More details continue to emerge regarding the attack against the United States Office of Personnel Management (OPM). Some of the details aren't surprising, for instance that the number of affected employees has skyrocketed from 4 million to 18 million. It's not unusual for the count of victims to grow as an investigation continues. It also comes as no surprise that this attack potentially ties to last year's attack against KeyPoint Government Solutions. Sophisticated attacks are multi-staged and often start by targeting outside vendors and then move inward.
Though the number of victims may be shocking, at this point nothing about this attack or its scope will surprise me, for one simple reason: the attackers obtained administrative access to the network. To put it simply, this means all bets are off and the attackers can do anything they want on that network.
In the security world, we have a term we sometimes use to describe administrative compromises: “owned” (also written “0wn3d”). When we say a system or a network is “owned” by an attacker, we mean they have total, unfettered access and control. The attackers can do anything they want and the system or network is at their complete and total mercy.
If the reports are accurate in stating that the attackers achieved administrator access to the OPM network and systems, then that network has indeed been "owned." In that case, it doesn't matter whether records were encrypted or not, because on most systems administrators control the machines that hold the decryption keys and can, by design, read encrypted data. Unfortunately, any attempts to dislodge and eject the attackers from the network may not succeed, as they can use the administrative level of access to build unseen hiding places for themselves within the network: new privileged accounts, backdoored services, and altered logs that hide their tracks. This last point appears to be true in the OPM case, based on reports that the cybercriminals had been present on the network for more than a year.
We may never know the full scope or root cause of this event. But this event is shaping up to be another (painful) lesson in the damage that compromised administrative access to systems and networks can cause. It’s worth remembering the Snowden data breach also purportedly happened because he was able to compromise administrative access to systems.
The lesson for organizations is clear: Administrative access is dangerous in the wrong hands. The call to action is even clearer: Take time today to review who has administrative access to your network, and remove every account that does not strictly need it. Making this one simple change could be the difference between you controlling your system and a cybercriminal "owning" you.
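The review above is easy to say and easy to put off. As an added example (not code from the original post), the script below takes an export of privileged-group membership and compares it against an approved list, flagging members who should not be there, accounts that are disabled or have not logged on recently, and service accounts sitting in interactive admin groups. The export format (`group,account,last_logon,enabled`), the sample rows, the `svc` naming prefix for service accounts, and the audit date are all constructed assumptions for illustration; substitute the output of your own directory tooling.

```python
"""Audit privileged-group membership against an approved list (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample export: one member per line, "group,account,last_logon,enabled".
# Assumption: this is the shape your directory export tool produces. Not real data.
SAMPLE_EXPORT = """\
# group,account,last_logon,enabled
Domain Admins,alice.admin,2015-06-20,True
Domain Admins,bob,2015-06-19,True
Domain Admins,svc_backup,2014-01-10,True
Domain Admins,contractor7,2015-02-01,False
Enterprise Admins,alice.admin,2015-06-20,True
Schema Admins,old.dba,2013-11-30,True
"""

# Assumption: who is *supposed* to hold each privileged group. Empty set means
# the group should be empty until someone deliberately needs it.
APPROVED = {
    "Domain Admins": {"alice.admin"},
    "Enterprise Admins": {"alice.admin"},
    "Schema Admins": set(),
}

AUDIT_DATE = date(2015, 6, 25)       # constructed "today" so the run is reproducible
STALE_DAYS = 90                      # assumption: no logon in 90 days = stale admin
SERVICE_PREFIX = "svc"               # assumption: site naming convention for service accounts


@dataclass(frozen=True)
class Finding:
    group: str
    account: str
    reason: str


def parse_export(text):
    """Parse the CSV-style export into (group, account, last_logon, enabled) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, account, last_logon, enabled = (f.strip() for f in line.split(","))
        rows.append((group, account, date.fromisoformat(last_logon),
                     enabled.lower() == "true"))
    return rows


def audit(rows, approved, today, stale_days=STALE_DAYS):
    """Return one Finding per problem; a member can trigger several."""
    findings = []
    for group, account, last_logon, enabled in rows:
        if account not in approved.get(group, set()):
            findings.append(Finding(group, account, "not on approved list"))
        if not enabled:
            findings.append(Finding(group, account,
                                    "disabled account still holds membership"))
        if today - last_logon > timedelta(days=stale_days):
            findings.append(Finding(group, account, f"no logon in {stale_days} days"))
        if account.lower().startswith(SERVICE_PREFIX):
            findings.append(Finding(group, account,
                                    "service account in interactive admin group"))
    return findings


def memberships_to_remove(findings):
    """(group, account) pairs that are not approved: the concrete removal list."""
    return {(f.group, f.account) for f in findings if f.reason == "not on approved list"}


def run_audit():
    """Convenience entry point over the constructed sample."""
    return audit(parse_export(SAMPLE_EXPORT), APPROVED, AUDIT_DATE)


if __name__ == "__main__":
    results = run_audit()
    for f in results:
        print(f"{f.group:18} {f.account:14} {f.reason}")
    print(f"\n{len(memberships_to_remove(results))} memberships to remove")
```

Run it against a fresh export on a schedule, not once: the point of the OPM story is that an attacker with admin rights will add accounts and memberships of their own, so a diff between the approved list and today's reality is also a cheap persistence check.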
Please add your thoughts in the comments below or follow me on Twitter; @ChristopherBudd.