Message for the DoD: Security, It's Not just for Operations
Data comes in all forms and sizes, and its composition varies greatly depending on the data owner. One actionable item, regardless of that composition, is security. The data requires some form of security to be applied to it to keep unauthorized parties from accessing it. Many organizations have learned this difficult lesson over the years through data compromises of differing magnitudes and costs. One of the latest involved the Department of Defense (DoD). The DoD left 1.8B social media and forum posts, written by users from across the planet, on a server. Normally, this would not be a notable occurrence. These posts, however, were placed on three Amazon S3 servers. These databases were owned by the US Central Command (CENTCOM) and the US Pacific Command (PACOM).
The issue is that the data was not secured or protected. It could have been accessed by virtually anyone. When the servers were acquired by the DoD, the persons in charge of the Amazon S3 servers did not configure them correctly. This issue is not new, as the same oversight has occurred several times at high-level organizations within the last 12 months. The researcher who found this lack of security acted responsibly and contacted the DoD. The Amazon services and databases were appropriately secured soon thereafter.
When working with the public's data, there is a certain level of responsibility and accountability. With the resources available to the DoD, this should not have happened. Regardless, the oversight was corrected. The lessons to pull from this episode are many, and they apply to other workplaces as well. The person with the appropriate level of knowledge and skills on the topic should be doing the work; simply pulling in someone without the requisite skill is not a good idea. Once the work is implemented, test it to ensure it actually works. Without that step, you are merely hoping the work was done correctly.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.