Emails Exposed in DoD Azure Attack
A gap in a US military server operated by Microsoft left more than a terabyte of data exposed to the internet. This comes only one month after Microsoft 365 was awarded higher level government security accreditations.
The openly accessible server was part of an internal mailbox system hosted on Azure’s Government cloud and used by the Department of Defence (DoD) various reasons, including the processing of security clearance paperwork.
The exposed public-facing server was discovered at the end of February and wasn’t password protected, allowing whoever had its IP address and a browser to access the data freely.
Bloomberg spoke to individuals at the DoD and Microsoft; the Pentagons cyber command and Microsoft are investigating the incident. The server was reportedly accessible to the internet since February 8th before being secured and removed from public access. So far in the investigation, there’s no sign malicious parties have accessed the data, DoD revealed.
The blame game
The Pentagon and Microsoft have blamed each other for the security risk. But there’s a good chance the fault lies within the government for misconfiguring its IT environment, not Microsoft.
Further demonstrating the need for organisations and businesses to properly protect their data through various means. Microsoft’s solutions are indeed secure, but organisations have the responsibility to set up their internal systems properly.
DoD Data Audit
An requirements published (PDF linked) in early February found that every branch needed to improve to evaluate commercial cloud service offerings properly.
The audit report goes on to claim that authorising officials “did not review all required documentation to consider the risks to their systems”, nor did they consider system risks that were identified in supporting documentation, as all five authorising officials believed the government acquisition processes were sufficient to mitigate risk to their respective systems.
The government has contracts with Amazon Web Services, Google Cloud, Oracle, and Microsoft for its cloud programme. The IG report said it examined five cloud systems from three authorised companies as part of the review. The latest Microsoft system to get approval – Office 365 Government Secret Cloud – is cleared for operation at impact level 6, the highest classification level allowed in the commercial cloud. In comparison, other vendor systems approved for DoD cloud use only reach IL5.
With the DoD and Microsoft now apparently trying to blame each other for an egregious security failure, the window is open for those other three to swoop in and further disrupt the Redmond/DC relationship.
A cautionary tale of cyber security
Cyberattacks and ransomware attacks are on the rise, with a 42% rise in the first part of 2022 (Compared to the previous year). But all too often, security tools are siloed or not designed to meet the needs of today’s businesses. The result is an overworked IT team, unaddressed alerts, undetected threats, and ignored updates. As the threat landscape evolves, protecting your digital business data requires an agile approach that empowers you to protect your data.