The hackers who were able to steal data on millions of people from Office of Personnel Management files apparently got the credentials they needed to get into those files from an earlier breach of KeyPoint Government Solutions, according to OPM officials.
The degree of damage from that breach is still being calculated, but is certainly going to be enormous. The tactic that the hackers used is one that experts warn is becoming more widely used. It is essentially a high-level corollary to identity theft, in which the cyber-criminal gains the credentials needed to unlock the target system or systems.
Administrators usually have access to all the data and services that run on the systems they manage. That means an attacker with an administrator-level credential has the keys to the vault, so to speak. However, Defense Department officials at the Joint Information Environment are trying a different approach: attribute-based access control.
Put simply, ABAC means that a system user has access only to the data and services they need to do their work, as defined by their role within the organization.
"ABAC will enable the Army to dynamically determine access to enterprise resources by evaluating multiple attributes such as security clearance levels, location, organization, sub-organization or type of personnel," said Gary Blohm, director of the Army Information Center. "Full utilization of ABAC will enable the Army and other services to ensure the right people have the right information, at the right time for the right reasons across the DoD enterprise."
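The contrast between an all-powerful administrator credential and an attribute-based decision can be sketched as follows. This is an added illustration, not code from any DoD or Army system; the attribute names, clearance ordering, resource and sample users are constructed assumptions based on the attributes named above.

```python
from dataclasses import dataclass

# Clearance levels ordered lowest to highest (constructed for this example).
CLEARANCE = {"unclassified": 0, "secret": 1, "top_secret": 2}

@dataclass(frozen=True)
class Subject:
    user: str
    clearance: str
    location: str
    organization: str
    personnel_type: str
    is_admin: bool = False

@dataclass(frozen=True)
class Resource:
    name: str
    min_clearance: str
    allowed_locations: frozenset
    owning_organization: str
    allowed_personnel_types: frozenset

def role_only_decision(subject, resource):
    """Baseline: holding an administrator credential opens every resource."""
    return subject.is_admin

def abac_decision(subject, resource):
    """Default deny: every attribute must match. Returns (allowed, failed_attributes)."""
    checks = {
        "clearance": CLEARANCE.get(subject.clearance, -1) >= CLEARANCE[resource.min_clearance],
        "location": subject.location in resource.allowed_locations,
        "organization": subject.organization == resource.owning_organization,
        "personnel_type": subject.personnel_type in resource.allowed_personnel_types,
    }
    failed = sorted(name for name, ok in checks.items() if not ok)
    return (not failed, failed)  # the failed list is what an audit log would record

# Constructed sample data: one resource, one legitimate user, one stolen admin login.
RECORDS = Resource("personnel-records", "secret", frozenset({"on_premises"}),
                   "hr", frozenset({"civilian", "military"}))
ANALYST = Subject("analyst1", "secret", "on_premises", "hr", "civilian")
STOLEN_ADMIN = Subject("contractor-admin", "unclassified", "remote",
                       "it_operations", "contractor", is_admin=True)

if __name__ == "__main__":
    for s in (ANALYST, STOLEN_ADMIN):
        print(s.user, role_only_decision(s, RECORDS), abac_decision(s, RECORDS))
```

Under the role-only check the stolen administrator login reaches the records; under the attribute check it is denied, and the list of failed attributes gives defenders a signal to alert on.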