Listed Vulnerabilities Need to Be Addressed
By Charles Parker, II; Cybersecurity Lab Engineer
From a young age, we become acquainted with NASA through its missions to the Moon, Mars, Saturn, and Pluto, and its other missions. The spectacular amount of data created, along with the images, provides years of research for the industry. The iconic astronauts in their suits have been etched into our minds. In short, space exploration is their mission. While this is their primary focus, and their engineers are very good at it, the organization still needs other workgroups to support the mission. One of these pertinent workgroups is information security, or cybersecurity. Without a strong team in place, there could be immediate issues. With critical systems, a breach could prove disastrous. An incident from late 2018 suggests that not enough attention has been paid to this.
Compromise
The breach occurred in October 2018. Once it was detected, NASA moved to contain the issue in a timely manner, which is a great action to take given the attacker’s motives. Unfortunately, nothing substantial has been published regarding the method of attack. Granted, NASA would have corrected this already; however, understanding how the attack led to a compromise would have been a great learning experience. This would have allowed others to learn from the NASA oversight so that it would not be repeated.
This is not the first time the potential for a compromise has been noted as an issue. For example, in November 2017 the Inspector General noted NASA’s InfoSec issues. In the two years prior to this report, there were over 3k computer security issues and incidents of unauthorized access. Fortunately, no missions were impacted by this. The number of cybersecurity issues was rather substantial. From a CISO’s perspective, one would seemingly want to start by fixing the critical issues and then move down the list from there.
Data
The targeted NASA servers unfortunately held PII, which is a detrimental set of circumstances for the affected parties. This included the Social Security numbers and other PII data of current and prior NASA employees, specifically those on-boarded from July 2006 to October 2018. This is a rather large number of persons. The data set being accessed is problematic for several reasons, specifically for the affected prior and present employees. One of these is the opportunity for identity theft and for their specific data to be sold repeatedly on the dark web.
Notifications
As the employees’ PII was included, the notification had to be made. The NASA HR Department, on behalf of Bob Gibbs (Assistant Administrator, Office of the Chief Human Capital Officer), forwarded a memo on December 18, 2018. This noted that the cybersecurity personnel had started an investigation of their systems, which were compromised. It is notable that the breach occurred in October 2018, yet NASA waited until December 18, 2018, to notify persons. Generally, this would throw a red flag, as the notification did not occur sooner. The waiting period was intentional, as law enforcement was still investigating and did not want to let the attackers know more about the extent of the investigation. Granted, the attackers would know NASA had detected the issue if they were to access the system again; however, there was no need to provide more information than was necessary.
Mitigation
NASA will offer identity protection services and other resources through a vendor. NASA and other federal cybersecurity partners are analyzing the breach for the forensic review. This, however, is focused only on the impacted systems. The same or nearly the same issues may exist on other systems, providing additional opportunities for the attackers. As a result of the compromise, NASA is working to expand its network penetration testing program, work on a greater number of incident response (IR) assessments, broaden deployment of intrusion detection systems (IDS), and provide a greater level of web application security scanning.
Resources
Boston, B.A. (2018, December 19). NASA reveals an October security breach that exposed employee data. Retrieved from https://www.slashgear.com/nasa-reveals-october-security-breach-that-exposed-employee-data-19558631/
NASA HQ. (2018, December 18). Potentially personally identifiable information (PII) compromise of NASA servers. Retrieved from http://spaceref.com/news/viewsr.?pid=52074
Vijayan, J. (2018, December 19). NASA investigating breach that exposed PII on employees, ex-workers. Retrieved from https://www.darreading.com/attacks-breaches/nasa-investigating-breach-that-exposed-pii-on-employees-ex-workers/
About The Author
Charles Parker, II has been in the computer science/InfoSec industry for over a decade, working with medical, sales, labor, OEM and Tier 1 manufacturers, and other industries. Presently, he is a Cybersecurity Lab Engineer at a Tier 1 manufacturer and a professor. To further the knowledge base for others in various roles in other industries, he has published in blogs and peer-reviewed journals. He has completed several graduate degrees (MBA, MSA, JD, LLM, and PhD), completed certificate programs in AI from MIT and other institutions, and researches AI’s application to InfoSec, FinTech, and other areas.