The US Navy is warning more than 130,000 sailors of a data breach, after a laptop belonging to an employee of Navy contractor Hewlett Packard Enterprise Co. was compromised. Navy officials have determined that sensitive information, including the names and Social Security numbers of both current and former sailors, was accessed by unknown individuals. IT security experts from Alert Logic and Apricorn commented below.
Richard Cassidy, Technical Director EMEA at Alert Logic:
“Unfortunately this case compounds the fact that over 2/3rds of organisations breached discover so via a 3rd party. It’s very disappointing when a 3rd party compromise leads to a data loss at the expense of another business or organisation, however, it highlights the stark reality of how complex the challenge remains with respect to security challenges. This particular data loss represents a very serious breach, specifically for the individuals’ data compromised and the resultant risk this poses to each of them.
“We are starting to see a shift to a world where “trust modelling” will become critically important and data assets shared between parties will be based on trust value and trust chains. This is to say that critical data will flow between fewer users/systems or between systems/users where trust values are high, given exceptional data protection mechanisms and historical evidence of consistent security enablement.
“In this particular breach, questions have to be raised as to why such key data was resident on a mobile device in the first instance and more importantly how was the data accessed in today’s age of exceptional encryption and protection functions within the OS and applications housing that data. It certainly raises the point to all organisations on ensuring an effective data at rest encryption and protection framework and considering where critical assets should reside or can be accessed from; especially when dealing with military data.”
Jon Fielding, Managing Director EMEA at Apricorn:
“The US Navy breach simply highlights how IT departments are now under increasing pressure to support the untrusted and unmanaged end points of their external partners to allow access to their internal systems and data.
“Most will deem direct access to be too risky, for reasons evidenced here, and block access altogether. Instead they equip the 3rd party with their own hardware and trusted image for the duration of the need for access. This however is costly. Others will provide limited access through remote desktop browser plug-ins which can be user unfriendly and require the user to be online all of the time.
“IT departments should be considering the “PC on a stick” concept to deploy their trusted and secure image to a USB stick for the 3rd party to boot into from their own hardware. In the case of the US Navy they could then have ensured the HP employee’s local c: drive was offline, and turned previously unknown and unmanaged hardware into a trusted and managed end point with all the controls and standard security protocols of an IT issued machine to protect their data. Further, the USB stick could be hardware encrypted for further protection.”