In June, the United States Office of Personnel Management (OPM) announced that it had been the target of a hack. It was originally estimated that 4 million individuals were affected; in July that estimate was revised upwards to 21.5 million. The stolen records included personal information such as addresses and dates and places of birth, as well as 1.1 million compromised fingerprint records.
Once the severity of this breach was revealed, Federal CIO Tony Scott launched a government-wide Cybersecurity Sprint on June 12, giving agencies 30 days to shore up their systems. Agencies had to report to OMB and DHS if they were unable to accomplish any of the agreed tasks within the 30-day window. Agencies also had to report on their progress at the end of the sprint, along with any challenges encountered.
An audit report back in February 2015 had already identified the lack of two-factor authentication on privileged accounts as a potential weakness in the security posture of government agencies. This gap is highlighted as one of the main reasons the perpetrators were able to get usable information out of OPM's systems, using basic credentials stolen from the third-party contractor KeyPoint Government Solutions.
Two-factor authentication will certainly reduce the attack surface and the chance of stolen credentials being useful if they fall into the wrong hands, but it is just as important to ensure that privileged accounts only have access to the systems and data they actually need. Another concern here is the involvement of a third-party contractor with access to government systems and personal data. How closely was that contractor's activity being monitored? Was its access to these systems tightly enough controlled, monitored and audited? Permanent access to information as sensitive as this must be granted on a “need to login” basis only.
If you’re managing access to your data by third parties or contractors, why not consider a solution that lets you control privileged user sessions by approving each access request, applying a time-based policy, or even automatically issuing a one-time password for single use?