"JPL uses its Information Technology Security Database (ITSDB) to track and manage physical assets and applications on its network; however, we found the database inventory incomplete and inaccurate, placing at risk JPL's ability to effectively monitor, report, and respond to security incidents". This was confirmed by a recent report, which found that a NASA lab was hacked using a Raspberry Pi.
NASA stated that the hackers used a basic, build-it-yourself computer to attack two of the Jet Propulsion Laboratory's main networks and steal around 500 megabytes of data from 23 files. The hackers used this to their advantage, exploiting the Pi to gain access to the network and compromising JPL systems as well as the Deep Space Network (DSN).
A $25 Raspberry Pi is not in itself a nefarious device, just as flash drives are not in themselves nefarious devices.
The report also claims that JPL had not "provided role-based security training or funded IT security certifications for its system administrators".
"The device should not have been permitted on the JPL network without the JPL OCIO's review and approval", the OIG said.
As a result, hackers were able to move freely between the different systems within the network, because the network was a shared one rather than a segmented environment. The report also highlighted the major security lapses that had been present in NASA's network for about a decade and made the breach possible. JPL is also responsible for operating NASA's Deep Space Network.
In addition to JPL having reduced visibility into devices connected to its network and not keeping the various parts of its network separate, investigators also found cases of security tickets not being resolved for extended periods of time.
The OIG recommended a fix for all those issues, and NASA agreed to all of them except one: establishing a formal threat-hunting process to find flaws before they even cause issues.