RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

From: Larry Medina <[log in to unmask]>
Sender: Records Management Program <[log in to unmask]>
Reply-To: Records Management Program <[log in to unmask]>
Date: Tue, 16 Jun 2015 13:44:13 -0700

On Mon, Jun 15, 2015 at 3:55 PM, PeterK <[log in to unmask]> wrote:

> The IG noted that OPM wasn't even sure of what it had on its network. "OPM
> does not maintain a comprehensive inventory of servers, databases, and
> network devices. In addition, we are unable to independently attest that
> OPM has a mature vulnerability scanning program." There was no multi-factor
> authentication for users accessing systems from outside OPM. So if
> someone's credentials were stolen, an attacker could use them from outside
> to get access to just about anything.
>

As one of the "impacted parties" by this massive kerfuffle, I can tell you
the notification system is no better than the initial 'protection'.

All we've been told is:

"...you've been identified as a potentially impacted party, but we are
UNABLE TO TELL YOU WHAT ASPECTS of your information MAY HAVE BEEN
EXPOSED..."

The comment above about a lack of multi-factor authentication was one of
the first issues I raised when we were notified there was "more to come"
about the breach.... and rest assured, NOTHING HAS BEEN DONE to apply any
authentication after the fact either.

But the part that CHAPS MY HIDE?!?!?!!?  The volume of information that has
been maintained on the active servers and there being NO EXCUSES as to WHY
that volume of information was maintained on active servers, with nothing
moved off-line or near-line to other servers.

All of us in the Agency I work with are required to submit an extensive
amount of information when we apply for an INITIAL Federal Credential ("Fed
Cred"), and depending on your security level, the amount of information
provided gets MUCH MORE DETAILED regarding your family members, marital
status, financial and work history, etc.   All Agencies have differing
levels of information required... but none of them stop with basic info...
they ALL require you to "peel the onion" pretty far back.

BUT... that said, EVERY Agency sends their employees through
re-investigations periodically (ours is every 5 years) and the OPM had
stored EVERY SET OF DATA from the initial investigation up to the current
info on ALL EMPLOYEES and CONTRACTORS on the same active use servers !!!!

The only info they need when re-evaluating or looking for data on employees
is the MOST CURRENT data... So, WHY would they go through the expense of
maintaining ALL of that data on active servers?  Retired, deceased, no
longer Federally employed, past information was ALL exposed.

And it was done at OUR expense, as will be the 18 months of credit monitoring
services being offered. And this isn't the 'lower level' package of
protection...  https://www.csid.com/OPM/ ...which includes $1,000,000 of
Identity Theft Insurance.

The OPM (Office of Purloined Materials) will be licking their wounds for
a long time over this one.

-- 
Larry
[log in to unmask]



---- Lawrence J. Medina, Danville, CA, RIM Professional since 1972

List archives at http://lists.ufl.edu/archives/recmgmt-l.html