The recent hack of the National Vulnerability Database (NVD) is one more example of the need for a stronger U.S. cyber security strategy.
President Barack Obama pressed for such an initiative in meetings Wednesday and Thursday with corporate leaders, Bloomberg News reports. The president wants more cooperation between government and private industry to fend off cyber attacks.
[ Intelligence officials see cyber attacks as a top U.S. threat | The President's Security Advisor specifically called out China for its hacking of U.S. companies. | Prevent corporate data leaks with Roger Grimes' "Data Loss Prevention Deep Dive" PDF expert guide, only from InfoWorld. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
The meetings, with companies including Nasdaq, Oracle, Cisco, Exxon, and JPMorgan Chase & Co., occurred the same week it was disclosed that the government's NVD was taken offline after malware was discovered in two of its servers. The National Institute of Standards and Technology runs the database.
The unidentified attackers exploited a vulnerability in Adobe's Web development software ColdFusion, NIST spokeswoman Gail Porter said. The malware was inserted before Adobe issued a patch Jan. 15.
NIST discovered the malware on March 8, after suspicious activity was detected by a firewall, which led to the two servers being taken offline. One server ran the NVD while the other hosted a half-dozen other sites, including manufacturing.gov, E3.gov, greensuppliers.gov, emtoolbox.nist.gov, nsreserve.gov, and stonewall.nist.gov, Porter said.
Only three of the sites, manufacturing.gov, E3.gov and greensuppliers.gov, were restored on a different server as of Thursday. The NVD also remained offline.
"Currently there is no evidence that NVD or any other NIST public pages contained or were used to deliver malware to users of these NIST Websites," Porter said. NIST did not know the motive of the attackers.
Andrew Brandt, director of threat research at Solera Networks, said the NVD would be an effective platform for distributing malware to the many organizations that use the database.
[In depth: The DDoS attack survival guide, 2013 edition]
"I think in this case the motivation was to distribute malware to as wide an audience as possible," Brandt said. Having the NVD offline hampers security efforts at many organizations
Strengthening the nation's cyber security to protect U.S. corporations and critical infrastructure, such as the power grid, water filtration systems and energy pipelines, is a top priority of the Obama administration.
