NASA in 'serious jeopardy' due to big black hole in security

Auditor finds space agency defends classified info well, isn't paying attention to valuable unclassified data

An audit of NASA's infosec preparedness against insider threats has warned it faces "serious jeopardy to operations" due to lack of protection for unclassified information.

A Monday report [PDF] found that NASA has done well, as required, in its efforts to defend and prevent insider threats to classified information – stuff that NASA defines as "Official information regarding the national security that has been designated Confidential, Secret, or Top Secret."

The report found the agency has deployed defenses including user activity monitoring, adopted mandatory agency-wide insider threat training, and "created an insider threat reference website that assists employees and contractors with identifying threats, their risks, and follow-up information." Procurement controls are being strengthened in ways that address risks of foreign influence.

But while the report is satisfied NASA has done well to protect its classified info, it notes that "the vast majority" of NASA tech is not classified, including plenty of "high-value assets and critical infrastructure." Among those assets are "sensitive and valuable information such as scientific, engineering, or research data; human resources files; or procurement sensitive information." Because that infrastructure is not classified, it's not covered by the insider threat program.

And that's a worry, because in 2021 NASA's auditor found "incidents of improper use of NASA IT systems had increased from 249 in 2017 to 1,103 in 2020 – a 343 per cent growth; the most prevalent error was failing to protect Sensitive but unclassified (SBU) information."

Among the booboos the auditors found were "sending unencrypted email containing SBU data, Personally Identifiable Information, or International Traffic in Arms Regulations data, any of which could expose the Agency to a risk that can affect national security, incur a loss of intellectual property, or compromise sensitive employee and contractor data."

The report also mentions that in the last three years, NASA users have made over 12,000 requests for elevated privileges – just the sort of thing that could lead to more information reaching the wrong eyes.

Further complicating matters is that NASA's infosec responsibilities are spread around different teams. The Office of Protective Services (OPS) is responsible for protecting against insider threats to classified info, but lacks resources to cover unclassified systems. The Office of the Chief Information Officer (OCIO) has responsibility for "data loss prevention and behavioral analysis, but has no defined responsibility to monitor unclassified systems for indicators of compromise specifically related to insider threats."

Other US government agencies, the report notes, have already extended their insider threat defenses to cover unclassified info. The auditors suggest it is time for NASA to do likewise and to undertake two specific reforms:

  1. Establish a cross-discipline team to conduct an insider threat risk assessment to evaluate NASA's unclassified systems and determine if the corresponding risk warrants expansion of the insider threat program to include these systems.
  2. Improve cross-discipline communication by establishing a working group that includes OPS, OCIO, procurement, human resources officials, and any other relevant agency offices to collaborate on wide-ranging insider threat-related issues for both classified and unclassified systems.

NASA management has agreed with the report's findings, agreed to implement the recommendations, and set December 1, 2023, as the deadline for delivery.

Which suggests the changes outlined above might not be rocket science. ®
