[BreachExchange] US Navy breach highlights third-party cyber risk

Inga Goddijn inga at riskbasedsecurity.com
Fri Nov 25 09:51:39 EST 2016


http://www.computerweekly.com/news/450403530/US-Navy-breach-highlights-third-party-cyber-risk

A data breach at the US Navy linked to the compromise of a laptop belonging
to an employee of Hewlett Packard Enterprise (HPE) has highlighted the
cyber risk posed by contractors.

Despite a growing list of cyber breaches that involve the exploitation of
security weaknesses in suppliers to targeted organisations, security
experts say security within supply chains is still widely overlooked.

The US Navy said an investigation revealed that the social security numbers
and names of 134,386 current and former sailors had been accessed by
“unknown individuals”.

The investigation was carried out after HPE notified the Navy on 27 October
2016 that a laptop belonging to an employee supporting a Navy contract had
been compromised.

The US Navy did not say whether the laptop had been hacked or simply lost
and subsequently used to access its IT systems.

“The Navy takes this incident extremely seriously. This is a matter of
trust for our sailors,” said chief of naval personnel vice-admiral Robert
Burke.

“We are in the early stages of investigating and are working quickly to
identify and take care of those affected by this breach,” he said in a
statement <http://www.navy.mil/submit/display.asp?story_id=97820>.

The US Navy said those affected by the breach would be notified by phone,
letter and email, and that it is working to provide further details on what
happened.

The US Navy also said it is “reviewing credit-monitoring service options”
for affected sailors but, at this stage of the investigation, there is “no
evidence to suggest misuse of the information” that was compromised.

“The security and privacy of our clients is a top priority for HPE,” the
company said in a statement.

“This event has been reported to the Navy and because this is an ongoing
investigation, HPE will not be commenting further out of respect for the
privacy of Navy personnel.”

The breach shows that IT departments are under increasing pressure to
support untrusted and unmanaged endpoints of their external partners to
allow access to their internal systems and data, said Jon Fielding,
managing director for Europe at hardware-encrypted USB drive maker Apricorn
<https://www.apricorn.com/>.

“Most will deem direct access too risky, for reasons evidenced by the US
Navy breach, and block access altogether,” he said.

One costly alternative is to equip the third party with their own hardware
and trusted image for the duration of the need for access.

Another option is to provide limited access through remote desktop browser
plug-ins, but Fielding said this can be “user unfriendly”, and requires the
user to be online all of the time.

Apricorn is among the suppliers offering a third option of deploying the
organisation’s trusted and secure image to a USB stick for the third party
to boot into from their own hardware.

“In the case of the US Navy, it could have ensured the HPE employee’s local
C: drive was offline, and turned previously unknown and unmanaged hardware
into a trusted and managed endpoint with all the controls and standard
security protocols of an IT-issued machine,” said Fielding. “This would
protect their data, and the USB stick could be hardware encrypted for
further protection.”

Supplier security linked to past data breaches

Several high-profile data breaches in the past few years have been linked
to failings in the security of suppliers to targeted organisations.

These include the malware-laced phishing emails sent to an air-conditioning
supplier to US retailer Target in 2013, and contractor PA Consulting losing
the details of 84,000 prisoners on an unencrypted memory stick in 2008.

The theft of credit and debit card data at 330 stores owned by Goodwill
Industries International across 19 US states between February 2013 and
August 2014 was linked to malware on the IT systems of a third-party
supplier.

Also in 2014, US retailer Home Depot said it had traced the world’s
second-largest theft of credit card details from its systems back to a
supplier’s compromised username and password.

In June 2011, security giant RSA acknowledged for the first time that
intruders had launched a cyber attack at Lockheed Martin using data stolen
from the company.

And in July 2016, Wendy’s fast-food chain revealed that cyber attackers
used compromised third-party credentials to install malware at 20% of its
US stores to steal customer credit card details.