An employee’s rogue Raspberry Pi device has been blamed for a 2018 security breach in NASA’s Jet Propulsion Laboratory (JPL), according to a new report from NASA’s Office of Inspector General. The security breach in question saw hackers target a NASA employee’s Raspberry Pi device, which wasn’t authorized to connect to the JPL network, and exfiltrate 500MB of data from one of its major mission systems.
Commentary: One of the most fundamental principles of security is that you can’t protect what you don’t know you have, or its corollary, you can’t protect against what you don’t know is there. The OIG’s report of the incident makes for interesting reading: an incomplete and inaccurate asset inventory, a lack of network segmentation, a lack of 3rd party vetting, vulnerabilities not logged or addressed, logs not reviewed, limited ability to respond to incidents, and failure to track and comply with contract requirements. What could go wrong? And then to fully demonstrate how much security matters in government institutions…
“Despite these significant concerns, the contract NASA signed with Caltech in October 2018 to manage JPL for at least the next 5 years left important IT security requirements unresolved and instead both sides agreed to continue negotiating these issues. As of March 2019, the Agency had not approved JPL’s plans to implement new IT security policies and requirements NASA included in its October 2018 contract.”
With regard to how much information security and privacy matter in organizations, I classify them into three categories – not based on their policies and statements, but rather their actions. JPL clearly falls into the “Don’t Care” category.
Likely Threat(s): Nation-States, Employees
Likely Motive(s): Espionage
Likely Means: 7.3 Rogue Devices in the environment, 2.x Attack the Endpoint Devices, 4.x Attack the Network, 8.x Attack the Governance
Opportunities: 3rd Party Management, Asset Management, Threat and Vulnerability Management, Incident Response, Network Segmentation, IAM