Preventing Cyber Breaches

Preventing Cyber Breaches Jacob Malone The digital universe is growing at an astonishing 40% every year. With this kind of growth cyber security is more import today than any time in history. Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access (Rouse, 2016). In 2015 the global cybersecurity market hit $75B and is expected to reach over $170B by 2020. Cyber risk has become an international priority due to fears that cyber-attacks or security failures could lead to a global economy collapse. Cyber crime costs the global economy over US$400 billion per year, according to estimates by the Center for Strategic and International Studies. In 2013, some 3,000 companies in the United States had their systems compromised by criminals, the Center reports (Gabel, Liard, Orzechowski, 2015). These cyber-attacks fall into two main categories: breaches in data security and sabotage. A security breach can be anything from targeting personal data to gaining trade secrets to information pertaining to bids or mergers. On the other hand attackers my send denial of service attacks in order to sabotage the infrastructure in order to gain information. Since the late 1980s there have been several critical cyber-attacks. In 1989 the first computer worm was created by Robert Morris that spread so hastily that it shut down the majority of the internet. Fast forward to 2008 and Heatland Payment Systems suffered suffered from one of the largest credit card information breaches in history. It is estimated that over 130 million records were compromised. Their system was corrupted by malware that was inserted into their network that recorded credit card data as it was received from retailers. Finally, in 2015, China attacked the federal government in which they stole PII for over four million federal employees spanning almost every government agency. Officials said the thieves broke in by using stolen contractor logins and passwords (Nakashima, 2015). Once the attackers gained access to OPMs network they installed a malware package the created a backdoor. From there they were able to escalate their rights and privileges in order to access more of OPMs network. The hackers got away with names, birth dates, home addresses, and Social Security numbers (Castelluccio, 2015, p. 79). Almost a year passed before OPM realized they had a problem that discovered irregular SSL traffic by using a decryption tool that was install a few months earlier. Once discovered they reported the discovery to DHS U.S. Computer Emergency Readiness Team which began the investigation. The discovery of a threat to the background investigation data led to the finding two days later, on April 17, of a risk to the personnel records. US-CERT made the discovery by loading data on the April 15 incident to Einstein, the departments intrusion-detection system. On April 23, US-CERT spotted signs of the Dec. 15 exfiltration in historical netflow data, and OPM decided that a major incident had occurred that required notifying Congress. (Lyngaas, 2015) After a thorough investigation it was undetermined how the hackers acquired the credentials from the contractor KeyPoint Government Solutions. In the wake of the disaster OPM deployed a predictive malware prevention across their network in order to sever the attackers network access. In addition, the agency used an advanced host-based security tool to discover, quarantine and eliminate [the] malware (Lyngaas, 2015). In the end, the Chinese government arrested the hackers that were responsible for the attack. OPMs network was protected by one major Department of Homeland Security (DHS) program called Einstein. The Einstein system, which DHS began deploying in 2005, focuses on the perimeter of federal networks by installing sensors at Web access points and sifting through that data for vulnerabilities (Lyngaas, 2015). This system is only a first line of defense with nothing else to help back it up in case of an intrusion. In order to have avoided this attack or minimize the devastation these programs needed to be accompanied with tools such as masking, redaction, and encryption. OPM could have also used data masking or redaction and encryption techniques to minimize the damage done by the attackers. Data masking obfuscates sensitive data by replacing it with other data typically characters that will meet the requirements of a system designed to test or still work with the masked results. Masking ensures vital parts of personally identifiable information (PII) (Simpson, n.d.). This is commonly used in organizations that work with sensitive data like PII. The sensitive data is masked or redacted in order to protect the information since it passes through so many hands. For example, the first five digits of a social are typically covered or masked is Xs in order to protect the information leaving only the last four digits legible. This process, once completed, is irreversible. Data encryption involves converting and transforming data into scrambled, often unreadable, cipher-text using non-readable mathematical calculations and algorithms. Restoring the message requires a corresponding decryption algorithm and the original encryption key (Simpson, n.d.). This process is used in organizations where data needs to be transferred between networks or computers. During this process the data is converted to non-legible gibberish like ciphertext. The only real way to gain access to this data is to have a special key or password that only authorized users have access to. Encryption Masking Reversible Highest security Trusted with security proofs Realistic data Format-preserving and partial reveals Range and value preserving De-centralized architectures Format-preserving and partial reveals Complex No performance impact on usage Key management Zero need for authentication and authorization and key management Useless without robust authentication and authorization Not as well marketed Data value destruction Not reversible Table 1 Given the scenario of OPMs data breach encryption would not have prevented the breach or loss of data. This is largely due to the fact that the perpetrators had valid user credentials and would be able to access the network just like any other user. The best way to have prevented this attack would have been the timely detection of the intrusion. It can take days or weeks for an intruder to navigate their way around a system and successfully compromise data. During this point if you can identify a breach you can contain the infiltrator before he can accomplish his mission. This could mean the difference between a catastrophic breach and unauthorized user access. Since the attack DHS developed the Continuous Diagnostics and Mitigation (CDM) program. It focuses on endpoint security and identity management. Furthermore, it provides a dashboard to allow network administrators to view vulnerabilities and provides continuous monitoring. Finally, it also has the ability to identify bad sectors of the network once an attacker is through the perimeter. Also, President Obama signed an Executive Order to create the Information Sharing and Analysis Organizations (ISAOs) to buffer between government and industry. The Order presented a framework for enhanced information sharing with the purpose of encouraging private sector companies to work together and work with the federal government to identify cyberthreats (Russo Rishikof, 2016, p. 427). In conclusion, it is highly unlikely that OPM could have completely prevented this attack. However, there are steps they could have taken in order to mitigate the devastation that was caused. Although if encryption techniques were used it would not have protected the information due to the fact the intruders were operating under valid credentials. However, if the data was masked then a limited amount of PII would have been available. Furthermore, if there was a more timely detection of the attackers the damage would have been significantly less. Finally, with the new Executive Order signed by President Obama is a step in the right direction to strengthen cyber security and prevent future attacks. References Castelluccio, M., (2015). The biggest government hack yet. Strategic Finance, 97(8), 79-80 Gabel, D., Liard, B., Orzechowski, D. (2015, July 01). Cyber risk: Why cyber security is important. Retrieved March 07, 2017, from https://www.whitecase.com/publications/insight/cyber-risk-why-cyber-security-important Lyngaas, S. (2015, August 21). Exclusive: The OPM breach details you havent seen. Retrieved March 07, 2017, from https://fcw.com/articles/2015/08/21/opm-breach-timeline.aspx Lyngaas, S. (2015, June 5). Security experts: OPM breach shows Einstein isnt enough. Retrieved March 07, 2017, from https://fcw.com/articles/2015/06/05/opm-einstein.aspx Nakashima, E. (2015, July 09). Hacks of OPM databases compromised 22.1 million people, federal authorities say. Retrieved March 07, 2017, from https://www.washingtonpost.com/news/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/?utm_term=.976d563a63f2 Rouse, M. (2016, November). What is cybersecurity? Definition from WhatIs.com. Retrieved March 07, 2017, from http://whatis.techtarget.com/definition/cybersecurity Russo, K., Rishikof, H., (2016). Cybersecurity: Executive Orders, Legislation, Cyberattacks, and Hot Topics. Chapman Law Review, 19(2), 427. Simpson, J. (n.d.). Data Masking and Encryption Are Different. Retrieved March 07, 2017, from http://www.iri.com/blog/data-protection/data-masking-and-data-encryption-are-not-the-same-things/