Advertisement

NSA: No zero-days were used in any high profile breaches over last 24 months

Over the last 24 months, the National Security Agency has been involved in incident response and mitigation efforts for “all the high profile incidents you’ve read about in the Washington Post and New York Times,” said Curtis Dukes, deputy national manager of security systems within the NSA’s information assurance directorate.
Christiaan Colen / Flickr

Over the last 24 months, the National Security Agency has been involved in incident response and mitigation efforts for “all the high-profile incidents you’ve read about in the Washington Post and New York Times,” said Curtis Dukes, deputy national manager of security systems within the NSA.

The one common characteristic shared between these incidents, said Dukes, was hackers were using relatively simply techniques — like spear phishing, water-holing and USB drive delivery — rather than zero-day exploits to launch successful attacks.

“In the last 24 months, not one zero-day has been used in these high profile intrusions,” Dukes said Thursday during the Federal Cybersecurity Summit presented by Hewlett Packard Enterprise and produced by Fedscoop.

“The fundamental problem we faced in every one of those incidents was poor cyber hygiene,” Dukes explained, “when you walk in the door to do incident response and the first thing you ask for is ‘Can you give me a diagram of your network?’ And they can’t produce that. Well, we’ve got a problem.”

Advertisement

In each of the mentioned cases, the adversaries were able to take advantage of poorly patched and managed systems, Dukes said.

Though it remains unclear exactly which incidents Dukes spoke to, some of the largest breaches in 2015 and 2016 have included medical insurers Anthem and CareFirst.

Publicly disclosed for the first time in February 2015, the cyberattack on Anthem, one of the U.S.’s largest healthcare insurers, caused 80 million patient records to be compromised. Those digital records contained sensitive information like Social Security numbers, birthdays, addresses, email and other employment information belonging to Anthem customers and employees.

At the time, private sector security researchers believed that the hackers were able to infiltrate Anthem’s networks by using a “sophisticated malicious software program that gave them access to the login credential of an Anthem employee,” the New York Times reported.

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts