Less Than Zero (Trust): Learning the Lessons of OPM and WADA
A House Oversight Report Suggests the Zero Trust Model for Government Networks. What does that mean? And will it work?
The news this week is all about leaked medical histories for some of the globe’s most recognized athletes, including tennis greats Venus and Serena Williams and Simone Biles, the stratospheric gymnast who walked away from the recent Rio Olympic Games with 4 gold medals and a bronze.
Hackers using the handle Guccifer 2.0 released sensitive medical information about the three U.S. athletes, including the exemptions they had received from WADA for needed medications – in Biles’ case, a drug used to treat Attention Deficit Hyperactivity Disorder (ADHD). The leak was an apparent effort to discredit the athletes, who had all followed proper WADA procedures for obtaining exemptions for needed medications, the agency said.
Details from a recent report by the House Oversight Committee on the 2014 hack of the Office of Personnel Management share some important similarities with what we know about the hack of the World Anti-Doping Agency. Chief among them: the risk to security posed by third parties and contractors.
As detailed in the recently released report on the OPM breach by the House Oversight and Government Reform Committee, it was a compromise of an OPM contractor, KeyPoint, that ultimately gave hackers access to a treasure trove of classified information. Among it: personnel and fingerprint files and background investigations used to grant security clearances. KeyPoint had been hired to carry out background investigations on behalf of OPM.
Similarly, WADA has said it believes that hackers gained access to its Anti-Doping Administration and Management System (ADAMS) through an account created by the International Olympic Committee for the Rio Games. And, of course, there are plenty of examples of data breaches with links to third-party contractors and technology providers, from the attack on Target Stores to a string of attacks against hotel chains linked to vulnerable point-of-sale systems.
What’s the takeaway? For the authors of the House Oversight Committee report, one lesson is that The Perimeter Has Fallen!!! (To use the language of Hollywood.) That shouldn’t be a surprise. Information security professionals have known for a long time that the notion of an impervious network perimeter with “insiders” and “outsiders” was flawed – that networks were porous, especially in an age of mobile workers and complex links between contractors and external software and services providers. The reality today is that almost any adversary can become an "insider" – whether an employee or contractor given legitimate access or an external attacker that has compromised one of those accounts – and the concept of insider threat protection must broaden to protect against a far wider range of threat actors than in the traditional thinking.
But the recommendations from the House Committee go a step further than the conventional wisdom about “defense in depth” or warnings about porous network borders. Government agencies including OPM should “reprioritize federal information security efforts toward zero trust,” the Committee said, in addition to modernizing federal information technology systems, improving recruitment of talent and finding and empowering agency CIOs who know their stuff.
The “zero trust” idea is an intriguing one. Put forward by the analyst firm Forrester Research, the concept has been gaining attention as The Obama Administration, NIST and others have encouraged a re-think of government cyber security practices.
Zero Trust would entail a realignment of information security throughout the U.S. government to pay far closer attention to the behavior of individuals on the network – regardless of their credentials and right to be there. In other words: “stop trusting packets as if they were people,” to use Forrester’s language.
What would that mean practically? Agencies that adopted a Zero Trust model would eliminate the (artificial) barrier between a trusted network (usually an organization’s internal network) and an untrusted network (the Internet or an external, third party network). In Zero Trust, “all network traffic is untrusted.”
There would be far greater use of encryption and encrypted tunnels to send data into, out of and across protected networks and far greater use of strict access controls pared down to the minimum permissions needed for any particular user and application (“user least privilege”). Attackers like “Fancy Bear” (believed responsible for the attacks on the Democratic National Committee and the Hillary Clinton Campaign, among others) typically compromise and exploit the accounts of domain administrators and other privileged users to move laterally on networks, steal data and maintain a foothold. Least privilege policies reduce the number of possible targets for those types of attacks. The old information security mantra of “trust but verify” is replaced with “verify, but never trust.”
Finally, Zero Trust would demand far greater attention to internal network activity through deeper inspection and logging of data flows. Rather than simply passively monitoring that traffic, Zero Trust environments expect administrators to actively manage it: noticing anomalies in real time and taking action to thwart anomalous events using network analysis and visibility (NAV) tools. Forrester lists among these: network discovery tools for finding and tracking assets, flow data analysis tools that can analyze traffic patterns and user behavior, packet capture and analysis tools that function like a network DVR, network metadata analysis tools that provide streamlined packet analysis, and network forensics tools to assist with incident response and criminal investigations.
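To make the two preceding principles concrete, here is an added illustration (not from the article, Forrester or any agency) of a "verify, never trust" access decision that ignores network location and enforces per-user least privilege, paired with a simple flow-data check that flags an account fanning out across more internal hosts than its role needs. All identities, resources and flow records are constructed for the example.

```python
"""Constructed zero-trust sketch: identity plus explicit grant decide access
(network location never earns trust), and flow records are reviewed for
lateral-movement-style fan-out. Names and records are illustrative only."""
from collections import defaultdict
from dataclasses import dataclass

# Least-privilege grants: (principal, resource) -> allowed actions.
# A contractor account doing background checks gets only what that job needs.
GRANTS = {
    ("contractor:bg-check-svc", "investigations-db"): {"read", "write"},
    ("employee:analyst", "investigations-db"): {"read"},
    ("employee:analyst", "hr-portal"): {"read"},
}

@dataclass(frozen=True)
class Request:
    principal: str   # authenticated identity; empty string = unauthenticated
    resource: str
    action: str
    source_net: str  # "internal" or "external"; recorded, never used to grant

def decide(req: Request) -> tuple[bool, str]:
    """Zero-trust check: requires identity and an explicit least-privilege
    grant for this action; an 'internal' source address changes nothing."""
    if not req.principal:
        return False, "unauthenticated"
    allowed = GRANTS.get((req.principal, req.resource), set())
    if req.action not in allowed:
        return False, "no least-privilege grant"
    return True, "granted"

def lateral_movement_suspects(flows, max_hosts=3):
    """Flow-data heuristic: a principal reaching more distinct internal hosts
    than max_hosts is returned for review, with the hosts it touched."""
    hosts = defaultdict(set)
    for principal, dst_host in flows:
        hosts[principal].add(dst_host)
    return {p: sorted(h) for p, h in hosts.items() if len(h) > max_hosts}

# Constructed flow log: one contractor account touching six internal hosts,
# one employee touching a single portal.
FLOWS = [("contractor:bg-check-svc", "investigations-db")] + [
    ("contractor:bg-check-svc", f"srv-{i}") for i in range(1, 6)
] + [("employee:analyst", "hr-portal")]

if __name__ == "__main__":
    print(decide(Request("", "investigations-db", "read", "internal")))
    print(lateral_movement_suspects(FLOWS))
```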
Zero Trust isn’t a call to start from scratch. But don’t be fooled: it’s not Baby Aspirin either.
“To rethink the network requires a willingness to set aside preconceived notions about what the network should be and think about what the network could be,” Forrester writes. “We need to build networks from the inside out: Start with the system resources and data repositories that we need to protect as well as the places where we need to be compliant, and then build a network out from that.”
We’ll see what happens with the recommendations. The federal government is a beast with many heads, and even the House report blurred its clear-eyed technical recommendations with a lot of conspiratorial language about OPM’s actions before, during and after the breach. The net effect is to make incompetence seem calculated.
Given the scope of the changes recommended, OPM and other federal agencies will need Congress in their corner – not punching them in the center of the ring – if they want to tackle the challenges ahead.