<div dir="ltr"><p><a href="http://www.computerweekly.com/news/450403530/US-Navy-breach-highlights-third-party-cyber-risk">http://www.computerweekly.com/news/450403530/US-Navy-breach-highlights-third-party-cyber-risk</a></p>
<p>A data breach at the US Navy linked to the compromise of a laptop
belonging to an employee of Hewlett Packard Enterprise (HPE) has
highlighted the cyber risk posed by contractors.</p>
<p>Despite a growing list of cyber breaches that involve the exploitation of security weaknesses in the suppliers of targeted organisations, security experts say security within supply chains is still widely overlooked.</p>
<p>The US Navy said an investigation revealed that the social security
numbers and names of 134,386 current and former sailors had been
accessed by “unknown individuals”.</p>
<p>The investigation was carried out after HPE notified the Navy on 27
October 2016 that a laptop belonging to an employee supporting a Navy
contract had been compromised.</p>
<p>The US Navy did not say whether the laptop had been hacked or simply lost and subsequently used to access its IT systems.</p>
<p>“The Navy takes this incident extremely seriously. This is a matter
of trust for our sailors,” said chief of naval personnel vice-admiral
Robert Burke.</p>
<p>“We are in the early stages of investigating and are working quickly
to identify and take care of those affected by this breach,” he said in a
<a href="http://www.navy.mil/submit/display.asp?story_id=97820">statement</a>.</p>
<p>The US Navy said those affected by the breach would be notified by
phone, letter and email, and that it is working to provide further
details on what happened.</p>
<p>The US Navy also said it is “reviewing credit-monitoring service
options” for affected sailors but, at this stage of the investigation,
there is “no evidence to suggest misuse of the information” that was
compromised.</p>
<p>“The security and privacy of our clients is a top priority for HPE,” the company said in a statement.</p>
<p>“This event has been reported to the Navy and because this is an
ongoing investigation, HPE will not be commenting further out of respect
for the privacy of Navy personnel.”</p>
<p>The breach shows that IT departments are under increasing pressure to
support untrusted and unmanaged endpoints of their external partners to
allow access to their internal systems and data, said Jon Fielding,
managing director for Europe at hardware-encrypted USB drive maker <a href="https://www.apricorn.com/">Apricorn</a>.</p>
<p>“Most will deem direct access too risky, for reasons evidenced by the US Navy breach, and block access altogether,” he said.</p>
<p>One costly alternative is to equip the third party with their own
hardware and trusted image for the duration of the need for access.</p>
<p>Another option is to provide limited access through remote desktop
browser plug-ins, but Fielding said this can be “user unfriendly”, and
requires the user to be online all of the time.</p>
<p>Apricorn is among the suppliers offering a third option of deploying
the organisation’s trusted and secure image to a USB stick for the third
party to boot into from their own hardware.</p>
<p>“In the case of the US Navy, it could have ensured the HPE employee’s
local C: drive was offline, and turned previously unknown and unmanaged
hardware into a trusted and managed endpoint with all the controls and
standard security protocols of an IT-issued machine,” said Fielding.
“This would protect their data, and the USB stick could be hardware
encrypted for further protection.”</p>
<h3 class="gmail-section-title">Supplier security linked to past data breaches</h3>
<p>Several high-profile data breaches in the past few years have been
linked to failings in the security of suppliers to targeted
organisations.</p>
<p>These include the malware-laced phishing emails sent to an air-conditioning supplier to US retailer Target in 2013, and contractor PA Consulting losing the details of 84,000 prisoners on an unencrypted memory stick in 2008.</p>
<p>The theft of credit and debit card data at 330 stores owned by Goodwill Industries International across 19 US states between February 2013 and August 2014 was linked to malware on the IT systems of a third-party supplier.</p>
<p>Also in 2014, US retailer Home Depot said
it had traced the world’s second-largest theft of credit card details
from its systems back to a supplier’s compromised username and password.</p>
<p>In June 2011, security giant RSA acknowledged for the first time that intruders had launched a cyber attack at Lockheed Martin using data stolen from the company.</p>
<p>And in July 2016, Wendy’s fast-food chain revealed that cyber attackers used compromised third-party credentials to install malware at 20% of its US stores to steal customer credit card details.</p></div>