12/19/2018
04:30 PM

NASA Investigating Breach That Exposed PII on Employees, Ex-Workers

Incident is latest manifestation of continuing security challenges at agency, where over 3,000 security incidents have been reported in recent years.

NASA is investigating a data breach that exposed personally identifiable information (PII) — including Social Security numbers — belonging to current and former employees who joined the agency after July 2006.

The breach is the latest of numerous major and minor security incidents at NASA in recent years and is sure to heighten scrutiny of its cybersecurity practices.

In an internal memo to employees Dec. 18 (posted here), NASA's head of human relations, Bob Gibbs, said the space agency's cybersecurity staff discovered the breach when investigating a potential compromise of several servers in late October. An initial analysis of the incident showed that one of the impacted servers contained PII on NASA employees that the attackers may have stolen.

"Upon discovery of the incidents, NASA cybersecurity personnel took immediate action to secure the servers and the data contained within," Gibbs' memo stated without further elaboration.

NASA and other federal cybersecurity partners are doing a forensic analysis of the impacted systems to understand the full scope of the breach and to identify employees whose data might have been stolen, the statement noted. The process will take time but is a top priority at NASA, with senior leadership actively involved in understanding the breach and developing a response.

"NASA does not believe that any agency missions were jeopardized by the intrusions," a spokeswoman said in a separate emailed statement to Dark Reading. "The agency is continuing its efforts to secure all servers and is reviewing its processes and procedures to ensure the latest security practices are followed throughout the agency." NASA did not respond to a question about why the agency waited so long to disclose the breach.

The server intrusions appear to be the latest manifestation of what NASA's Office of Inspector General (OIG) has previously described as long-standing security issues at the agency.

In a November 2017 assessment of NASA's top management and performance challenges, inspector general Paul Martin identified IT governance and information security as one key issue. According to the OIG, NASA reported more than 3,000 computer security incidents involving malware or unauthorized access to agency computers in the two years preceding the report.

"These incidents included individuals testing their skills to break into NASA systems, well-organized criminal enterprises hacking for profit, and intrusions that may have been sponsored by foreign intelligence services seeking to further their countries’ objectives," the report noted. In one instance, a contract employee was indicted for illegally accessing and attempting to sabotage NASA systems.

To address these issues, NASA has implemented a series of initiatives, including expanded network penetration testing, more incident response assessments, broader deployment of intrusion detection systems, and increased Web application security scanning. Despite such measures, problems persist, the OIG said. Among them: inadequate IT acquisition and governance practices, gaps in the agency's incident detection and handling capabilities, and inadequate monitoring tools and Web application security controls.

Also troubling, according to the OIG, were NASA policies that did not distinguish OT systems from IT.

As of November 2017, the agency managed more than 500 information systems for everything from controlling spacecraft and processing scientific data to enabling NASA personnel to collaborate with peers around the world. NASA also manages some 1,200 publicly accessible Web applications — or about 50% of all non-military federal websites that are publicly accessible.

Not a Houston Problem Alone
NASA is by no means the only federal agency with cybersecurity challenges. Though civilian US federal agencies spent an estimated $5.7 billion on cybersecurity last year, many serious deficiencies persist across the spectrum, said the White House Office of Management and Budget (OMB) in a report in May. Among them were gaps in network visibility that prevented agencies from fully knowing what was going on in their networks, lack of standardized processes and capabilities, and limited situational awareness. One example: In 38% of federal cybersecurity incidents, investigators were not able to identify an attack vector.

Michael Magrath, director of global regulations and standards at OneSpan, says breaches like the one at NASA are not surprising given how big of a target federal agencies are for cybercriminals because of the PII they collect and store. "That large human resources target plus the potential damage that can be inflicted from a national security standpoint means that federal agencies will always [face] cyberthreats," he says.

The OMB is expected to soon release final policy to address federal agencies' implementation of Identity, Credential, and Access Management (ICAM) policy, he says. The policy will update previous requirements for multifactor authentication, digital signatures, encryption acquisition, and other areas of security. "It remains to be seen what is included in the updated requirements," Magrath says. "Hopefully it addresses the growing number of successful cyberattacks on federal agencies."

Somewhat ironically, the latest breach is unlikely to make a huge difference for the victims because a lot of their PII was likely already compromised in the 2015 intrusion at the US Office of Personnel Management (OPM). In that incident, PII belonging to as many as 21.5 million current and former federal employees and others was compromised.

"Given the depth of the OPM breach, it is likely that most of the information has already been made available," says Keenan Skelly, vice president of global Partnerships at Circadence.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
NathanDavidson,
User Rank: Apprentice
1/8/2019 | 4:15:44 AM
Background checks
It is scary to know that data breaches within even the most successful organisations have become ever so common within the recent past. In the majority of such cases, an internal breach is to be blamed which simply means that the organisation had committed a mistake during their recruitment drive. Every single employee ought to be scrutinised in terms of their background checks just to see if there's any potential amongst any of the workers to commit crimes like data breaches.
CameronRobertson,
User Rank: Moderator
1/3/2019 | 6:33:59 AM
would think that personnel working
You would think that personnel working in a facility with that kind of security especially with the amount of sensitive information going around that place, would know better about how to protect themselves from being the target of attack when it comes to external forces trying to attack the facility for the data in storage... Seems like they still have a lot to learn...
Dr.T,
User Rank: Ninja
12/26/2018 | 12:55:31 PM
Re: inb4
cybersecurity isn't rocket science" joke Agree. Hard to argue with it.
Dr.T,
User Rank: Ninja
12/26/2018 | 12:54:06 PM
Re: Reasons why these things continue to happen at Federal Agencies
Meaning, cut, cut, cut even though IT is vital to the day to day operations & success of the organization. I think we can certainly cut and stay secure. It is just changing mindset that security is part of daily operation.
Dr.T,
User Rank: Ninja
12/26/2018 | 12:52:50 PM
Re: Reasons why these things continue to happen at Federal Agencies
Many organizations view IT as non revenue generating and thus treat them in that manner. That would be true. Organizations would try to avoid expenses for security as much as possible.
Dr.T,
User Rank: Ninja
12/26/2018 | 12:51:49 PM
Re: Reasons why these things continue to happen at Federal Agencies
They only care about fulfilling their core mission. I assume they are blinded by the regulations but they do not have to obey obviously.
Dr.T,
User Rank: Ninja
12/26/2018 | 12:50:31 PM
Re: Reasons why these things continue to happen at Federal Agencies
because their superiors do not care about security unless a breach is publicized and they become embarrassed Yes, this represents a cultural issue in the agencies.
Dr.T,
User Rank: Ninja
12/26/2018 | 12:49:23 PM
Re: Reasons why these things continue to happen at Federal Agencies
Even when there are qualified IT security professionals, they are often overruled in their attempts to increase security, I would guess this might be the norm. They do not want to spend money on security most likely as it gets expensive in most cases.
Dr.T,
User Rank: Ninja
12/26/2018 | 12:47:59 PM
Re: Reasons why these things continue to happen at Federal Agencies
Also, the pay structures of the federal government do not generally allow the agencies to pay what they need to pay for qualified IT security personnel. If I guess, I would guess that it is less about money/personnel than the culture of the agencies.
Dr.T,
User Rank: Ninja
12/26/2018 | 12:46:28 PM
Re: Reasons why these things continue to happen at Federal Agencies
Federal Agencies are loathe to spend money on IT security because it is not central to their mission. That is true too. It should be part of their mission definition in my view.