NASA Poor Asset Visibility

June 27, 2019

Barnaby Clarke

It has recently come to light even some of the most recognisable institutions in the world (and space) are susceptible to the most basic cybersecurity challenges. 

The Jet Propulsion Lab (JPL) at NASA was recently subject to a data breach due to an attack through a Raspberry Pi, wherein they lost 500MB of data, including files regarding restricted military and space technology.

One of the key issues at play here is that the Raspberry Pi was an unknown device within the NASA network, and had been within the network for 10 months. IT administrators weren’t aware of it and this vulnerability was exploited. Once inside, the malicious party was able to navigate the internal network due by taking advantage of weak internal security controls that should have made it impossible to jump between different departmental systems. This prompted an audit which discovered yet more unknown devices. Here’s a brief summary from the report that highlights the key issue: 

JPL uses its Information Technology Security Database (ITSDB) to track and manage physical assets and applications on its network; however, we found the database inventory incomplete and inaccurate, placing at risk JPL’s ability to effectively monitor, report, and respond to security incidents. Moreover, reduced visibility into devices connected to its networks hinders JPL’s ability to properly secure those networks 

This problem is not exclusive to NASA, however. There are companies across the world with estates of great size and complexity, operating in a fragmented environment, that share this issue of unmanaged assets within their network. Some companies even have ‘known unknowns’, wherein security and IT teams will know there are assets within their network that lack detailed information or are missing from their inventory (though ignoring these can be attributed to a calculated risk appetite). 

It is a common problem with companies that have thousands upon thousands of assets, whether they are computers, laptops, serverseven going beyond devices to applications, databases, and people. This is becoming even more difficult with the increasing prominence of IoT. Without having knowledge of all devices within the network, there are many open attack vectors. 

In a new study, Panaseer found that lack of visibility on technical assets and security controls deployment leaves security teams in the dark. It is difficult to understand and improve the cybersecurity posture of an organisation against the cyber threat landscapes. The report also found that 89% of large enterprises have concerns based on lack of visibility and insight into trusted data and that IoT featured as the area with the worst asset visibility. 

Large organisations, including NASA, need to strengthen their security fundamentals. It is essential to get good asset visibility: knowing what assets your organisation is defending and then ask your security team key questions. How well controlled are they? Are these controls performing within policy?

If the answer to these is ‘I don’t know’, then you have a fundamental cybersecurity problem. In the case of JPL, it looks like they were not able to confidently answer any of these questions, which leads to massive gaps in security coverage.  

Audits such as that published by NASA are effective in exposing some of these gaps and highlighting key areas of improvement. Their report recommends an annual review – but is one point-in-time snapshot per year an effective way to improve cybersecurity posture? 

The compromised system was undetected for 10 months – annual snapshots could well be too little too late. 

When it comes to security controls, timeliness is next to godliness.  

The answer is to get a holistic, real-time view of cybersecurity posture – automating data unification to monitor controls and measure their performance continuously will pave the way for improved visibility.  Large companies like NASA will benefit greatly from timely visibility, which will allow more effective decisions to be made on remediation, and ultimately push the cybersecurity culture from reactive to proactive.