There is a lot of speculation about the OPM breach and many guesses about how the attackers gained access to the corporate network. You may be surprised to hear that it almost doesn’t matter. What would change if we found out that the attack started with SQL injection, with malware sent by email, or with any other vulnerability? Almost nothing. There are millions of ways attackers can get access to a corporate network, and it’s nearly impossible to prevent them all.
What’s really important is how we secure our most critical assets. Attackers are looking for data, and data is stored in various enterprise business applications. In the OPM breach, it was likely the HR system. We don’t know what platform OPM runs, but judging by information about other departments, it is either PeopleSoft or in-house developed software. There was news about critical vulnerabilities in PeopleSoft recently. Also, at least 5 proven attacks against PeopleSoft systems have been covered in the media since 2010.
As mentioned before, PeopleSoft is not the only system OPM may be using; it could be SAP or any other. Moreover, an attacker can get the data not from the system itself but, for example, from a backup, so OPM’s HR system may not have been the direct target of the attack. Again, it doesn’t matter. What we really should care about is that enterprise business applications (such as HR, ERP, CRM, SRM, and others), which store and process business-critical data, are the most important parts of a company’s infrastructure and, surprisingly, the weakest ones.
Every month SAP and Oracle, the largest business application vendors, release 30-50 patches for their software. It is difficult for system administrators to keep their systems secure by implementing each and every patch, because doing so stops business processes. Moreover, ERP systems are highly customized and complex. And, as we know, complexity kills security.