From a young age we come to know NASA through its missions to the Moon, Mars, Saturn, Pluto and beyond, and the iconic image of astronauts in their suits is etched into our minds. In short, space exploration is NASA's mission. While that is the primary focus, and NASA's engineers are very good at it, the organization still depends on other work groups to support it. One of these is information security, or cybersecurity. Without a strong team in place, problems can surface quickly. An incident from late 2018 suggests that not enough attention had been paid to this.
The breach occurred in October 2018. Once it was detected, NASA moved to contain the issue, which is the right action given what the attackers were doing. Unfortunately, nothing substantial has been published about the method of attack. Granted, NASA would have corrected the underlying weakness already; however, understanding how the attack led to a compromise would have been a valuable lesson, allowing other organizations to learn from NASA's oversight.
This is not the first time the potential for a compromise has been flagged. In November 2017 the Inspector General reported on NASA's information security issues. In the two years prior to that report there were over 3,000 computer security issues and incidents of unauthorized access. Fortunately, no missions were affected. Still, the number of incidents is substantial. From a CISO's perspective, the obvious approach would be to fix the critical issues first and work down the list from there.
The servers targeted unfortunately held personally identifiable information (PII), which is bad news for the affected parties. This included Social Security numbers and other PII for current and former NASA employees, specifically those on-boarded between July 2006 and October 2018. That is a large number of people.
Because employee PII was involved, notification was required. The NASA HR department, on behalf of Bob Gibbs (Assistant Administrator, Office of the Chief Human Capital Officer), forwarded a memo on December 18, 2018. It stated that NASA's cybersecurity personnel had begun an investigation of the compromised systems. It is notable that the breach occurred in October 2018, yet NASA waited until December 18, 2018 to notify those affected. This was intentional: law enforcement was still investigating and did not want to tip off the attackers.
NASA will offer identity protection services and other resources through a vendor. NASA and other federal cybersecurity partners are carrying out the forensic review of the breach. That review, however, is focused only on the impacted systems. The same or nearly the same weaknesses may exist on other systems, giving the attackers further opportunities, and a review scoped to the known-compromised hosts will not find them. As a result of the compromise, NASA is working to expand its network penetration testing program, conduct a greater number of incident response (IR) assessments, broaden deployment of intrusion detection systems (IDS), and increase web application security scanning.
Boston, B.A. (2018, December 19). NASA reveals October security breach that exposed employee data. Retrieved from https://www.slashgear.com/nasa-reveals-october-security-breach-that-exposed-employee-data-19558631/
NASA HQ. (2018, December 18). Potentially personally identifiable information (PII) compromise of NASA servers. Retrieved from http://spaceref.com/news/viewsr.?pid=52074
Vijayan, J. (2018, December 19). NASA investigating breach that exposed PII on employees, ex-workers. Retrieved from https://www.darreading.com/attacks-breaches/nasa-investigating-breach-that-exposed-pii-on-employees-ex-workers/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.