
Point of View: Federal Personnel Data Breach


Government agencies are in serious danger from cyber threats. While many have a continuous network security program in place, most have spent very little time securing their applications. We are going to continue to see breaches of government agencies… at least the ones they choose to disclose.

I was offended to see the Obama administration comment, “The administration has never advocated that all intrusions be made public.” Breach visibility and transparency are critical to getting in front of our security issues. I thought the Obama administration shared this belief as well. Yet apparently when it’s their agencies getting hacked, they aren’t quite as quick to push for disclosure. Time to eat your own dogfood, executive branch.

I’ll just grade the disclosure… Overall I think it was a D/D+. They came off as belligerent, didn’t acknowledge their fault in the breach, and provided very few details. How about the people whose sensitive information was in the e-QIP database, including me? What am I supposed to do now?

  • Tone – F, not at all apologetic for their role in the breach
  • Timeline – C, some details, but 3 months is way too long to disclose
  • Scope – D, still investigating, unclear if control was lost
  • Size – B, they seem sure; I am unconvinced
  • Root Cause – F, no details whatsoever about defenses or attacks
  • Discovery – C, seems their IDS detected it
  • Remedy – F, none, not even credit monitoring?
  • Future – F, no details about what measures are being taken to prevent future breaches
  • Blame – F, immediately blaming China with no public proof. Attribution takes a LONG time.
  • Oddities – F, if the IDS detected the attack, how were they able to complete the exploit? Something is screwy here.

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.