Someone repeatedly compromised NASA servers
This isn’t going to improve NASA’s FISMA scorecard rating for 2018.
On Tuesday, December 18, 2018, Bob Gibbs, Assistant Administrator, Office of the Chief Human Capital Officer, sent an agency-wide message to the 17,000+ NASA employees, according to SpaceRef, which posted the memo on their site.
On Oct. 23, 2018, NASA cybersecurity personnel began investigating a possible compromise of NASA servers where personally identifiable information (PII) was stored. After initial analysis, NASA determined that information from one of the servers containing Social Security numbers and other PII data of current and former NASA employees may have been compromised.
Upon discovery of the incidents, NASA cybersecurity personnel took immediate action to secure the servers and the data contained within. NASA and its Federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals. This process will take time. The ongoing investigation is a top agency priority, with senior leadership actively involved. NASA does not believe that any Agency missions were jeopardized by the cyber incidents.
NASA Civil Service employees who were on-boarded, separated from the agency, and/or transferred between Centers, from July 2006 to October 2018, may have been affected.
NASA employees should be counting their lucky stars that this doesn’t happen more often. In 2016, NASA’s Office of Inspector General found that NASA lacks a mature cyber program, earning a score of 27 out of 100 under the Office of Management and Budget’s and DHS’ five-step maturity model.
The Office of Inspector General’s 2017 report, Federal Information Security Modernization Act: Fiscal Year 2017 Evaluation of NASA, came to the conclusion that…
Despite progress made to address previously identified weaknesses related to its cybersecurity program, we concluded that NASA, based on the results of our current review, has not implemented an effective information technology security program. Further, without implementing additional improvements to ensure that NIST requirements are implemented, the Agency may lose ground in its efforts to address the challenges in a rapidly evolving cybersecurity landscape. To strengthen its information security program, we believe the Agency should continue its initiatives in each of the seven IG FISMA domains.
- Risk Management. Strengthen the enterprise architecture risk management framework by closing the gap between mission systems and inventory, and complete the transition to RISCS.
- Configuration Management. Augment secure configuration settings, improve hardware and software asset management, and remediate configuration-related vulnerabilities including unsupported operating systems.
- Identity and Access Management. Increase the use of PIV authentication for unprivileged users.
- Security Training. Complete applicable role-based training for personnel with significant security responsibilities.
- Continuous Monitoring. Develop a comprehensive continuous monitoring strategy for automatic hardware and software inventory detection and data exfiltration defense capabilities.
- Incident Response. Bridge the gap between reactive and proactive intelligence gathering and analysis techniques.
- Contingency Planning.
Finally, we are concerned that many recommended corrective actions from prior FISMA and other IT-related reviews remain open after more than a year. We urge a renewed Agency commitment to addressing our previous recommendations given the constant and growing cybersecurity threats. Although this memorandum made no specific recommendations to NASA, management provided a brief response that is reproduced in Enclosure V. Technical comments provided by management have been incorporated, as appropriate.
Sadly, it’s easier to blame this all on aliens.
The DoD Cybersecurity Policy Chart
By William Knowles @c4i
Senior Editor
InfoSec News
November 11, 2018
Updated January 8, 2019
The goal of the DoD Cybersecurity Policy Chart, developed by the Cyber Security and Information Systems Information Analysis Center (CSIAC), is to capture the tremendous breadth of applicable policies, of which many cybersecurity professionals may not even be aware, in a helpful organizational scheme. The use of color, fonts, and hyperlinks is designed to provide additional assistance to cybersecurity professionals navigating their way through policy issues in order to defend their networks, systems, and data.
At the bottom center of the chart is a legend that identifies the originator of each policy by a color-coding scheme. On the right-hand side of the Cybersecurity Policy Chart, there are boxes, which identify key legal authorities, federal/national level Cybersecurity policies, and operational and subordinate level documents that provide details on defending the DoD Information Network (DoDIN) and its assets. Links to these documents can be found in the Chart.
Click on the image above to download an interactive .pdf copy of the DoD Cybersecurity Policy Chart. The chart was last updated on January 7, 2019. View the changelog here.
DerbyCon 8 Videos are online!
By William Knowles @c4i
Senior Editor
InfoSec News
October 18, 2018
Adrian/@irongeek_adc has uploaded all the presentations from DerbyCon VIII here and at Archive.org to download. DerbyCon was held at the Marriott Louisville on October 3rd through the 7th, 2018. Dates for DerbyCon 9 have been announced: training dates are September 18th and 19th, 2019, with the conference again to be held at the Marriott Louisville September 20th to 22nd, 2019.
InfoSec News is at DEF CON 26!
By William Knowles @c4i
Senior Editor
InfoSec News
August 11, 2018
After a nearly 30-month break from running InfoSec News continuously for fourteen years, I will be doing a soft re-opening in the next week or so as we hammer out all the little fixes (like forcing https!) that have been hounding the site. A future post will go into greater detail about the sabbatical from running InfoSec News and what lies in the future. In the meantime, I am handing out InfoSec News stickers and globe beach balls around DEF CON 26, as you ‘might’ have received one at the DEF CON 26 Hacker Jeopardy finals tonight and were curious what this site is about.