SECURITY – sometimes difficult to define

Security

I received a letter from the U.S. Office of Personnel Management in Washington, D.C. recently. The OPM experienced a major security HACK, which they publicly admitted (thank you).  This breach of data  included, as I learned in the letter, details that were voluntarily provided and additional information from background investigations for thousands of security clearances, including mine (past life).

Anyone who has been involved in this aspect of working with the Federal Government knows that the higher the level of clearance, the more information required. This then needs to be verified (either through formal, feet on the street background investigations or the ever popular polygraph ).

polygraph

The bottom line – In my case – I am being provided credit monitoring, identity monitoring, identity theft insurance and identity restoration services, at no charge, for three years. I appreciate the Federal Governments action.

If you think about this breach, it has tremendous negative potential. In addition to the basics- name, social security number, place of birth, etc- they also have details on an individuals immediate family, business relationships, foreign travel, etc and admissions (again depending on the level of clearance) or revelations of intimate details of your personal life. So- this information could be used to identify and attempt to coerce or blackmail (reveal potentially damaging/embarrassing  information) someone in an influential role (industry or government). A pretty serious situation.

Hackers had the ability to penetrate secure, classified  government networks. We have to assume that there were policies/procedures in place and contractors tasked with securing these systems.

Until recently, 9-1-1 Centers (PSAPs), with their traditional analog phone line connectivity, have not been concerned with the type of ‘hacking’ or security issues normally associated with IP (internet protocol) networks. As we all know, this is changing.

Most of us have heard the terms firewall or encryption. In reality, we are going to require the expertise of our vendors and consultants to make sure that our information and system functionality is safe as we move to these IP based networks. There have been critical scenarios described, such as having an ‘event’ in a major city and the 9-1-1 system being totally disabled as part of the attack.

The challenge is, who really understands all of the aspects of security? Not unlike taking your car to be serviced. The mechanic basically has you at a disadvantage. You need to make a decision – should you trust him? We should not move into IP networks with this approach.  The individual, consultant or vendor we might ‘trust’ may candidly not really have an in depth knowledge of this very complex subject.

Make sure that your security advisor is aware of the following efforts:

National Institute of Standards and Technology:

Cybersecurity Framework

CSRC

NICE

Federal Communications Commission (FCC)

CSRIC