In late November, cybersecurity firm UpGuard made a startling disclosure. Critical data belonging to the U.S. Army Intelligence and Security Command (INSCOM), a joint Army and National Security Agency Defense Department command that gathers intelligence for military and political leaders, “leaked onto the public internet, exposing internal data and virtual systems used for classified communications to anyone with an internet connection,” the firm said.
The data was available on a public cloud storage server without a password, open for anyone to download, ZDNet reported. The site noted that “the virtual disk image contains over 100 gigabytes of data from an Army intelligence project, codenamed ‘Red Disk.’” Much of the data is marked “TOP SECRET” and “NOFORN,” indicating it was not to be shared with foreign allies, Chris Vickery, UpGuard’s director of cyber risk research, told McClatchy.
The NSA referred media inquiries to INSCOM, which did not respond to phone and email queries, according to McClatchy.
The disclosure highlights the potential vulnerability of classified government information and the need for stringent cloud security controls, according to UpGuard and other cybersecurity experts. Such a vulnerability could have been easily avoided, they say, if proper security protocols were followed.
“Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser,” Dan O’Sullivan, an analyst on UpGuard’s cyber risk team, wrote in a blog post.
Cloud Security Must Be Paramount
If agencies are hosting sensitive data in cloud environments, and especially on public clouds, security must be the top priority.
“Regrettably, this cloud leak was entirely avoidable, the likely result of process errors within an IT environment that lacked the procedures needed to ensure something as impactful as a data repository containing classified information not be left publicly accessible,” O’Sullivan wrote.
The necessary fix to the cloud storage configuration would have been simple, according to O’Sullivan, who wrote that INSCOM could have just updated the storage bucket’s “permission settings to only allow authorized administrators access.” Given that, he noted, “the real question is, how can government agencies keep track of all their data and ensure they are correctly configured and secured?”
To do that, agencies need “full visibility into the real-time state of all relevant IT systems, as well as possessing the necessary oversight and ability to make changes when necessary,” O’Sullivan wrote.
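The kind of automated check that O’Sullivan’s “full visibility” point calls for, as an added example that is not UpGuard’s code or anything from the article: it assumes the storage was an AWS S3 bucket (the article says only “cloud storage server” and “storage bucket”), takes ACL and bucket-policy documents in the shape the S3 GetBucketAcl and GetBucketPolicy APIs return, and flags any grant to everyone. The ACLs, policy, account id and role name below are constructed samples.

```python
PUBLIC_GROUP_URIS = {  # S3 predefined groups: anyone on the internet / any AWS account
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def acl_public_grants(acl: dict) -> list:
    """ACL grants (GetBucketAcl shape) that open the bucket to everyone."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings

def _principal_is_everyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def policy_public_statements(policy: dict) -> list:
    """Allow statements addressed to everyone; a Condition may narrow them, so it is flagged."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        note = " (Condition present: verify it restricts access)" if stmt.get("Condition") else ""
        findings.append("Policy allows " + ", ".join(actions) + " to everyone" + note)
    return findings

def audit_bucket(acl: dict, policy: dict) -> list:
    """All public grants found; an empty list means only named principals have access."""
    return acl_public_grants(acl) + policy_public_statements(policy)

# Constructed sample: the misconfiguration the article describes (READ for AllUsers)
# next to a corrected ACL, with a policy scoped to one admin role (placeholder account id).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}
LEAKY_ACL = {"Grants": [OWNER_GRANT, {"Grantee": {"Type": "Group",
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
FIXED_ACL = {"Grants": [OWNER_GRANT]}
ADMIN_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/AdminsPlaceholder"},
    "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]}
```

Running `audit_bucket(LEAKY_ACL, ADMIN_ONLY_POLICY)` yields one finding and `audit_bucket(FIXED_ACL, ADMIN_ONLY_POLICY)` yields none; in practice the same checks would run over every bucket in every account on a schedule, with a non-empty result blocking deployment.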
O’Sullivan noted that some of the data in the cloud storage server had been accessed by a third-party vendor, Invertix, which he says is troubling.
“The transfer of information to an external contractor, such as Invertix, exposes the originating enterprise (in this case, INSCOM) to the consequences of a breach, but without direct oversight of how the data is handled,” he wrote. The Defense Department “must have full oversight into how their data is handled by external partners, and be able to react quickly should disaster strike,” O’Sullivan added.
Agencies must ensure that if they are working with cloud service providers they still have the ability to control data security. That remains a core responsibility, according to experts.
“Moving services and data to a cloud platform can provide a number of benefits, but you remain responsible for protecting your own data,” Tim Erlin, vice president for product management and strategy at security and compliance automation software company Tripwire, told eSecurity Planet. “The cloud isn’t magic and it doesn’t absolve organizations from their responsibilities to their customers.”
“This is an attitude that has to change,” Erlin said. “Cloud adoption isn’t slowing, and organizations that mistakenly believe they’re not responsible for securing their own data are leaving consumers and themselves at risk.”
Carl Wright, chief revenue officer of security validation company AttackIQ, told eSecurity Planet that a high number of organizations have been breached recently simply because they failed to configure security controls correctly. Agencies must validate their cloud security controls and protocols, he said.
“This is called a protection failure, and indicates that these organizations are doing little to no testing to validate that existing security controls are working properly,” he said.
“The cost to validate your security controls is comparably infinitesimal compared to the cost of a data breach,” Wright added. “It is a disturbing state of IT and security management when the attackers are routinely able to find protection failures before corporate or government security teams.”