Successful Website Hack Takes NIST Vulnerability Database Offline


The National Vulnerability Database, a catalogue of vulnerability management data maintained by the National Institute of Standards and Technology (NIST), remains inaccessible following a successful attack of the database website.

"The NIST National Vulnerability Database (NVD) has experienced an issue with its Web Services and is currently not available," a message reads on the database homepage. "We are working to restore service as quickly as possible. We will provide updates as soon as new information is available."

The NVD was taken offline March 8 when NIST detected suspicious activity and took steps to block unusual traffic from reaching the Internet, according to The Register, which first reported the incident.

[Related: 5 Dangerous Web Application Flaws Coveted By Attackers]

Investigators discovered malware on two NIST Web servers, prompting an outage of the NVD website and several other NIST-hosted websites while security response teams address the issue, Gail Porter, director of the public affairs office at NIST, told CRN.

"Currently there is no evidence that NVD or any other NIST public pages contained or were used to deliver malware to users of these NIST websites," Porter said. "NIST continually works to maintain the integrity of its IT infrastructure and acts to limit the impact of malware on its systems."

The NVD is associated with the Security Content Automation Protocol (SCAP), which takes in the NVD data to automate part of the vulnerability management process to comply with the Federal Information Security Management Act (FISMA).

PUBLISHED MARCH 14, 2013