BreachExchange mailing list archives

Ransoming Sensitive Personal Information: Will OPM’s Data Breach Trigger Your Insider Threats?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 25 Jun 2015 19:19:32 -0600

http://www.jdsupra.com/legalnews/ransoming-sensitive-personal-99951/

Perhaps it’s the books I’ve been reading or the television shows I’ve been
watching, but my mind can’t seem to stop linking the recent barrage of
cybersecurity attacks with those ne’er-do-wells that plagued the Caribbean
from 1650 through the 1730s.  Yes, I’m talking about pirates, but not the
Errol Flynn/Johnny Depp-style buccaneer, more the Edward Teach model, the
notorious “Blackbeard.”  One of Blackbeard’s most infamous successes
occurred in Charleston, South Carolina in 1718 when he blockaded Charleston
Harbor and held some of the town’s leading citizens for ransom.  Rather
than demand the typical jewels and money, Blackbeard wanted something else
– he held both the town and its people ransom for £300 of medicine.  After
a circus of errors conspired to delay the ransom payment, Blackbeard
received his medicine and released both the harbor and his prisoners –
minus, of course, much of their finer possessions (they were pirates after
all) – and sailed off into legend.  So what does this jaunt down piracy
lane have to do with cybersecurity and federal contractors?  Simple,
sometimes we don’t know what’s really of value and how that value can be
used.  Case in point – the OPM breach.

Unless you’ve been living in the 18th century you are aware that the
records of approximately 4 million current and former federal employees
were compromised as a result of a recently disclosed network breach at the
Office of Personnel Management (“OPM”).  The full extent of what was stolen
remains unclear (as with most breaches), but it is currently believed that
the attackers gained access to information such as Social Security numbers,
job assignments, performance ratings, training information, and, most
troubling, the information resident on the Standard Form 86 (“SF-86”),
Questionnaire for National Security Positions.  The SF-86 is a 127-page
form contractors and federal employees complete in advance of background
checks for security clearances.  As such, the forms contain a wealth of
sensitive – near-confessional – data, not only about the clearance-seeking
workers, but also about their friends, spouses, family members, and foreign
nationals with whom they interact.  That information, in the hands of
federal investigators, allows for the vetting of the keepers of the
national security kingdom.  But that same information – which may include
financial information, criminal history, psychological records, and
information about past drug use – can take on a decidedly more nefarious
tone in the hands of … well, the people who now have access to it.  But,
unlike credit card numbers or identity theft, the more granular OPM
information on individuals may pose a threat to employers as it could allow
the bad actor to ransom an individual’s sensitive information and his/her
reputation, in exchange for an employer’s trade secret, an open door, or
the simple act of plugging in a thumb drive.

According to DHS’ National Cybersecurity and Communications Integration
Center and the Federal Bureau of Investigation, an individual’s
“vulnerability to blackmail” is a key indicator in identifying if that
individual may pose an internal threat to his/her employer – be it the
Federal Government or a federal contractor.  The risk posed by that
individual can vary, but that variance is largely due to motivation.  For
example, while poor cyber-sanitation can lead to a significant, albeit
inadvertent, disclosure, imagine the harm that could be caused by an
irritated employee or – gulp – an angry, put-upon member of IT.  Companies
with formalized insider threat programs may be able to respond or address
these somewhat common – but no less difficult – scenarios.  But when
blackmail enters the arena, you get the worst of both worlds: you get an
educated and dedicated bad-actor directing the activity of an unassuming
and seemingly unassailable employee.  At the risk of stating the obvious,
it’s hard to see that coming and that is a “bad thing.”

What’s worse is that this “bad thing” is happening at a “bad time” for the
Government.  Back in November, this blog informed readers about DoD D
5205.16, National Insider Threat Policy and Minimum Standards for Executive
Branch Insider Threat Programs, DoD’s insider-threat program policy that
required components to issue respective insider-threat policies and
implementation plans.  However, according to a June 2015 GAO report, DoD is
dragging its anchor.  According to the investigation’s findings, while the
components assessed have begun implementing the six minimum standards
mandated in Executive Order 13587 to protect classified information and
systems, those same components “have not consistently incorporated all
recommended key elements.”  For example, the report states that only three
of the six components examined have “developed a baseline of normal
activity” for their component.  This is noteworthy because the development
of a baseline is not only a “key element” of an effective insider threat
identification and mitigation program, it is literally its foundation – you
can’t gauge when something looks odd if you don’t know what normal looks
like.  The GAO cited this (fundamental) shortcoming as the result of DoD’s
failure to “issue guidance that identifies recommended actions beyond the
minimum standards that components should take to enhance their
insider-threat programs.”  The GAO report goes on to suggest that DoD’s
efforts to assess its current insider threat programs and that of its
components fail to adequately analyze gaps or incorporate risk assessments
into its programs.  In sum, while DoD struggles to do only what is
minimally required of it, GAO found that “the department will not know
whether its capabilities to address insider threats are adequate and
address statutory requirements.”
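The GAO finding above turns on one practical point: a deviation is only detectable against a recorded baseline of normal activity. The following is an added illustration, not code from the article, the GAO report or any DoD program. It builds a per-user, per-metric baseline from a constructed ten-day history of daily counts (the metric names `files_read`, `usb_mounts` and `offhours_logins` and all numbers are invented for this example) and then scores a new day's counts as standard deviations above each user's own normal. The same raw figure (four removable-media mounts in a day) is flagged for one user and routine for another, and a user with no recorded history cannot be judged at all.

```python
"""Baseline-then-deviation check for insider-threat monitoring (illustrative only)."""
from statistics import mean, pstdev

# Constructed ten-day history of daily per-user counts. Invented sample data;
# the metric names are hypothetical and not taken from any real program.
HISTORY = {
    "alice": {
        "files_read":      [40, 38, 45, 41, 37, 44, 39, 42, 40, 43],
        "usb_mounts":      [0, 0, 1, 0, 0, 0, 0, 0, 1, 0],
        "offhours_logins": [0, 0, 0, 0, 1, 0, 0, 0, 0, 0],
    },
    "bob": {
        "files_read":      [120, 115, 130, 125, 118, 122, 128, 119, 124, 121],
        "usb_mounts":      [2, 1, 2, 3, 2, 1, 2, 2, 1, 2],
        "offhours_logins": [1, 0, 1, 1, 0, 1, 0, 1, 1, 0],
    },
}


def build_baseline(history, min_sigma=1.0):
    """Return {user: {metric: (mean, stddev)}} from the history.

    The standard deviation is floored at min_sigma so that a metric which is
    almost always zero still produces a finite, meaningful score instead of
    flagging every non-zero day as infinitely unusual.
    """
    baseline = {}
    for user, metrics in history.items():
        baseline[user] = {}
        for metric, values in metrics.items():
            baseline[user][metric] = (mean(values), max(pstdev(values), min_sigma))
    return baseline


def score_day(baseline, user, observed, threshold=3.0):
    """Score one day's counts for a user against that user's baseline.

    Returns a list of (metric, observed_value, z_score) for every metric that
    sits more than `threshold` standard deviations above the user's normal,
    or None when the user has no baseline, i.e. nothing to compare against.
    """
    if user not in baseline:
        return None
    flags = []
    for metric, (mu, sigma) in baseline[user].items():
        value = observed.get(metric, 0)
        z = (value - mu) / sigma
        if z > threshold:
            flags.append((metric, value, round(z, 1)))
    return flags


# Build the baseline once at import time so callers can reuse it.
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    # A constructed "new day": both users mount removable media four times,
    # and alice also reads ten times her usual number of files.
    today = {
        "alice": {"files_read": 400, "usb_mounts": 4, "offhours_logins": 0},
        "bob":   {"files_read": 125, "usb_mounts": 4, "offhours_logins": 1},
        "carol": {"files_read": 10, "usb_mounts": 0, "offhours_logins": 0},
    }
    for user, counts in today.items():
        result = score_day(BASELINE, user, counts)
        if result is None:
            print(f"{user}: no baseline recorded, cannot assess")
        else:
            print(f"{user}: {result or 'within normal range'}")
```

The threshold and the floor on the standard deviation are tuning choices; a real program would also baseline peer groups and seasonal patterns, but the structure is the same: record normal first, then measure distance from it.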

Federal contractors are sailing on stormy seas and should not share the
Government’s laissez-faire attitude toward insider threats – especially
now.  If a company has individuals with security clearances, it may be time
to reinforce and remind employees of the risks and obligations accompanying
their clearance.  This conversation, however, should not be accompanied by
saber rattling and pistol pointing; it should be an open discussion
intending to assuage fears and encourage individuals with a “vulnerability
to blackmail” to come forward should they find themselves at the end of a
plank, sword at their back.  The events at OPM serve as a reminder that
there are black flags on the horizon and we may not know the intended
target or plane of attack.  As a result, companies need to ensure all hands
are on deck with a unified mission to repel the invaders – from wherever
they may come.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
