Fragen? Antworten! Siehe auch: Alternativlos
House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and OPM Chief Information Officer Donna Seymour, "You failed utterly and totally." He referred to OPM's own inspector general reports and hammered Seymour in particular for the 11 major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM's own IT department. "They were in your office, which is a horrible example to be setting," Chaffetz told Seymour.
„Was ist denn das da unter dem Schreibtisch?“ „Das ist der Datenbank-Server“Oh und wie kamen die Angreifer rein?
the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering.
Und das Amt hatte keine Multifaktor-Authentisierung.Wie kam es denn dazu, dass die Zustände da so schlimm sind?
Until recently, federal agents carried out background investigations for OPM. Then Congress cut the budget for investigations, and they were outsourced to USIS, which, as one person familiar with OPM's investigation process told Ars, was essentially a company made up of "some OPM people who quit the agency and started up USIS on a shoestring." When USIS was breached and most of its data (if not all of it) was stolen, the company lost its government contracts and was replaced by KeyPoint¿"a bunch of people on an even thinner shoestring. Now if you get investigated, it's by a person with a personal Gmail account because the company that does the investigation literally has no IT infrastructure. And this Gmail account is not one of those where a company contracts with Google for business services. It is a personal Gmail account."
Das wäre eigentlich alles toller Stoff für eine Stand-Up Comedy.Aber wartet, wird noch besser!
A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root.
Tja, so ist das halt, wenn man an die billigsten Anbieter outsourced. Da kommt man dann halt gewöhnlich mittel- oder unmittelbar im Ausland raus. (Danke, Ewald)