Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

The OPM Breach Two Years Later: Why We Need a Marathon

The White House called for a 30-day sprint in response to the devastating data breach at the Office of Personnel Management (OPM), discovered in April 2015. The immediate goal was to bring agencies’ cybersecurity up to an acceptable level. It directed agencies to implement a number of best practices, including scanning systems for known threats, patching critical vulnerabilities, managing privileged access and using multi-factor authentication. But is a sprint enough?

OPM timeline

Two years after the breach, which exposed sensitive records and personal information of 21.5 million past, present and potential federal employees, the OPM Inspector General still found the agency was struggling to meet cybersecurity requirements. OPM is not the only agency facing these challenges. The Government Accountability Office has classified federal cybersecurity as a high-risk program for 20 years.

To address today’s cybersecurity challenges, the government needs a marathon

A sprint is fine if you need to quickly meet a short-term goal, but that’s not how the government or the world should be thinking about risk or security. To address today’s cybersecurity challenges head on, the government needs a marathon. Without a resilient and comprehensive cybersecurity strategy, agencies will struggle to understand their true level of exposure and to reduce their risk.

The changing world

The federal government is frequently criticized for maintaining legacy IT systems. The House Oversight Committee last year called agencies’ reliance on outdated and unsupported technology “a ticking time bomb.” Alongside these legacy systems, agencies are adopting new computing assets like cloud, DevOps/containers and the Internet of Things (IoT) that are disrupting the traditional network perimeter to create a dynamic and boundaryless IT environment.

Alongside legacy systems, agencies are adopting new computing assets

Operational technologies (OT) like SCADA/ICS are still a major part of the government’s critical infrastructure, and while designed for precision and reliability, were not built with security in mind. The rise of industrial IoT means critical devices such as medical devices, transportation systems and ICS have become internet accessible.

This convergence of IT and OT is expanding the already complex attack surface, creating additional security risks and safety concerns for chief information security officers (CISOs) who already struggle to gain visibility into their exposure areas.

Real modernization

Real modernization requires change in how systems are architected

Agencies must modernize IT systems if they are to improve their cybersecurity. But modernization requires more than merely updating or replacing legacy systems with new products and services. Real modernization requires change in how systems are architected. The systems must provide administrators with the visibility to fully monitor all assets—whether on-premises or in the cloud—in as close to real time as possible. Administrators must be able to manage them and to respond quickly to vulnerabilities, threats and attacks. This requires interoperability and the use of automation where possible, so that administrators and security personnel can apply their human intelligence where it is most needed.

Modernization will be a big job for agencies. The GAO reported to the House Oversight Committee last year that agencies spent more than 75 percent of their fiscal 2015 IT budgets on legacy equipment. Some systems still are using COBOL (the Common Business Oriented Language) for computers developed in the late 1950s and early 1960s.

Replacing these antiquated systems would be a step forward in improving cybersecurity. But completing the task of modernization will require a long-term commitment to change and will be realized only if it is prioritized by agencies, legislators and the administration. Initiatives such as President Trump’s recent Executive Order on cybersecurity can help point the way to needed changes and strategic planning. The Modernizing Government Technology bill that has been introduced in Congress would help by establishing a capital fund to help agencies finance new technology. This could jumpstart the modernization process and make it easier for agencies to make long-term plans and to respond quickly to evolving threats and technology.

Ultimately, each agency must establish and pursue its own strategic plans focusing on the long-term goal of manageable and secure information systems. Only then can the government be fully prepared to regain control of their networks and confidently manage cyber risk in today’s modern IT landscape.

More information

For more data about the OPM situation, visit the Tenable OPM web page and download the free whitepaper.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training