NASA revealed today that it was hacked earlier this year. In an internal memo sent to all employees, the agency said that an unknown intruder gained access to one of its servers storing the personal data of current and former employees. Social Security numbers were also compromised, NASA said.
The agency said it discovered the hack on October 23, almost two months ago. It is unclear why the agency waited nearly two months to notify employees, but it is common for US law enforcement to ask hacked organizations to delay notifying affected victims while they investigate an incident.
Commenting on the news, how NASA employees might be affected, and how the breach could have been avoided is Paul Walker, technical director at One Identity.
Expert Comments below:
Paul Walker, Technical Director at One Identity:
A keyword that is used in the NASA memo is the word “unknown.” Computer systems authenticate and authorise access to people and other “things,” such as other software, bots and machines. The trick here is to know what, or who, is requesting access and to what information are they requesting access to? The word “unknown” within the memo is worrying. Was this someone on the inside at NASA? Or was it a state actor from a potentially hostile foreign state? Who knows what the “unknown” hackers will do with the information but, given past breaches, it’s highly likely that it will end up for sale on the dark web. The affected NASA employees may find themselves at risk of social engineering, unwanted advertising or other potentially fraudulent risks.
If NASA had implemented basic advice from the National Institute of Standards and Technology (NIST) – who have a close relationship with various U.S. Government Administrations – then this breach may not have happened. As the NIST states, using MFA helps by adding an additional layer of security, making it harder for the bad guys to get in. With regard to the individuals that are requesting access, it’s all about risk mitigation. How confident are we that the person (or thing) requesting access is who they (or it) claims they are? Moreover, what are they doing with the access they’ve been given?
I would recommend that an organisation like NASA takes further action than simply implementing MFA on top of the usual password. For example, using a layered approach including password vaulting, automatic recording of access (including MFA) as well as real time behavioural analysis and alerting, would better protect NASA’s network, and employee data, from being compromised in the future.”