
Tenable Blog


The OPM Breach Two Years Later: Four Best Practices for Cyber Operational Excellence

Socrates is alleged to have said, “the secret of change is to focus all of your energy, not on fighting the old, but on building the new.” [1] The saying certainly applies to cybersecurity, where change is the only constant. You don’t have to be Socrates to see that two years after the Office of Public Management cyberattack, too many organizations are still focusing on the old and not building the new.

The good news here is that it’s not too late. There are some best practices that all organizations can employ to strive for operational excellence, to better understand and reduce their exposure and risk, and to implement a resilient, long-term cybersecurity strategy.

1. Manage risk proactively

When the OPM breach was discovered in 2015, 15,000 outdated machines and 2,000 pieces of malware unrelated to the data breach were also found. Fewer than 10 infections from the breach’s PlugX malware compromised millions of records. The agency was thrown into reacting to, not anticipating, a major incident.


Knowing your network is the foundation of good cybersecurity and your best defense against increasingly sophisticated cyberattacks. Having a resilient and comprehensive cybersecurity posture must start with a strong understanding of your organization’s network, nodes, assets, tools and vulnerabilities, accompanied by a robust patch management program to address known but unpatched vulnerabilities.

The insider threat also cannot be ignored. Insiders with legitimate access privileges often can fly under the security radar so that breaches are discovered only long after the fact. There are blind spots in every organization’s network that leave them vulnerable, including employee data which carries immense value to attackers. That’s why it’s important to treat all data—especially on government networks—as carefully as you would classified information, and implement effective access, password and credential management to defend against elevated privileges, unauthorized access and insider threats. You can never truly know where the next threat will come from.

2. Embrace modernization

Organizations cannot make large, impactful changes if they are averse to change in the first place, and this is true in IT security as in other areas of operation.


Security upgrades must go hand in hand with IT modernization. As organizations deploy up-to-date IT, they have the perfect opportunity to reduce their attack surface and address rapid changes in the threat landscape. They can enhance security through improved visibility into the network, continuous and comprehensive monitoring, and the patching of vulnerabilities. Legacy systems that are no longer supported with regular patches can be protected by isolating them from the internet-connected network until they can be replaced.

However, at some point, government agencies will run out of resources to maintain these outdated systems, and will need to prioritize change. One way to hold these organizations accountable to high security standards is to implement a baseline approach that outlines which models of operating systems can still be supported across the federal government, and then follow through with cyber funding to improve networks.

Legislation, such as the Modernizing Government Technology (MGT) bill now pending in the Senate, would establish a working capital fund to let agencies pay for technology updates through savings realized from modernization. Replacing the traditional use-it-or-lose-it approach of annual appropriations would allow agencies to make long-term plans for replacing legacy IT, taking advantage of advances in technology while simultaneously strengthening cybersecurity.

3. Leverage cybersecurity frameworks

Too often, organizations reinvent the wheel when it comes to cybersecurity. This is particularly the case from a governance or process perspective. Yet there is a large volume of cybersecurity research available that has identified many cybersecurity best practices.

The government has produced several cybersecurity frameworks to help agencies and other organizations secure IT systems and sensitive data. Many of these are voluntary for the private sector, but under FISMA (Federal Information Security Modernization Act) and other cybersecurity initiatives, federal agencies are being required to use this guidance. The NIST Cybersecurity Framework is now recommended by the recent Presidential Executive Order on Cybersecurity as a starting point on long-term foundational cybersecurity insights.

4. Invest in a strong workforce

Finally, regardless of the threats facing all organizations, it takes well-trained, well-informed people with creative mindsets to stop the threats. In government, as in other sectors such as oil, gas and utilities, many of the best-trained workers are nearing retirement. This brain drain will make combatting threats even more difficult.


A GAO study found that by September 2017, nearly 600,000 federal workers—31 percent of the workforce—will be eligible to retire. Government agencies will find it difficult to compete with the private sector to counter the exodus. Government salaries usually are not competitive with commercial firms, and private sector jobs often offer more flexibility and creative benefits.

Organizations will have to provide incentives outside of financial compensation for security professionals to enter and remain in the cybersecurity workforce. Benefits such as flexible working conditions, professional development, and public service opportunities should be offered to a younger workforce that values such creative benefit packages.

More information


Effective cybersecurity requires that organizations learn from the OPM breach and build a solid foundation for a long-term cybersecurity strategy. By focusing first on basic practices, organizations can make strides in understanding their exposure, reducing risk and building a resilient cybersecurity program.

For more details on these best practices, download our free OPM whitepaper.

[1] The quote is attributed to a character named Socrates in Dan Millman’s book Way of the Peaceful Warrior.
