[BreachExchange] NASA Data Breach Demonstrates Need for Proper Network Governance

Destry Winant destry at riskbasedsecurity.com
Mon Jun 24 09:50:42 EDT 2019


https://www.infosecurity-magazine.com/infosec/nasa-data-breach-network/

A cyber-attack on NASA's Jet Propulsion Laboratory was so severe that
it prompted parts of the Agency to disconnect from the Lab's networks,
a report revealed this month, and it all began because of a rogue
Raspberry Pi.

The Jet Propulsion Laboratory (JPL) is a NASA research facility that
conducts robotic space missions. It's the organization that builds
probes and sends them to Mars.

The intrusion was discovered in 2018, by which time the attackers had
been lurking in JPL's infrastructure for ten months. According to the
report from NASA's Inspector General, they broke into its network
through the Raspberry Pi, a tiny computer marketed to consumers and
enthusiasts for simple Linux projects.

Using an external user account, the attackers gained access to two of
three primary networks and stole 23 files containing 500Mb of data.
Two of these files included International Traffic in Arms Regulations
information related to the Mars Science Laboratory mission.

An incomplete inventory of the devices connected to the JPL network
allowed the Pi onto the network unnoticed. Although the Lab maintains
a database for hardware and applications, it wasn't regularly updated.
"The April 2018 cyberattack exploited this particular weakness when
the hacker accessed the JPL network by targeting a Raspberry Pi
computer that was not authorized to be attached to the JPL network,"
the report said.

Poor network segmentation in the Lab's network gateway then enabled
the attacker to get to its mission network. Their ability to move
laterally through JPL's infrastructure could have enabled them to gain
access to live mission communications and send malicious signals to
human space flight missions, said the report. For this reason, staff
at the Johnson Space Center (which handles the International Space
Station mission) cut communications with the gateway for over six
months. As late as March this year, the Center still hadn't
re-established full communication between the two networks.

Network admins failed to deal with log tickets highlighting potential
security vulnerabilities, sometimes for longer than 180 days. The
software vulnerability that the attackers exploited was first
identified in 2017 with a vulnerability score of ten. JPL didn't fully
eliminate the vulnerability until this March.

Inadequate incident response procedures made it difficult to ensure
that the JPL had properly contained the attack, according to the
report. NASA asked the Department of Homeland Security (DHS) to scan
the Lab's network and ensure that the attack had been properly cleared
up, but JPL's unfamiliarity with DHS procedures and concerns over
access to its corporate network introduced a four-month delay.

The report shows that a string of security shortcomings combined to
allow the attackers to steal the files they needed. It also
demonstrates clearly how a single rogue device can provide the perfect
gateway for an attack. Admins should use it as a prompt to check their
process for documenting new hardware on their networks, and to audit
their infrastructure for unauthorized devices.
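As an added example that is not part of the article or the NASA report: a small Python audit that reconciles an approved-hardware inventory export against the ARP neighbours seen on a gateway, reporting devices with no inventory record (the gap that let the Pi onto the JPL network) and inventory entries no longer seen (the kind of staleness the report criticised). The CSV layout, the `approved` column and the ARP output are constructed assumptions; the OUI prefixes are the well-known ones registered to the Raspberry Pi Foundation and Raspberry Pi Trading.

```python
import csv
import io
import re

# Well-known OUI prefixes registered to the Raspberry Pi Foundation / Raspberry Pi Trading.
RASPBERRY_PI_OUIS = ("b8:27:eb", "dc:a6:32", "e4:5f:01")

# Constructed sample: export from a hardware inventory database (format is an assumption).
INVENTORY_CSV = """mac,hostname,owner,approved
00:1a:2b:3c:4d:5e,ws-mission-01,flight-ops,yes
00:1a:2b:3c:4d:5f,ws-mission-02,flight-ops,yes
00:1a:2b:3c:4d:60,printer-b2,facilities,yes
"""

# Constructed sample: `arp -an`-style output captured on a gateway.
ARP_OUTPUT = """? (10.10.1.10) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (10.10.1.11) at 00:1a:2b:3c:4d:5f [ether] on eth0
? (10.10.1.77) at b8:27:eb:11:22:33 [ether] on eth0
? (10.10.1.80) at 00:1a:2b:3c:4d:99 [ether] on eth0
"""

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def load_inventory(text):
    """Return {mac: row} for every inventory row marked approved."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["mac"].lower(): r for r in rows if r["approved"].strip().lower() == "yes"}

def parse_arp(text):
    """Return {mac: ip} for every neighbour present in the ARP output."""
    seen = {}
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            seen[m.group("mac").lower()] = m.group("ip")
    return seen

def audit(inventory_text, arp_text):
    """Diff observed devices against the approved inventory."""
    inventory = load_inventory(inventory_text)
    observed = parse_arp(arp_text)
    unauthorized = []
    for mac, ip in observed.items():
        if mac not in inventory:  # on the wire, but nobody documented it
            vendor = "raspberry-pi" if mac.startswith(RASPBERRY_PI_OUIS) else "unknown"
            unauthorized.append({"mac": mac, "ip": ip, "vendor": vendor})
    stale = sorted(set(inventory) - set(observed))  # documented, but not seen
    return {"unauthorized": unauthorized, "stale": stale}

if __name__ == "__main__":
    for entry in audit(INVENTORY_CSV, ARP_OUTPUT)["unauthorized"]:
        print("UNAUTHORIZED", entry)
```

Running it against a real ARP or DHCP-lease export is the same call with different text; the stale list is worth reviewing as closely as the unauthorized one, since an inventory nobody reconciles is what let the Pi go unnoticed.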

