Kokopelli

Small Business Technology & Advice

Why You Need a Secure Office Network

Posted by on Jul 30, 2015

data-key-571156_1280            If you need a bad example of office network security, here it comes. The American parliament supervisory committee heard on Tuesday June 16 what Katherine Archuleta, director of the Office of Personnel Management (OPM), had to say about double theft of personal data which it has suffered- the extent of which remains as of yet undetermined. This is why it is so crucial to hire a trustworthy and competent IT support company to manage your business affairs.

For the president of the commission, MP Chaffetz, it is simple- Katherine Archuleta has “totally and completely failed” to achieve any goal of securing the information systems of OPM. Chaffetz emphasized that the warnings were not missed, including those coming from the Inspector General. “Incident after incident” led to the recommendation to close some systems last year, “and you, you’ve made the conscious decision to keep it open, to let vulnerable information be stolen.” To these warning, Archuleta replied that she did not see a concrete risk at the time. When asked if she could see the risk now, Katherine evaded the question, trying to defend herself by noting the age of the system and ensuring that they were “working to the best of our ability.” Unceremoniously Mulvanet answered, “that’s what frightens me, Mrs. Archuleta, that that’s the best of your ability.”

The problem of Obsolescence

The lack of encryption of certain data, starting with the Social Security numbers of US officials, seems to have particularly crystallized tensions. But Katherine Archuleta, SI OPM did not lend itself to the simple and rapid implementation of encryption. In addition, she said, the access rights obtained by the attackers would have allowed them to override this protection.

But the challenge currently facing the OPM, is broader than this single issue. And remember she took office 18 months ago, and although aware of security problems SI OPM, she presented a strategic modernization plan in February 2014. She said the system information, which she described as considerably dilapidated, is covered by 10 million confirmed intrusion attempts each month. Two have clearly succeeded. The fruit of “decades of neglect” has been recognized by some members of the commission.

This provides a more comprehensive look that Michael R. Esser, assistant inspector general, will find it hard to challenge. Indeed, in his statement, he recognized the progress made in the OPM in IT security since 2012. And to emphasize further the existence of an operational security center operating continuously, the OPM since 2014 also showed some improvement. But the office, however, has “not yet implemented a continuous monitoring program.” So for him, the evolution of the IT governance structure of OPM produced positive results, but “it appears that [the OPM office] continues to be negatively affected by years of governance of decentralized security” including the fact that a “technical infrastructure remains fragmented and thus by design difficult to protect.”

A question of Priorities

However negative for Katherine Archuleta, 21 systems out of 47 were to be audited before receiving authorization in 2014. For 11 of them, the final exam could not be finished in time. But they continued to operate without validation. A point at which the boss’s office responded with another priority: pay retirees their pensions, among others. But for Michael R. Esser, another critical point appears: of the 11 systems concerned that “count by the most critical and sensitive applications of the agency”; two of them “are support systems that are home to several major applications; over 65% of all systems operated by OPM rely on one of these two support systems. ” And if the OPM has deployed new security tools for the inspector general, “all these tools are not used to their full capacity.” Configuration flaws that prevent, for example, the analysis of some servers looking for malicious activity.

In addition, the office is equipped with a system of information management and security events (SIEM) “but at the time of our report Fisma 2014, this tool was collecting data on 80% of major IT systems OPM “. Worse, the office seems unable to really know its computer -“we have also determined that the OPM does not maintain a centralized and updated inventory of all servers and databases in its network.”