Data leaks from within the National Security Agency (NSA) have made news before, going back to Edward Snowden in 2013, and continuing more recently with Harold Martin and Reality Winner.  The Shadow Brokers hacker group made news in 2016 for publishing leaks of hacking tools from the NSA. This week brought news of highly sensitive data available online – and unprotected.

Breach Details

As ZDNet reported, a hard drive belonging to a division of the NSA was available online unprotected. The virtual disk image, containing over 100GB of data from an Army intelligence project, belongs to the US Army’s Intelligence and Security Command, a division of both the Army and the NSA.

The breach was discovered in September by UpGuard and reported to the government. Here are details of what they discovered:

  • The data was contained in an Amazon Web Services S3 cloud storage bucket configured for public access. Anyone entering the URL would be able to see the exposed bucket’s contents.
  • The main repository contained 47 viewable files and folders, three of which were also downloadable.
  • The properties of files on this hard drive reveal areas and technical configurations clearly marked as “Top Secret,” as well as the additional intelligence classification “NOFORN,” a stipulation meaning the data is so sensitive it cannot even be shared with foreign allies.
  • Metadata indicates that the box was worked on in some capacity by a now-defunct third-party defense contractor.
  • Also exposed within the data were private keys used for accessing distributed intelligence systems.

Lessons Learned

The lessons from this leak are not new:

  • Protect your cloud storage. This is the latest in a string of leaks attributed to unsecured AWS S3 storage buckets. Access rights should be set so that only authorized administrators have access, but users seem to be ignoring the text that Amazon displays when specifying permissions in the setup dialog: “Do not grant public read access to this bucket (Recommended)”.
  • Ensure everyone receives security awareness education. Unsecured cloud storage and the publishing of private keys are indications that additional security education is needed. Ensure members of the technical staff are aware of proper procedure, and use any incidents as an opportunity to refresh education.
  • Monitor vendors and partners. UpGuard notes that “third-party vendor risk remains a silent killer for enterprise cyber resilience”. Vetting vendors’ security policies and procedures, monitoring the handling of data, and ensuring there is a coordinated incident response plan are all critical requirements.
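The first lesson above turns on a bucket that was "configured for public access". As an added example (not code from the article, UpGuard or AWS), the audit below shows the weak configuration beside the corrected one and flags the three ways an S3 bucket becomes public: an ACL grant to the AllUsers or AuthenticatedUsers group, a bucket policy that allows an anonymous (wildcard) principal with no Condition, and the bucket-level S3 Block Public Access flags not all being set (a control AWS added after this incident). It works on dicts shaped like the GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock API results, so the sample ACLs and owner ID are constructed and no AWS calls are made.

```python
import json

# The two group grantees an S3 ACL can use that mean "the public":
# AllUsers is anyone on the Internet; AuthenticatedUsers is any AWS account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Keys of an S3 PublicAccessBlockConfiguration; all four should be True.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def acl_public_grants(acl):
    """(group, permission) pairs in a GetBucketAcl-shaped dict that reach the public."""
    return [(PUBLIC_GRANTEES[g["Grantee"]["URI"]], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEES]

def policy_anonymous_sids(policy_json):
    """Sids of Allow statements with a wildcard Principal and no Condition."""
    if not policy_json:
        return []
    sids = []
    for st in json.loads(policy_json).get("Statement", []):
        p = st.get("Principal")
        wildcard = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
            sids.append(st.get("Sid", "<no Sid>"))
    return sids

def audit_bucket(acl, policy_json=None, public_access_block=None):
    """Return a list of findings; an empty list means no public exposure found."""
    findings = [f"ACL grants {perm} to {who}" for who, perm in acl_public_grants(acl)]
    findings += [f"policy statement {s} allows an anonymous principal"
                 for s in policy_anonymous_sids(policy_json)]
    bpa = public_access_block or {}
    if not all(bpa.get(flag) is True for flag in BPA_FLAGS):
        findings.append("S3 Block Public Access is not fully enabled")
    return findings

OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}  # constructed sample
# Constructed weak configuration: the public-read ACL the article warns about.
WEAK_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
# Constructed hardened configuration: owner-only ACL plus all four block flags.
SAFE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
SAFE_BPA = dict.fromkeys(BPA_FLAGS, True)
```

Run `audit_bucket(WEAK_ACL)` and `audit_bucket(SAFE_ACL, public_access_block=SAFE_BPA)` to see the weak bucket flagged twice and the hardened one come back clean; in a real account the same functions would be fed the output of the three corresponding API calls for every bucket.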
