The Tale Of The NASA Pi


NASA has been breached with an unauthorised Raspberry Pi. You could be forgiven for thinking, well, if “NASA” can’t get it right, how can I? It must be harder than rocket science!

Let’s not beat around the bush. Cyber Security can be tricky.

However, looking at the audit report, NASA got a lot of basic things wrong for an organisation that would be a huge target. The IP these guys would hold, let alone the status for breaching such a big name, would be huge.

Clearly they didn’t have the ability to detect rogue devices, quickly report on abnormal network traffic and, from the report, adequately patch network devices to prevent lateral movement. These are all risks that have well-known and efficient remedies. However, I suspect that, as with many organisations we help, the problem starts from the top.

Management have allowed engineers and IT teams to manage the environment rather than creating strong cyber leadership (not IT), policies, procedures and alerting systems to ensure compliance with requirements.

Too often we see boards allow total freedom and creative license to engineers and IT professionals; however, they are not properly educated or tooled to understand and engage risk.

More often than not, when we get called to assist during a post-breach event, the management advise us that “IT were looking after security”.

Just as we in the industry are realising that Cyber Security is a diverse problem that requires diverse thinking to solve, so must organisations learn that security is an organisational problem.

Asking IT to include security within their budget is often the first step towards disaster and communications breakdown during a cyber incident.

Now, I’m a long-time IT professional, so it’s OK for me to say this… we in IT have never been known for our amazing social and interpersonal skills. So why in God’s name would you want us talking to the media or senior executives in a time of crisis?

Proper leadership for cyber requires a diverse-thinking risk team to first assess risks and identify key assets such as data, IP, functions and people. Only then can we mandate and create proper policies and advise our IT teams about effective controls and KPIs, such as an advanced security operations center, to protect environments.

Without this top-down approach to Cyber, I’m sure glad I’m not an astronaut today, floating around in space with who knows what code lurking around my life support systems.

 

– Bastien Treptel, Founder, CTRL Group