SOP
I work for a small local government and pretty much everything the GAO recommended is standard operating procedure for us. It isn't rocket surgery people.
More than three years after suffering one of the largest cyber-attacks in US government history, the Office of Personnel Management has yet to adopt dozens of the security measures investigators ordered – including basic stuff like changing passwords. A report issued this week by Government Accountability Office (GAO) …
The smaller the network and fewer the users, the easier it is to implement procedures like this. Not excusing OPM's lack of action, but they are facing orders of magnitude more difficulty implementing and coordinating a project to do this across their whole network than you face in your network - the "server room" of which probably fits in a broom closet.
@Jack: OPM also gathers the basic SF86 information for DoD (military contractor) clearances on behalf of DSS (Defense Security Service).
(I'm sure this is public info but I'm going AC anyway.)
EDIT: I see you commented on that lawsuit-dismissal article from last year, and given your tone I guess you already knew what I said about DoD/DSS (but others might not). Sorry to bother you.
Shame the GAO can't put its own house in order before it prattles on about everybody else's.
Here's a mail to which I'm yet to see any response:
Date: Wed, 10 Oct 2018 16:47:11 +0100 (BST)
From: G.W. Haywood <gwh@jubileegroup.co.uk>
To: chaplainc@gao.gov, youngc1@gao.gov
Subject: Security issue with your DNS records.
Good afternoon from England,
A recent report about a GAO publication (GAO-19-128) prompted me to
look into some aspects of the GAO's own IT infrastructure.
My first investigation took no more than a few minutes and immediately
highlighted a security-related issue.
As you can imagine I am reluctant to send such information in a plain
text email, if you would like to know more please get in touch with me
with the telephone number of a senior administrator for me to call.
Kind regards,
G.W. Haywood, BSc (1st hons), CEng, MIET, MRIN.
In the OPM breach *everyone* who had a clearance, such as Secret, Top Secret, etc., had tons of personal information stolen. So who gets a Secret or Top Secret clearance? Try all US spies from the CIA, NSA, and all of the other three-letter-acronym agencies. The investigations that go on before granting a Secret or above clearance include interviewing neighbors, friends, classmates from way back when, and the list goes on. Of course the obvious info that we use for online banking, such as mother's maiden name, your full Social Security number, the town where you were born, etc., is up for sale on the darknet.
I had a Secret Clearance for work in a non-defense but sensitive-info agency. I am still getting hit by credential stuffing attacks, twice last week! In fact credential stuffing is now one of the top threats in the U.S. Add to that the Equifax breach and multiple Facebook data thefts and we are all screwed.
Believe me, if you were one of the OPM victims, the battle to protect what's left of your personal identity is a never ending pain in the butt. We need privacy laws with legal recourse. I recommend that breaches due to having anything less than standard security measures should be treated like medical malpractice lawsuits. Let Facebook and Equifax get hit with $50 billion in damages going to individual victims and companies would immediately change their negligent behaviors.
US gov seems to be quite good at leaking secrets, according to
https://www.nytimes.com/2018/11/16/us/politics/julian-assange-indictment-wikileaks.html
which (eventually) links to https://pacer-documents.s3.amazonaws.com/179/399086/18919235200.pdf (152kb pdf),
which says stuff like /secret indictment/ /sealed criminal complaint/ /state of Virginia/
and stuff like ~ sealing is necessary because Mr Assange is a sophisticated defendant, with this case attracting high publicity, and he shouldn't know about his secret arrest warrant, so that he can't avoid arrest and extradition ~
Secret stuff is hard!