An Engadget story yesterday showed how an unauthorized Raspberry Pi was compromised and served as an entryway for cybercriminals to steal 500 megabytes of major mission system data from NASA’s Jet Propulsion Lab (JPL). It’s a great example of why asset management matters in cybersecurity.
From the Office of Inspector General’s “Cybersecurity Management and Oversight at the Jet Propulsion Laboratory” (PDF):
Multiple IT security control weaknesses reduce JPL’s ability to prevent, detect, and mitigate attacks targeting its systems and networks, thereby exposing NASA systems and data to exploitation by cybercriminals. JPL uses its Information Technology Security Database (ITSDB) to track and manage physical assets and applications on its network; however, we found the database inventory incomplete and inaccurate, placing at risk JPL’s ability to effectively monitor, report, and respond to security incidents. Moreover, reduced visibility into devices connected to its networks hinders JPL’s ability to properly secure those networks. Further, we found that JPL’s network gateway that controls partner access to a shared IT environment for specific missions and data had not been properly segmented to limit users only to those systems and applications for which they had approved access. This shortcoming enabled an attacker to gain unauthorized access to JPL’s mission network through a compromised external user system. Additionally, NASA failed to establish Interconnection Security Agreements (ISA) to document the requirements partners must meet to connect to NASA’s IT systems and describe the security controls that will be used to protect the systems and data.
In short, NASA had a few very common issues:
- An outdated CMDB – In this case, the report noted that NASA’s ITSDB was incomplete and inaccurate. In the section entitled “NASA Unable to Monitor Assets on the JPL Network” you’ll find “NASA does not have access to JPL’s incident management system nor has ever undertaken an audit of the system.”
Additionally, “One system administrator told us he does not regularly enter new devices into the ITSDB as required because the database’s updating function sometimes does not work and he later forgets to enter the asset information. Consequently, assets can be added to the network without being properly identified and vetted by security officials”.
- No mechanism to identify unmanaged devices on privileged networks – In this case, a Raspberry Pi that should not have been on the JPL network was exploited and the criminals “proceeded to take advantage of the network’s lack of segmentation to find a network gateway and pivot deeper into the system.”
- Not enough visibility to quickly respond to incidents – From Threatpost: “Meanwhile, JPL hasn’t been timely in addressing security problems when they’re identified. For instance, log tickets, created in the ITSDB when a potential or actual IT system security vulnerability is identified, were sometimes not resolved for longer than 180 days,” OIG found.
“While system administrators may request a waiver when they cannot resolve such tickets within six months, we found waivers were not reviewed annually as required, resulting in unnecessary waivers and potentially outdated compensating security controls that expose the JPL network to exploitation by cyberattacks,” OIG said.
In the OIG’s report, 10 recommendations were given to the JPL’s CIO, with the following related to asset management:
Require all system administrators to review and update the ITSDB to ensure all system components are properly registered in the database and require the JPL CITO to periodically review the ITSDB for compliance with this requirement.
Obviously, we’re biased, but we feel that the only way to make sure any asset database is up-to-date is by automating the data entry. There are just too many devices to keep updated, and without visibility into those devices, it can’t be done manually.
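As an added illustration (not Axonius code and not taken from the OIG report), the sketch below reconciles an asset inventory export against devices actually observed on the network, reporting devices that were never registered and records that look out of date. The CSV column names, the sample rows and the 30-day staleness threshold are all assumptions made for the example.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the OIG report): an inventory export and
# a list of devices observed on the network, e.g. from DHCP leases.
INVENTORY_CSV = """mac,hostname
00:1A:2B:3C:4D:5E,ws-eng-01
00-1a-2b-3c-4d-5f,srv-db-02
001a.2b3c.4d60,printer-3
"""
OBSERVED_CSV = """mac,ip,last_seen
00:1a:2b:3c:4d:5e,10.0.0.11,2019-06-20T09:00:00
b8:27:eb:12:34:56,10.0.0.57,2019-06-20T09:05:00
00:1A:2B:3C:4D:5F,10.0.0.12,2019-03-01T12:00:00
"""


def normalize_mac(raw):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff regardless of input style."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(inventory_csv, observed_csv, now, stale_after=timedelta(days=30)):
    """Compare the asset inventory with what was actually seen on the network."""
    inventory = {normalize_mac(r["mac"]): r["hostname"]
                 for r in csv.DictReader(io.StringIO(inventory_csv))}
    seen = {}
    for row in csv.DictReader(io.StringIO(observed_csv)):
        mac = normalize_mac(row["mac"])
        when = datetime.fromisoformat(row["last_seen"])
        if mac not in seen or when > seen[mac][1]:
            seen[mac] = (row["ip"], when)   # keep the most recent sighting
    # On the network but never registered: needs vetting by security staff.
    unregistered = sorted((mac, ip) for mac, (ip, _) in seen.items()
                          if mac not in inventory)
    # Registered but absent or long unseen: the record may be out of date.
    stale = sorted(host for mac, host in inventory.items()
                   if mac not in seen or now - seen[mac][1] > stale_after)
    return {"unregistered": unregistered, "stale": stale}


if __name__ == "__main__":
    print(reconcile(INVENTORY_CSV, OBSERVED_CSV, datetime(2019, 6, 21)))
```

Normalizing the MAC format before comparing matters here: the same device written three different ways would otherwise show up as both unregistered and stale.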
We think that the NASA JPL hack and the resulting OIG report are a perfect case study in showing why asset management matters for cybersecurity. Rather than just speaking academically about a cybersecurity problem, this is a rare case when the objective facts are shared publicly and recommendations are given by a third party in report form.
Though I’m sure it isn’t beach reading for most, I’d highly recommend taking a look at the OIG’s report.