- A virtual hard drive for internal communications in secure federal IT environments containing classified, top-secret data marked NOFORN, meaning even friendly foreign governments can’t know its contents -- or supposedly can’t.
- Sensitive details on the Distributed Common Ground System - Army (DCGS-A), a battlefield intelligence platform, along with its “Red Disk” cloud auxiliary. (Here’s more on "Red Disk" via ZDNet)
“Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser. Although the UpGuard Cyber Risk Team has found and helped to secure multiple data exposures involving sensitive defense intelligence data, this is the first time that clearly classified information has been among the exposed data.”

Hammer aside for the moment, there are big questions: How did this happen? Considering the number of times the NSA has left its cyber security gates unguarded, could this one have been avoided?

“Given how simple the immediate solution to such an ill-conceived configuration is — simply update the S3 bucket’s permission settings to only allow authorized administrators access — the real question is, how can government agencies keep track of all their data and ensure they are correctly configured and secured?”

In other words, foundational security measures would have prevented this latest security embarrassment.

Why wasn’t data this highly sensitive properly secured?

Here’s one of UpGuard’s answers: Sloppy. “This cloud leak was entirely avoidable, likely result of process errors within an IT environment that lacked the procedures needed to ensure something as impactful as a data repository containing classified information not be left publicly accessible.”

And another: Consider third-party suppliers, in this case Invertix, which had accessed and worked on some of the exposed data. “Third-party vendor risk remains a silent killer for enterprise cyber resilience.” Or, transferring information to Invertix left INSCOM vulnerable to the “consequences of a breach, but without direct oversight of how the data is handled.”

Is there a solution? In the general sense, yes, according to UpGuard. Federal stakeholders, the security provider said, “must begin to regain control of their systems, reducing their complexity by gaining full visibility into the complex workings of the government’s cyber presence.”

More pointedly, take care of your business, please. The same failure to properly configure security controls besets enterprises, according to Carl Wright, security provider AttackIQ’s chief revenue officer, who formerly held down the CISO post for the U.S. Marine Corps. “The cost to validate your security controls is comparably infinitesimal compared to the cost of a data breach,” he said. “It is a disturbing state of IT and security management when the attackers are routinely able to find protection failures before corporate or government security teams.”
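
The control validation both vendors call for can be run as a routine check over every bucket an organization owns. The sketch below is an added example, not code from UpGuard, AttackIQ or this article. It assumes bucket records shaped like the S3 ACL, bucket policy and public access block responses, and the bucket names and sample records are constructed.

```python
import json

# Grantee group URIs S3 uses for "anyone" and "any AWS account holder".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/" + g
                 for g in ("AllUsers", "AuthenticatedUsers")}

def as_list(v):
    return v if isinstance(v, list) else [v]

def public_acl_grants(acl):
    """(group, permission) pairs in an ACL that grant access to a public group."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

def public_policy_statements(policy):
    """Labels of Allow statements whose Principal is a wildcard."""
    hits = []
    for i, st in enumerate(as_list(policy.get("Statement", []))):
        p = st.get("Principal")
        wild = p == "*" or (isinstance(p, dict) and "*" in as_list(p.get("AWS", [])))
        if st.get("Effect") == "Allow" and wild:
            label = st.get("Sid", f"statement[{i}]")
            # A Condition may or may not narrow access; flag it for human review.
            hits.append(label + (" (conditional, review)" if st.get("Condition") else ""))
    return hits

def audit(bucket):
    """Findings for one bucket record: 'acl', optional 'policy' (JSON text), 'block'."""
    block = bucket.get("block", {})
    findings = []
    if not block.get("IgnorePublicAcls"):       # setting neutralises public ACLs
        findings += [f"ACL grants {perm} to {grp}"
                     for grp, perm in public_acl_grants(bucket["acl"])]
    if bucket.get("policy") and not block.get("RestrictPublicBuckets"):
        findings += [f"policy {s} allows any principal"
                     for s in public_policy_statements(json.loads(bucket["policy"]))]
    return findings

# Constructed sample records (not data from the incident described above).
EXPOSED = {"name": "example-exposed-bucket", "block": {},
    "acl": {"Grants": [{"Grantee": {"Type": "Group",
        "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "PublicGet",
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-exposed-bucket/*"}]})}
LOCKED = dict(EXPOSED, name="example-locked-bucket",
              block={"IgnorePublicAcls": True, "RestrictPublicBuckets": True})
print(audit(EXPOSED), audit(LOCKED))
```

Run on a schedule against an inventory of all buckets, a non-empty result is the kind of protection failure the defender should find before anyone entering a URL into a browser does.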