NSA: No zero-days were used in any high profile breaches over last 24 months
Over the last 24 months, the National Security Agency has been involved in incident response and mitigation efforts for “all the high-profile incidents you’ve read about in the Washington Post and New York Times,” said Curtis Dukes, deputy national manager of security systems within the NSA.
The one common characteristic shared between these incidents, said Dukes, was hackers were using relatively simply techniques — like spear phishing, water-holing and USB drive delivery — rather than zero-day exploits to launch successful attacks.
“In the last 24 months, not one zero-day has been used in these high profile intrusions,” Dukes said Thursday during the Federal Cybersecurity Summit presented by Hewlett Packard Enterprise and produced by Fedscoop.
“The fundamental problem we faced in every one of those incidents was poor cyber hygiene,” Dukes explained, “when you walk in the door to do incident response and the first thing you ask for is ‘Can you give me a diagram of your network?’ And they can’t produce that. Well, we’ve got a problem.”
In each of the mentioned cases, the adversaries were able to take advantage of poorly patched and managed systems, Dukes said.
Though it remains unclear exactly which incidents Dukes spoke to, some of the largest breaches in 2015 and 2016 have included medical insurers Anthem and CareFirst.
Publicly disclosed for the first time in February 2015, the cyberattack on Anthem, one of the U.S.’s largest healthcare insurers, caused 80 million patient records to be compromised. Those digital records contained sensitive information like Social Security numbers, birthdays, addresses, email and other employment information belonging to Anthem customers and employees.
At the time, private sector security researchers believed that the hackers were able to infiltrate Anthem’s networks by using a “sophisticated malicious software program that gave them access to the login credential of an Anthem employee,” the New York Times reported.