We see many speculations on OPM breach and different guesses how attackers were able to get access to the corporate network. You'll be surprised if we say that it almost doesn't matter. What will change if we find out that the attack started by using SQL Injection, or Malware sent by email or by any other vulnerability? Almost nothing. There are millions of ways how attackers can get access to corporate network, and it's nearly impossible to prevent them all.
What's really important is how we secure our most critical assets. Attackers are looking for data, and data are stored in different enterprise business applications. As for OPM breach, it was likely to be HR system. We don't know what kind of platform is implemented in OPM, but taking into account information about other departments, it is either PeopleSoft or an in-house developed software. There was news about critical vulnerabilities in PeopleSoft recently. Also, at least 5 proven attacks against PeopleSoft systems have been covered in media since 2010.
As mentioned before, PeopleSoft is not the only system that can be used by OPM, it may be SAP or any other. Moreover, an attacker can get the data not from the system itself, but, for example, from backup. So that, OPM's HR system may not have been the direct target of the attack. Again, it doesn't matter. What we really should care about is that enterprise business applications (such as HR, ERP, CRM, SRM, and others) which store and process business-critical data are the most important parts of company's infrastructure and, surprisingly, they are the weakest ones.
Every month SAP and Oracle, the largest business applications vendors, release 30-50 patches for their software. It is difficult for system administrators to keep their systems secure by implementing each and every patch, as it stops business processes. Moreover, ERP systems are highly customized and complex. And, as we know, complexity kills security.
So, what do we have right now?
Some of those attacks include exploitation of vulnerabilities in SAP Systems (such as attack on
Frequently asked questions
What's the next step?
One may be taking next step right now. Hackers attack not only government but commercial sector and steal their data. The number of these breaches will be growing until we realize that the core systems are very weak and start to secure them.What are the lessons for those in HR who are tasked with protecting such data?
They should work closer with CISOs and security department to help them present potential risks to management. It will be very helpful for CISOs, as in most cases they know what to do, but they need a budget for this purpose. So they need to prove that risks are real.Is it prudent to keep sensitive data trapped in systems vulnerable to hacking?
Every system can be hacked, but, unfortunately, complex mission-critical systems can be hacked easily. Of course, we can try to write down all data on papers and store them in a safe, but it's hard to imagine this out-of-date scenario. The only way to solve the problem is to secure our mission-critical systems such as HR, Finance, ERP, CRM, etc.Is there anything can HR/IT professionals can do to thwart these attacks?
Check how secure your mission-critical systems are (public guides such as eas-sec.org, our Security Guides can help you to solve this task), or ask experts to analyze security systems by penetration testing or vulnerability assessment first. Depending on the results, you should implement patches to close vulnerabilities, configure systems properly, and analyze critical events such as security logs, and don't forget to do this regularly. Unfortunately, continuous checks require a lot of work, so it may be an option to implement special tools to do it automatically. If you decide to hire a third-party security company, notice, that it should be experienced in Business application security and know specific problems in this area.