Oh no, not again? Yes, again, seemingly for the umpteenth time (it’s five at least), it's another National Security Agency (NSA) mess, and an apparently avoidable one at that. Some 100 gigabytes of classified files together belonging to the NSA Defense Department Command and the U.S. Army Intelligence and Security Command (INSCOM) somehow showed up online for anyone to see. INSCOM is a joint NSA and Army operation to gather intelligence for U.S. military and high-ranking politicians.
In late September, UpGuard security researcher Chris Vickery discovered an unguarded cache of INSCOM documents sitting on an Amazon Web Services S3 storage server somehow set for public access. Anyone knowing the URL could see the entirety of the cloud storage contents. And, what was left open to the public is no joke -- internal data and virtual systems used for classified communications.
Here’s what UpGuard found:
- A virtual hard drive for internal communications in secure federal IT environments containing classified, top-secret data marked NOFORN, meaning even friendly foreign governments can’t know its contents -- or supposedly can’t.
- Sensitive details on the Distributed Common Ground System - Army (DCGS-A), a battlefield intelligence platform, along with its “Red Disk” cloud auxiliary. (Here’s more on "Red Disk" via ZDNet)
In total, Vickery found 50 files, 47 of which he could see, with the other three downloadable, the latter of which contained highly sensitive national security data. The data bucket also included private keys used for distributed intelligence systems belonging to the defense contractor Invertix working with INSCOM. And let’s not forget the enclosed hashed passwords for hackers to decode.
The discovery prompted harsh words from UpGuard in a blog post: “INSCOM’s web presence provides troubling indications of gaps in their cybersecurity - exemplified by the presence of classified data within this publicly accessible data repository."
But here’s where UpGuard brings down the well-deserved hammer on INSCOM:
“Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser. Although the UpGuard Cyber Risk Team has found and helped to secure multiple data exposures involving sensitive defense intelligence data, this is the first time that clearly classified information has been among the exposed data.”
Hammer aside for the moment, there are big questions:
How did this happen? Considering the number of times the NSA has left its cyber security gates unguarded, could this one have been avoided?
“Given how simple the immediate solution to such an ill-conceived configuration is — simply updated the S3 bucket’s permission settings to only allow authorized administrators access — the real question is, how can government agencies keep track of all their data and ensure they are correctly configured and secured?”
In other words, foundational security measures would have prevented this latest security embarrassment.
Why wasn’t data this highly sensitive properly secured?
Here’s one of UpGuard’s answers: Sloppy. “This cloud leak was entirely avoidable, likely result of process errors within an IT environment that lacked the procedures needed to ensure something as impactful as a data repository containing classified information not be left publicly accessible.”
And another: Consider third-party suppliers, in this case Invertix, which had accessed and worked on some of the exposed data. “Third-party vendor risk remains a silent killer for enterprise cyber resilience.” Or, transferring information to Infertix left INSCOM vulnerable to the “consequences of a breach, but without direct oversight of how the data is handled.”
Is there a solution? In the general sense, yes, according to UpGuard. Federal stakeholders, the security provider said, “must begin to regain control of their systems, reducing their complexity by gaining full visibility into the complex workings of the government’s cyber presence.”
More pointedly, take care of your business, please. The same failure to properly configure security controls besets enterprises, according to Carl Wright, security provider AttackIQ’s chief revenue officer, who formerly held down the CISO post for the U.S. Marine Corp. “The cost to validate your security controls is comparably infinitesimal compared to the cost of a data breach,” he said. “It is a disturbing state of IT and security management when the attackers are routinely able to find protection failures before corporate or government security teams.”