OPM Response to Breach: Block Employee Use of Gmail, Facebook, and other Web Resources. Did they go too far?

Source: Nick Hogg - Clearswift, National Journal, and Federal Times


According to National Journal, “The Office of Personnel Management announced last week that the personal data for 21.5 million people had been stolen. But for national security professionals and cybersecurity experts, the more troubling issue is the theft of 1.1 million fingerprints.” In fact, the publication quotes a former NSA official as saying that the pilfering of 1.1 million fingerprints is “probably the biggest counterintelligence threat in my lifetime.”

While the US government, security professionals and the media speculate on the intended use of the fingerprints and on the dangers beginning to unfold with the vastly expanding use of biometric data, it was a bit of a shock to see that one of OPM's first (possibly knee-jerk) reactions to the breach was to block Gmail, Facebook and other personal websites for its employees, when newer web security technologies are available to prevent the loss of sensitive and inappropriate data through these common web platforms.

OPM’s immediate clampdown on its employees’ use of the web was described by the Federal Times as follows: “OPM employees in the office Thursday discovered they were unable to log on to their personal email accounts or surf social media sites. The apparent change in policy came abruptly, with no prior communication from OPM leaders, employees said.” The paper went on to report: “‘Out of caution, and in light of the recent breaches, OPM has recently tightened restrictions on Internet access using web security technology,’ an OPM spokesperson said Thursday, suggesting there might be more to come.”

Data security and DLP experts would not fault OPM for taking cautionary measures in the heat of the moment, but would encourage it, and organizations in its position, to explore integrated web security and data loss prevention technologies that balance the need for social collaboration and interaction with the need to protect critical information (see the white paper Collaboration without Compromise). Simply blocking personal webmail and social media sites can reduce the risk of compromise, but it can’t be the whole story. Legitimate websites are often compromised to host spyware precisely because they are a common and trusted watering hole for the attacker’s targets, so a web security policy needs to treat all sites with suspicion until their content and any downloads have been deep-scanned to prove they contain no malware or DLP threats. Structural sanitization is a key weapon here: it detects and removes active content such as macros and scripts inside documents or HTML, reducing the risk of employees unknowingly installing spyware, especially when the attack uses an emergent threat that traditional anti-virus defenses will miss. And once these more advanced web security policies and sanitization technologies are in place, why not extend them to personal webmail and social media to enable collaboration?
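The structural sanitization step described above, shown as an added example rather than code from the original post or from Clearswift: the HTML pass re-emits markup without script-type elements, event-handler attributes, javascript: URLs or comments, and the OOXML pass rebuilds a docx/xlsx/pptx container without its VBA parts and without the manifest entries that point at them. The sample page and the minimal macro-enabled container are constructed for the example, and the regex handling of the manifest XML is a simplification.

```python
"""Structural sanitization: strip active content from HTML and Office files
instead of trying to recognise each piece of malware by signature. Added
example, not Clearswift's code; the sample markup and container are constructed."""
import html
import io
import re
import zipfile
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}  # dropped whole
URL_ATTRS = {"href", "src", "action", "formaction"}              # javascript: would run here
JS_SCHEME = re.compile(r"^\s*javascript:", re.IGNORECASE)


class HTMLSanitizer(HTMLParser):
    """Re-emits the markup minus scripts, event handlers and script URLs."""
    def __init__(self):
        super().__init__()        # convert_charrefs=True: text arrives decoded
        self.out, self.removed, self.skip_depth = [], [], 0
    def _attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:   # the parser lower-cases attribute names
            if name.startswith("on") or (name in URL_ATTRS and value and JS_SCHEME.match(value)):
                self.removed.append(f"{tag}@{name}")
            elif value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(kept)
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.skip_depth += 1      # swallow the element and everything inside it
            self.removed.append(tag)
        elif not self.skip_depth:
            self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")
    def handle_startendtag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.removed.append(tag)
        elif not self.skip_depth:
            self.out.append(f"<{tag}{self._attrs(tag, attrs)}/>")
    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))
    def handle_comment(self, data):
        pass                          # comments carry nothing the reader needs; drop them
    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def sanitize_html(markup):
    """Return (clean_markup, list of removed items) for an audit trail."""
    p = HTMLSanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out), p.removed


# OOXML is a zip; VBA lives in dedicated parts that the manifests reference. Remove
# both, or Office reports the file as corrupt. Regexes suffice for this illustration.
MACRO_PART = re.compile(r"vbaProject\.bin$|vbaData\.xml$", re.IGNORECASE)
MANIFEST_REF = re.compile(rb'<(?:Override|Relationship)\b[^>]*(?:PartName|Target)='
                          rb'"[^"]*vba(?:Project\.bin|Data\.xml)"[^>]*/>', re.IGNORECASE)


def strip_ooxml_macros(blob):
    """Return (clean_container_bytes, removed_part_names)."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if MACRO_PART.search(info.filename):
                removed.append(info.filename)
                continue
            data = src.read(info.filename)
            if info.filename == "[Content_Types].xml" or info.filename.endswith(".rels"):
                data = MANIFEST_REF.sub(b"", data)
            dst.writestr(info.filename, data)
    return out.getvalue(), removed


SAMPLE_HTML = (  # constructed page
    '<!DOCTYPE html><html><body onload="init()"><h1>Quarterly report &amp; notes</h1>'
    '<script>trackVisitor()</script><a href="javascript:void(0)">click</a>'
    '<a href="https://example.invalid/report">report</a><img src="logo.png"/>'
    '<!-- <script>x()</script> --></body></html>')


def sample_container():
    """Constructed minimal macro-enabled container (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<Types><Override PartName="/word/document.xml" ContentType="x"/>'
                   '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        z.writestr("word/_rels/document.xml.rels", '<Relationships><Relationship Id="rId1" Type="http://schemas.'
                   'microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>')
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"placeholder, not a real VBA project")
    return buf.getvalue()


def clean_sample_container():
    """Sanitize the sample; return (remaining parts, remaining manifest text, removed parts)."""
    clean, removed = strip_ooxml_macros(sample_container())
    with zipfile.ZipFile(io.BytesIO(clean)) as z:
        return z.namelist(), z.read("[Content_Types].xml") + z.read("word/_rels/document.xml.rels"), removed
```

The design point is that nothing here tries to decide whether a given script or macro is malicious: the output is rebuilt from the parts known to be inert, which is why an emergent threat with no signature is removed just as readily as a known one. The `removed` lists give the gateway something to log and to show on an inform page.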

Here are a few more practical best practices and technologies that can be integrated immediately within a new or existing web security infrastructure, so that IT security leaders are seen as enablers rather than strictly enforcers:
1. Allow access to Web 2.0 sites (Facebook, LinkedIn, Twitter, YouTube, etc.), but only to the content and features specified by your policy. For example, allow access to YouTube for training videos but limit access to additional channels, or allow reviewing Facebook posts but turn off Chat.
2. Leverage deep content inspection to enable risk-free social media communications: recognize the difference between an innocent Tweet and a potentially damaging one.
3. Define time-of-day and time-quota policies for selected websites to limit access.
4. Deploy context-aware scanning to detect and prevent users from uploading restricted information and images.
5. Enable acceptable-usage ‘inform’ pages to highlight that individual web usage is being monitored and is subject to company policy.
6. Combine ‘content’- and ‘context’-aware policies to dramatically reduce the opportunity for false positives, so that an efficient data loss prevention strategy needs fewer resources to manage.
7. Take advantage of full HTTPS inspection and analysis to see inside encrypted traffic, to prevent both malware and outbound leaks of sensitive data.
8. Sanitize messages and documents sent by personal email (Gmail, Yahoo, etc.) to remove ‘hidden’ information.
9. Ensure regulatory compliance is maintained and prevent the leak of critical information by receiving feeds from existing databases, as well as standard templates and dictionaries of common terms that may indicate a communication contains sensitive data.
10. Enhance your web security environment with Adaptive Redaction functionality, which allows content to be dynamically modified to make it ‘safe’ rather than having to stop and block the collaboration.
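Items 3, 4, 5, 6 and 10 above combined into one small policy engine, as an added example that is not Clearswift's product logic: a time-of-day window for social sites, content detection by pattern and by dictionary, a context rule that lets the same content pass to an approved internal site (the false positive that content-only scanning would raise), an inform flag for monitored categories, and adaptive redaction that rewrites an identifier instead of blocking the whole post. The detectors, site categories, permitted hours and sample requests are all constructed.

```python
"""Content + context web DLP policy with adaptive redaction and time-of-day
windows. Added example for the list above; detectors, categories, hours and
sample traffic are constructed, not Clearswift's."""
import re
from dataclasses import dataclass, field
from datetime import time

# Content detectors (constructed): an identifier shape and a term dictionary.
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
RESTRICTED_TERMS = {"sf-86", "clearance adjudication"}

# Context (constructed policy): when social sites may be used, and which
# categories get the acceptable-usage 'inform' page.
SOCIAL_WINDOWS = [(time(12, 0), time(14, 0)), (time(17, 30), time(23, 59))]
INFORM_CATEGORIES = {"social", "webmail"}


@dataclass
class WebRequest:
    site: str
    category: str      # "social", "webmail", "corporate", ...
    direction: str     # "upload" (post, attachment) or "download"
    when: time
    text: str = ""


@dataclass
class Decision:
    action: str                         # "allow", "block" or "redact"
    reasons: list = field(default_factory=list)
    text: str = ""                      # the content as it will actually leave
    inform: bool = False                # show the usage-monitoring page


def in_window(t, windows):
    return any(start <= t <= end for start, end in windows)


def scan(text):
    """Content detection: identifiers by pattern, terms by dictionary."""
    ids = SSN.findall(text)
    terms = sorted(term for term in RESTRICTED_TERMS if term in text.lower())
    return ids, terms


def redact(text):
    """Adaptive redaction: neutralise the identifier and let the post through."""
    return SSN.sub("[REDACTED]", text)


def evaluate(req):
    inform = req.category in INFORM_CATEGORIES
    # Context 1: the time-of-day policy for social sites applies regardless of content.
    if req.category == "social" and not in_window(req.when, SOCIAL_WINDOWS):
        return Decision("block", ["social media outside permitted hours"], inform=inform)
    # Context 2: only outbound content can leak; downloads are another policy's job.
    if req.direction != "upload":
        return Decision("allow", text=req.text, inform=inform)
    ids, terms = scan(req.text)
    # Context 3: the same content to an approved internal site is not a leak. This is
    # the false positive that combining content with context removes.
    if req.category == "corporate":
        reasons = ["sensitive content to approved internal site"] if (ids or terms) else []
        return Decision("allow", reasons, req.text, inform)
    if terms:   # dictionary hit: no safe rewrite exists, so block
        return Decision("block", [f"restricted term: {t}" for t in terms], inform=inform)
    if ids:     # pattern hit: rewrite instead of blocking the collaboration
        return Decision("redact", [f"{len(ids)} identifier(s) redacted"], redact(req.text), inform)
    return Decision("allow", text=req.text, inform=inform)


SAMPLES = [  # constructed traffic
    WebRequest("twitter.com", "social", "upload", time(13, 0), "Great team lunch today!"),
    WebRequest("facebook.com", "social", "download", time(10, 0)),
    WebRequest("mail.google.com", "webmail", "upload", time(10, 0), "My SSN is 123-45-6789"),
    WebRequest("hr.corp.example", "corporate", "upload", time(10, 0), "My SSN is 123-45-6789"),
    WebRequest("mail.google.com", "webmail", "upload", time(10, 0), "Attaching the SF-86 draft"),
]


def run_samples():
    return [evaluate(r) for r in SAMPLES]


if __name__ == "__main__":
    for req, d in zip(SAMPLES, run_samples()):
        print(f"{req.site:18} {d.action:6} inform={d.inform} {d.reasons} {d.text!r}")
```

Note the ordering: context checks run before any content scan, so a request that is outside hours or not outbound never pays for deep inspection, and the corporate rule returns "allow" with a reason rather than silently, so the event is still visible to the security team without generating a block.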

While most traditional web gateways and proxy servers already deployed can help with basic access control, blocking, filtering and web usage administration, they fall short of the comprehensive and integrated approach to web security and data loss prevention that is now available. This doesn’t mean a complete rip-and-replace of an organization’s existing web security infrastructure is required: through ICAP integration, a number of deployed solutions can be upgraded with the adaptive data loss prevention and web security enhancements above in an extremely short period of time.
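What an ICAP integration actually exchanges, as an added example that is not part of the original post and not the code of any particular gateway: the proxy wraps the client's outbound HTTP request in a REQMOD message (RFC 3507 framing: chunked body, `Encapsulated` byte offsets) and then acts on the service's answer, where 204 means "send the original unchanged" and 200 carries a modified request. The service host name, the sample upload and the sample responses are constructed; treating any other status as a block is this example's own fail-closed choice, not something the protocol mandates.

```python
"""ICAP REQMOD framing (RFC 3507): how an existing proxy hands an outbound request
to a DLP/sanitization service and applies the answer. Added example; the host name
and the messages are constructed, and the fail-closed rule is an assumption."""
import re

ICAP_HOST = "icap.example.invalid"   # assumed address of the DLP service


def chunk(body):
    """HTTP chunked encoding, which ICAP requires for encapsulated bodies."""
    return (f"{len(body):x}\r\n".encode() + body + b"\r\n" if body else b"") + b"0\r\n\r\n"


def dechunk(data):
    out, pos = [], 0
    while True:
        nl = data.index(b"\r\n", pos)
        size = int(data[pos:nl].split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return b"".join(out)
        out.append(data[nl + 2:nl + 2 + size])
        pos = nl + 2 + size + 2


def build_reqmod(http_request):
    """Wrap a client's HTTP request; Encapsulated gives the byte offset of each section."""
    head, _, body = http_request.partition(b"\r\n\r\n")
    req_hdr = head + b"\r\n\r\n"
    if body:
        enc, payload = f"req-hdr=0, req-body={len(req_hdr)}", req_hdr + chunk(body)
    else:
        enc, payload = f"req-hdr=0, null-body={len(req_hdr)}", req_hdr
    icap_head = (f"REQMOD icap://{ICAP_HOST}/reqmod ICAP/1.0\r\nHost: {ICAP_HOST}\r\n"
                 f"Encapsulated: {enc}\r\n\r\n")
    return icap_head.encode() + payload


def parse_icap(raw):
    """Split an ICAP message into (start_line, headers, encapsulated_payload)."""
    head, _, payload = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, payload


def decapsulate(headers, payload):
    """Rebuild the HTTP request carried in a 200 response, with a fresh Content-Length."""
    offsets = {k: int(v) for k, v in re.findall(r"([a-z-]+)=(\d+)", headers["encapsulated"])}
    if "req-body" in offsets:
        http_head = payload[offsets["req-hdr"]:offsets["req-body"]]
        body = dechunk(payload[offsets["req-body"]:])
    else:
        http_head, body = payload[offsets["req-hdr"]:offsets["null-body"]], b""
    head = re.sub(rb"(?im)^content-length:[^\r\n]*\r\n", b"", http_head.rstrip(b"\r\n") + b"\r\n")
    if body:
        head += f"Content-Length: {len(body)}\r\n".encode()
    return head + b"\r\n" + body


def gateway_forward(original, icap_response):
    """What the proxy sends upstream. 204: the original unchanged; 200: the modified
    request; anything else: None, i.e. fail closed (this example's policy choice)."""
    start, headers, payload = parse_icap(icap_response)
    status = int(start.split(" ")[1])
    if status == 204:
        return original
    if status == 200:
        return decapsulate(headers, payload)
    return None


# Constructed exchange: a webmail upload that the service rewrote.
ORIGINAL = (b"POST /upload HTTP/1.1\r\nHost: www.example.invalid\r\n"
            b"Content-Length: 21\r\n\r\nMy SSN is 123-45-6789")
MODIFIED_HEAD = b"POST /upload HTTP/1.1\r\nHost: www.example.invalid\r\nContent-Length: 21\r\n\r\n"
RESPONSE_200 = ((f'ICAP/1.0 200 OK\r\nISTag: "example-tag-1"\r\n'
                 f"Encapsulated: req-hdr=0, req-body={len(MODIFIED_HEAD)}\r\n\r\n").encode()
                + MODIFIED_HEAD + chunk(b"My SSN is [REDACTED]"))
RESPONSE_204 = b'ICAP/1.0 204 No Content\r\nISTag: "example-tag-1"\r\n\r\n'
RESPONSE_500 = b"ICAP/1.0 500 Server Error\r\n\r\n"

if __name__ == "__main__":
    print(build_reqmod(ORIGINAL).decode())
    for resp in (RESPONSE_204, RESPONSE_200, RESPONSE_500):
        print(gateway_forward(ORIGINAL, resp))
```

The proxy's job stays small: frame, hand off, and act on the status code. That is why an ICAP-capable gateway can gain sanitization or adaptive redaction from a separate service without its own request handling being rewritten.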