OPM, National Guard Breaches Highlight Challenges In Securing Third-Party Contractors

As the dust begins to settle from a series of serious, but unrelated, recent breaches at the government's Office of Personnel Management and the Army National Guard, experts say they hope the events will shine much-needed attention on security challenges around third-party contractors.

The cause for the two breaches that hit the Office of Personnel Management (OPM) this year, with one affecting 4.2 million and the other 21.5 million federal workers, remains unclear, with some reports citing Chinese hacker involvement. However, what was clear was that both incidents were related to relationships with third-party contractors that had experienced earlier breaches -- U.S. Investigation Services and KeyPoint Government Solutions. It is believed that security credentials from those breaches were used to later infiltrate OPM computer systems.

More recently, the Army National Guard was hit by a breach that affected all current members and all former members since 2004. The breach was due to a contract employee inadvertently transferring files to a non-accredited data center.

[Related: The 10 Coolest Security Startups Of 2015 (So Far)]

Security experts said these most recent breaches, combined with other high-profile contactor-related breaches such as Target, highlight the need for more stringent security measures around third-party contractors.

"I don't think this is a terrible surprise that something like this would happen," said Ken Levine, president and CEO of Waltham, Mass.-based vendor Digital Guardian. "I think it certainly shows that as government agencies and even corporations, they have suppliers, they have third parties all the time handling sensitive data, and if they don't have some automated processes in place to control the flow of data then things like this will happen."

While they are technically outside parties, Guy Mordecai, director of product management at San Francisco-based vendor Fortscale, said these threats should be viewed as part of a growing insider threat problem, the large majority of which involve privilege abuse.

"That's a huge problem," Mordecai told CRN. "The key or the primary threat vehicle behind the most famous attacks we've seen in the last couple of years end up relating to the risk of insiders and the problem with misused credentials."

As a result, Mordecai said he is starting to see the topic of insider threats and third-party contractors come up in more conversations with customers, especially around the idea of privilege management.

"In almost every sales call that we have with prospects, they acknowledge right away that they are willing to solve [insider threats], but it is a green field. ... Everyone acknowledges that they have or they have on their work plan an insider threat mitigation program," Mordecai said. "I would say that everyone acknowledges that there is a problem."

David Lucky, product management team leader at Jersey City, N.J.-based solution provider Datapipe, said he also has seen the breaches drive attention to the insider threat challenge, especially within the past 12 months or so.

"We get more inquiries around it," Lucky said. "I would [say these breaches] are certainly a major factor. People read about these breaches and ask how would that work with our solution? Have we developed a strategy that would protect us in this scenario or that scenario that we see in the news?"

Lucky said the challenge dovetails with the growing concerns around cloud security, as cloud sprawl and distributed development create challenges around governance and control.

"I think with third parties some of the same controls are needed to dynamically and quickly address access, and revoking that access when necessary," Lucky said.

To fight the problem, security experts said businesses should make sure their policy, governance and control systems are up to snuff and evaluate options around automation in those areas. Around that, Lucky said companies also should look into expanding two-factor authentication and role-based controls, which provide a "second layer" of control based on what information a person should have access to based on their role in the organization.

Fortscale's Mordecai also suggested companies expand their anomaly detection capabilities. Especially with third-party contractors that have very defined roles in the organization, he said anomaly detection is a good way to pinpoint when a contractor is stepping beyond where it should, such as the HVAC vendor in the Target breach accessing the point-of-sale systems.

Finally, Digital Guardian's Levine suggested implementing more data protection technologies, such as encryption, so that even if an insider threat problem emerges, the data will be protected.

"When we get to the point where we've tried everything and we've emptied our arsenal, then I'll throw up my hands. But, now we're not," Levine said. "We're spending too much money on network protection. It's a part of it, but let's also start getting to the lowest point on the network and start protecting from the inside out."

PUBLISHED JULY 16, 2015