
May 24, 2018

NASA Cybersecurity Nightmare: What Every Business Can Learn

The NASA CIO planned to develop and begin implementing an agency-wide cybersecurity strategy by September 2016, but investigators said no such plan has been drafted yet. NASA’s CIO told GAO the agency will soon begin rolling out a strategy based on the National Institute of Standards and Technology’s cybersecurity framework but didn't give timelines for the initiative.

The NASA Inspector General also highlighted numerous shortcomings in the Security Operations Center, which was founded in 2007 with the intent of becoming the agency’s “cybersecurity nerve center.”

“Due in part to the Agency’s failure to develop an effective IT governance structure, the lack of necessary authorities, and frequent turnover in CIO leadership, these shortcomings have detrimentally affected SOC operations, limiting its ability to coordinate the agency’s IT security oversight and develop new capabilities to address emerging cyber threats,” the IG wrote.

In a separate report, auditors found NASA officials often failed to evaluate the cybersecurity risks of the technology the agency purchased, and when they did, the assessment was less than thorough.

Every business, whether it is located in financial hotspots like New York, Connecticut and New Jersey or anywhere else, can learn a great deal from NASA. The space agency spends $1.4 billion per year on IT, but it didn’t focus on doing cybersecurity correctly from the beginning, leading to problems down the road.

Here are just a few more of these issues:

1) There is also an ineffective management structure: the security operations center (SOC) lacks a charter outlining its authorities and responsibilities.

2) NASA has not established, through agency policy or other designation, the SOC’s authority to manage information security incident detection and remediation oversight for the entirety of NASA’s IT infrastructure.

3) Cybersecurity is siloed, and Mission Directorates lack any formal agreements to ensure, at a minimum, that passive network monitoring, log collection, and analysis are taking place. This problem was pointed out in 2012 but still hasn’t been resolved.

4) The agency is also not abiding by government cybersecurity best practices.

5) For example, it was pointed out in 2013 that NASA is relying on personal relationships rather than formal procedures for IT decision-making.

6) The SOC is not managed as an activity or a program.

7) The SOC has had limited visibility into or, in many cases, knowledge of critical Mission Directorate IT assets. MITRE and the SANS Institute suggest that visibility into system data and networks is key to understanding how systems and networks are connected, monitoring their network traffic activity, and prioritizing SOC resources and capabilities based on risk across the architecture.

8) The SOC does not have access to critical logs and other IT security information, hindering its ability to correlate data to identify similarities and relationships.

9) NASA does not have a policy that identifies which devices or software should capture logs, the types of logs that should be captured, or the amount of time these logs should be retained. Logging information is a critical piece of evidence to determine whether a security event actually occurred and, if so, provide details to assist in mitigating and preventing future similar events. Comparing logs from a variety of sources helps to reconstruct the chain of events of an incident or anomalous activity.

10) The SOC’s data storage capacity for its Security Information and Event Management (SIEM) platform reached full capacity at 12 terabytes as of October 2017, and the SOC Operations Manager informed us that the capacity needs to increase to at least 25 terabytes to meet future requirements.

To say the agency is a cybersecurity nightmare would be a huge understatement. It is obvious that security and protection from hackers have been an afterthought. Policy and purchasing have been driven by friendships and acquaintances rather than by spending taxpayer money wisely to select the best vendors and solutions.

What every organization can learn is that cybersecurity needs to be addressed from the ground up.

For example:

  • Is your top management on board? We have seen CFOs halt spending on cybersecurity – thinking the company will “chance it.”
  • Are your own employees putting your data at risk?
  • Is cybersecurity education taking place in your company or government agency?
  • Are you testing systems to ensure you aren’t forced to pay a ransomware ransom? Hackers have found ways to intercept these payments, meaning that paying is riskier than ever.
  • Do you know the City of Atlanta was brought to its knees thanks to ransomware with systems out for more than a month and millions of dollars of damage? Are you taking the threat seriously?
  • Are your computers, operating systems and software being patched frequently? If not, you are a sitting duck as hackers learn about unprotected systems when vendors release patches. The longer your company waits, the more vulnerable you are.
  • Experts are warning that Iran will be attacking U.S. business at an alarming rate. Are you prepared?
  • Do your employees know the basics of physical security such as not placing a memory stick from an unknown (or perhaps even known) source into their computers?
  • We told you in 2017 that 2018 would be worse for cybersecurity and, sadly, we were right, as the trend line still points upwards.

Companies have a great deal on their plates. The best thing they can do is to contract a reputable MSP or MSSP who can help them with creating a cybersecurity culture in their organization. Frequent cybersecurity training is a great start.

Companies also need to have their systems audited and documented by an outside organization, have penetration tests performed regularly, and run anomaly detection continuously. A backup appliance for business continuity needs to be running, with duplicate copies on-premises and in the cloud.

This is the time to take stock of the situation that all businesses are in. We are all vulnerable and need experts to help shore up our systems to protect them from threats which grow by the day.

The ROI you will achieve is greater profitability from not having a breach take place in your organization. Buying the alarm system after the break-in still makes sense but it makes a lot more sense to do it before the initial incident.

To ensure an organization is safe, even if it has internal IT, it needs to hire an experienced MSP or MSSP like Apex Technology Services. The company acts as an outsourced CISO and has experience helping numerous financial companies including the Fortune 200.






