This paper is in response to the June 2015 reported data breach of the Office of Personnel Management (OPM), presumably by the Chinese Government. The breach infiltrated millions of employee records including social security numbers and background check information. The motive was thought to be obtaining information for possible recruitment or blackmail. The OPM at the time and to this day has no encryption measures in place. The security has deemed to be lax for years. This paper recommends best practices and encryption to thwart future attacks. It explains symmetric versus asymmetric encryption and provides a recommendation for this agency.
Keywords: (encryption, symmetric, asymmetric)
Organizational breaches are so common now that most people have been compromised at least once. Gone are the days when system security was solely the domain of the IT department. Employees now have the responsibility of becoming security aware and using due diligence when it comes to organizational information.
It was announced in June 2015 that the Office of Personnel Management(OPM), a US Government agency’s data was hacked presumably in an attack that was backed by the Chinese Government (Mazmanian, 2015). Over 4 million personnel files were compromised including social security numbers. It was recommended that the Government update outdated systems and implement encryption to deter any future attacks. This paper supports that position.
Encryption is a way of keeping unauthorized entities from accessing electronic communications. There are two forms of encryption: symmetric and asymmetric (Hall, 2016).
Symmetric encryption uses the same key to lock and unlock the message. The key is called a secret key. This key is applied to the text of the message that alters the content in a specific way. This can be done by shifting the letters by a number of places in the alphabet. A password will provide access to the key. However, using this key over the internet can increase the probability of it being intercepted as anyone who knows the secret key can decrypt the message.
Asymmetric encryption, on the other hand, uses two keys - a pair (public key and secret key). The public key is readily available to anyone who wants to send a message. Whereas, the secret key is private so that only the receiver knows it and thus can decrypt the message.
In order to use asymmetric encryption a digital certificate must be employed. The certificate contains information on the organization as well as the public key. When someone wants to use encrypted communication, a query is sent over the network to the other party and a copy of the certificate is received. Thus, the public key can be extracted from the certificate.
Encryption has its weaknesses. The weaknesses involve the cipher or algorithm. It’s supposed to generate a random string of gibberish but instead produces output with a discernible pattern. This can be intercepted and cracked.
Another issue is when the algorithm generates predictable patterns of characters in response to repetitious, predictable input.
Always use a strong password, especially for encrypted communications. Use a long password as in 16 characters or more. Brute force technology has advanced. Don’t use word derivatives such as “10ve”. Brute force dictionaries can be permutation-driven. If a weak password is used to provide access to the encryption key, then it could render the encryption useless.
Never use the same password twice. Doing so makes your password only as secure as the least secure of the accounts. If one of your accounts is compromised and the password on that account is used on multiple accounts, then all of the accounts are compromised.
Use a password manager. A password manager such as PWSafe and Twofish, securely stores passwords for all of your accounts. Some password managers support the use of cloud storage for encryption databases. If using such a manager, make sure your master password for the database is strong.
A breached system can cause havoc on any organization, however, the data for some industries is a bit more sensitive than others overall. For example, health care and the government are inherently sensitive in terms of data. Yet, many of the employees of health care and government organizations may not be very security aware. Implementing best practices in organizations such as health care (Alanazi et al., 2015) and government is imperative to public privacy.
In response to the attack in June 2015, all of the above practices should be implemented including hardware and software updates. It is important to keep software and hardware updated so that systems are compatible with technological upgrades that could enhance security. Many Government agencies upgrade systems on a specific timeframe such as every three years. The recommendation would be to upgrade systems at least every year and a half as technology updates occur rapidly. This will help ensure the reliability and resilience of the systems used by employees.
When organizations are prone to lax security policies, breaches are systemic. Not having strong systems security in place is similar to leaving the doors unlocked when the building is unoccupied. According to sources, OPM has been lax in security measures for a long time indicating a systemic breach: (“OPM Breach Exposes Agency's Systemic Security Woes.”, 2015).
OPM is not the first government agency to experience a breach. NASA was recently compromised by the use of social engineering to elicit the security credentials of a third party contractor(“NASA Suffers Data Security Breach.”, 2016). The FDIC was hacked on at least 3 occasions. The DNC’s hacking caused confidential emails to be leaked for public consumption. (Martin. 2016).
Whether due to size, bureaucracy, or both it is clear that the US government is not as strong when it comes to security as it could be.
The OPM attack could have been thwarted if encryption was in place. Asymmetric encryption would be the preferred method as the secret key would not be published or shared. In addition, the use of best practices would also help circumvent social engineering or similar leaks.
Alanazi HO, Zaidan AA, Zaidan BB, Kiah MLM, Al-Bakri SH. Meeting the Security Requirements of Electronic Medical Records in the ERA of High-Speed Computing. Journal of Medical Systems 2015;39(1)
Eysenbach, G., MD, Powell, J., MSc, Kuss, O., PHD, & Sa, E., MS. (n.d.). Empirical Studies Assessing the Quality of Health Information for Consumers on the World Wide Web. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.15.2721&rep=rep1&type=pdf
Mazmanian, A. (2016, May 13). OPM's sensitive data on feds still not encrypted. https://fcw.com/articles/2016/05/13/opm-encryption-legacy.aspx
Martin, A. (2016, July 25). This US Government Agency’s Cover-Up May Have Hindered US Cybersecurity. http://dailysignal.com/2016/07/25/this-government-agencys-cover-up-may-have-hindered-us-cybersecurity/
(2016, February 08). NASA Suffers Data Security Breach. https://www.globaldatasentinel.com/the-latest/data-security-news/nasa-suffers-data-security-breach/
OPM Breach Exposes Agency's Systemic Security Woes. (n.d.). http://www.darkreading.com/vulnerabilities---threats/opm-breach-exposes-agencys-systemic-security-woes/d/d-id/1320794
Hall, J. (2016, March 03). Center for Democracy & Technology | Keeping the Internet Open, Innovative and Free. https://cdt.org/insight/issue-brief-a-backdoor-to-encryption-for-government-surveillance/