Stung, White House orders rapid cybersecurity fixes
Agencies were told to scan systems and check logs for indicators of threats, patch critical vulnerabilities "without delay," as well as tighten policies and practices for privileged users, including minimizing the number of people in this category and limiting the duration a privileged user can be logged in.
The White House also wants to "dramatically accelerate implementation" of multi-factor authentication, and said intruders "can easily steal or guess" username and passwords. But requiring use of a personal identity verification (the government's name for its smart card), or some other means of multi-factor authentication can "significantly reduce the risk of adversaries."
This action follows the government's announcement earlier this month that personal data of approximately 4 million current and former federal employees was compromised in a breach of the Office of Personnel Management systems.
The security initiative, headed by Tony Scott, the U.S. CIO, was announced late Friday in memo, and included the creation of a "Cybersecurity Sprint Team" to lead a 30-day review of the government's cybersecurity policies, procedures and practices. Agencies will have to report on their progress by the end of this review period.
Alan Paller, director of research at the SANS Institute, said the government plan outlined an "excellent selection of priority actions," but included a flawed monitoring strategy "that will enable massive holes." The biggest problem is self-reported compliance. Agencies can report they are in compliance based on their own understanding or definition of what constitutes compliance, he said.
The government's action stressed a number of basic security measures, and Ken Westin, a senior security analyst at security firm Tripwire, said that "in government, as well as private industry, many overlook basic security controls." He said it's easy to get distracted by shiny new security tools.
"Many times these fundamentals can have a broader impact on an organization's security posture, so it is critical that new programs or tools are implemented on top of a mature set of layered security controls," said Westin.
There is no evidence so far that the stolen employee information was misused, according to OPM. But affected employees are eligible for 18 months of credit monitoring protection, as well as $1 million of identity theft insurance.