of the problem is password reuse between work accounts and other accounts, say Facebook. Part of the problem is that many agencies still do not require anything more than a password to log in remotely (see articles here and here).

Federal Computer Weekly is reporting that credentials for employees at 47 agencies, including DHS, were found at sites like Pastebin, a toxic waste dump of all kinds of stolen stuff along with legitimate content.

FCW says that as of early 2015, 12 of those agencies did not require two-factor authentication to log in remotely, meaning that if you had a userid and password, you were in. This includes privileged users, a horrible security faux pas.
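The two problems named above, reused passwords and accounts that a password alone unlocks, are things a defender can check for when a dump like the ones on Pastebin surfaces. The following is an added example, not code from the original post or from FCW: it parses constructed `email:password` dump lines, keeps only the addresses at an assumed agency domain (`agency.example`), verifies each leaked password against a constructed directory of salted PBKDF2 hashes to see whether the leaked password is also the work password, and flags accounts that have no MFA enrolled. The directory, the domain and the dump lines are all assumptions made up for the example.

```python
"""Screen a leaked credential dump for reuse of work passwords.

Added example, not part of the original post. Everything here is constructed:
the dump lines, the agency domain and the stored password hashes.
"""
import hashlib
import hmac
import os

AGENCY_DOMAIN = "agency.example"  # assumption: the domain being defended
PBKDF2_ITERATIONS = 100_000       # stand-in for a directory's salted hashing


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the constructed directory's hash format."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_directory(users):
    """Build {userid: (salt, hash, mfa_enrolled)} from constructed plaintexts."""
    directory = {}
    for userid, password, mfa in users:
        salt = os.urandom(16)
        directory[userid] = (salt, hash_password(password, salt), mfa)
    return directory


def parse_dump_line(line: str):
    """Parse one 'email:password' line; return (userid, domain, password) or None."""
    line = line.strip()
    if not line or ":" not in line:
        return None
    email, password = line.split(":", 1)
    if "@" not in email:
        return None
    userid, domain = email.lower().rsplit("@", 1)
    return userid, domain, password


def screen_dump(dump_text: str, directory: dict, domain: str = AGENCY_DOMAIN):
    """Return a sorted list of (userid, finding) for agency accounts in the dump.

    'reused'  - the leaked password verifies against the work-account hash
    'exposed' - the work address appears in the dump but the password differs
    Accounts without MFA get the suffix ', no MFA': a reused password alone logs them in.
    """
    findings = {}
    for line in dump_text.splitlines():
        parsed = parse_dump_line(line)
        if parsed is None:
            continue
        userid, dump_domain, leaked_pw = parsed
        if dump_domain != domain or userid not in directory:
            continue
        salt, stored, mfa = directory[userid]
        reused = hmac.compare_digest(hash_password(leaked_pw, salt), stored)
        level = "reused" if reused else "exposed"
        if not mfa:
            level += ", no MFA"
        # Keep the most severe finding per account ('reused' outranks 'exposed').
        if findings.get(userid, "").startswith("reused") and not reused:
            continue
        findings[userid] = level
    return sorted(findings.items())


# Constructed sample data: three work accounts, two of them reusing a password.
DIRECTORY = make_directory([
    ("alice", "Wint3r!Hike", True),
    ("bob", "correct-horse", False),
    ("carol", "S3cure#Pass", False),
])

# Constructed dump lines in the 'email:password' form such pastes often take.
SAMPLE_DUMP = """\
alice@agency.example:Wint3r!Hike
bob@agency.example:oldpassword123
dave@other.example:whatever
not a credential line
carol@agency.example:S3cure#Pass
"""

if __name__ == "__main__":
    for userid, finding in screen_dump(SAMPLE_DUMP, DIRECTORY):
        print(f"{userid}: {finding}")
```

Running it reports `alice: reused`, `bob: exposed, no MFA` and `carol: reused, no MFA`; the accounts marked `reused, no MFA` are the ones the article's numbers describe, where the leaked password is the only thing standing between the attacker and a remote login, so they are the first to get a forced reset and MFA enrolment.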

While Congress is finally holding some hearings and beating up everyone in sight besides themselves, they still have not approved the deployment of DHS’s Einstein, while at the same time complaining to agency heads about not securing the networks.

Such is the challenge of government.  Getting things done requires an Act of Congress – sometimes literally, sometimes figuratively.

Partly, this is because Congress is often about sound bites and the daily news cycle, so rather than dealing with dull, boring stuff like cybersecurity, they vote on things that will get them 30 seconds of face time on CNN or Fox. Partly, it is because many members of Congress have their staff print out their emails for them. Only 4 members of Congress have computer science degrees (4/535 = 0.7%).

Another new item: credentials from KeyPoint Government Solutions were used by hackers to obtain access to OPM systems.

KeyPoint, one of two contractors that OPM used to do background checks, was hacked last year. The other contractor, USIS, was also hacked. OPM decided to cancel (technically, not renew) USIS's $2+ billion contract, and USIS has filed for bankruptcy. OPM defended not firing KeyPoint as well. When cost is the determining factor for who wins a contract, the American people lose, because security is not a consideration.

At the same time, less than half of U.S. companies do vendor security assessments, meaning that a lot of private companies may be in the same boat as OPM and not even know it.


The Challenges Of Staying Safe

USIS, a firm that used to do background checks for the U.S. Government, was hacked in 2013. They did not provide many details of what happened, but the government cancelled $2.5 billion in contracts and they laid off 2,500 employees. It also pushed the parent company dangerously close to default on $2 billion in loans and caused Moody's to downgrade the company. This is the potential impact of a security breach. (see here, here and here)

Now some details are coming out (see article).  Apparently, the company uses SAP, a very popular enterprise software product that is both very complex and very powerful.  In USIS’s case, that software was hosted by a third party.

A report that came out this weekend says that it is likely that the attackers compromised that SAP software and that is how they were able to access the USIS data.  The details of how exactly they did this are still unclear, but it should act as a reminder for all businesses:

  • Patching software is very important. As the complexity of the product grows (like SAP), the odds of bugs go up, and some of them could be fatal. According to other reports, many SAP users do not patch their software for fear of breaking something. We don't know if a missing patch allowed the hackers in at USIS.
  • Evaluate the security of third-party providers. If you outsource operations, you are still the one your customers (and the law) will go after. I doubt their outsource provider had a $2.5 billion dollar insurance policy and even if they did, that would only cover the lost contract, not USIS's reputational loss.
  • Programs like SAP tend to be customized. A lot. Vendors will not provide patches for your customizations, and planning for how to take care of that is not easy, because how your customizations interact with the vendor's code is often complex. In general, internally developed software is tested significantly less rigorously than commercial software, since it only has one customer. Think about how buggy commercial software is.

Hopefully, USIS will pull through this, but there is no way to recover that business unit.  In fact, they may lose other, only marginally related business due to reputational problems.

I will leave you with three questions:

  1. Are you confident that your software patching process covers all of your software and is applied quickly enough?
  2. Do you evaluate the security of third-party providers, or just the cost? Overall, less than 25% of companies evaluate vendor security, and for many of the ones that do, it is only a paper exercise.
  3. How do you test and patch your internally developed software? I do not mean functional testing (that it works like it is supposed to); I mean testing to make sure that a hacker can't break in using it.

The lack of an adequate answer to these three questions cost USIS at least $2.5 billion and maybe their company.


Hackers hit Second OPM Background Investigations Contractor

According to Washington Technology, hackers have gone after Keypoint Systems, a contractor for the Office of Personnel Management that does background investigations for security clearances. If you have ever had a Department of Defense or other government security clearance, you know that the information you provide is extremely detailed; for example, the DoD's SF-86 form can be well over 100 pages when completed. OPM is notifying almost 50,000 people that their information may have been taken. "May have" because they don't really know. I assume they don't know because Keypoint did not have sufficient controls in place to tell what the hackers took. OPM says that Keypoint is adding more controls as a result of the breach, but beyond that, they are saying very little.

Curiously, USIS, the contractor that OPM used to use and most famous for having performed Edward Snowden's background investigation, was also hacked this year, and OPM cancelled their contract, causing them to lay off 3,000 employees. The fact that OPM is handling these two breaches very differently will no doubt get some attention on Capitol Hill.

It is more than a little disconcerting that two different contractors who handle security clearance investigations for the government were hacked this year. It says something about the (lack of) security requirements in the contracts that OPM is issuing to vendors.

They are the government so they can get away with a lot more than you or I can.

While it is fun to beat up the government, it is, unfortunately, like taking advantage of someone who is not very good at what they do.

The lesson to be learned here is that you should review whether or not you are effectively vetting the security of subcontractors and vendors that you use.  Do your contracts have specifics regarding security practices, policies and technology?  If what happened to Keypoint and USIS happened to you, it would likely have a large effect on your business.  USIS had to shut down an entire division.

Mitch