National Aeronautics and Space Administration IT Talk October - December 2018 Volume 8 • Issue 4 Don’t let data... slip through your fingers www.nasa.gov IT Talk In this Issue Oct - Dec 2018 Volume 8 • Issue 4 Office of the CIO NASA Headquarters 300 E Street, SW Message Washington, D.C. 20546 3 from the CIO Chief Information Officer Renee Wynn Editor & Publication Manager Eldora Valentine Graphic & Web Designer Michael Porterfield Cybersecurity Copy Editor 4 @Home Meredith Isaacs Don't Let Data IT Talk is an official publication of the Slip Through Office of the Chief Information Officer 6 Your Fingers of the National Aeronautics and Space Administration, Headquarters, Washington, D.C. It is published by the OCIO office for all NASA employees and external audiences. Cybersecurity For distribution questions or to suggest a story idea, email: and You: A Day [email protected] 9 in the Life To read IT Talk online visit: www.nasa.gov/offices/ocio/ittalk For more info on the OCIO: v www.nasa.gov/ocio v inside.nasa.gov/ocio JPL Open (Internal NASA network only) Source Rover v www.nasa.gov/open/ 13 www.facebook.com/NASAcio Message from the NASA CIO All of us need to do our part to ensure that our personal and work online lives are kept safe and secure. Everyone needs to remain diligent about protecting themselves from hackers and privacy breaches. Scammers of all sorts bombard us through pop-ups, viruses, phishing e-mails, and even phone calls. NASA works around the clock to protect mission and corporate systems, Agency data, and sensitive information. And protection of NASA’s data through better management of our IT footprint is a critical step in protecting NASA. Our annual cybersecurity training is intended to reinforce the importance of your role in protecting NASA’s data. National Cybersecurity Awareness Month is an annual designation observed in October. I’m asking everyone to be more cautious and take steps to protect themselves. • Be aware of phishing e-mails and do not click on unfamiliar links. • Do not send classified, sensitive but unclassified, or otherwise confidential information unencrypted through e-mail. • Choose passwords that are strong, long, easy to remember, and hard for others to guess. • Shut down, hibernate, or lock your laptop every night and whenever you take it out of the building. • Lock all mobile items overnight. • Don’t leave devices unattended in public places. • Avoid leaving devices in vehicles for long periods; short-term, they may be locked in trunks. Never leave them exposed in a parked car! • Encrypt all files that contain Personally Identifiable Information (PII). • And on a personal note, when using social networks, use the privacy settings to protect your personal information. We have some great information in this issue to help you protect yourself and your organization against cyber threats. I hope you enjoy reading this quarter’s issue. OCIO and Center CIO leadership visiting Glenn Research Center in Cleveland, OH on August 6-10, 2018. NASA OCIO IT Talk Oct - Dec 2018 3 Cybersecurity@Home By Meredith Isaacs, Communications Specialist, NASA Headquarters Cybersecurity awareness is essen- see a slow device, the collective bot- • Disable “remote access” tial at work and at home—following net can be used to overwhelm a Web on your router and com- online best practices should be part site or servers with requests. Keep plete software updates. of your whole day. But many of us your equipment from participating by do not have cybersecurity experts at protecting all networked devices. • Passwords lacking complex- home to set protections and guard ity and containing dictionary our information from unauthorized Unfortunately, there are a number words are easy to break. Com- access or loss, making our home of ways to be vulnerable at home: plex passwords and pass- networks and devices less secure. Are firewalls enabled? Do you run phrases are stronger. You can Recently, Carl Willis-Ford, Senior antivirus or anti-malware software also use a password manager. Solution Architect for Federal Health on your computer? How many items Systems, shared vulnerabilities and in your home are connected to the • Use whole-disk encryp- tips with NASA employees interested Internet? Where do you download tion for your computer; Win- in improving their home cybersecurity. apps? Do you reuse passwords? dows comes with BitLocker, while Apple has FileVault. Most homes have a number of Internet- According to Willis-Ford, there are sev- connected devices, as well as the eral simple steps you can take to pro- • Update your operating system equipment furnished by your Internet tect your home network and devices. and applications when prompted. service provider (ISP), including home assistants (like Amazon Echo or Google • Change the default Wi-Fi • Be a smart surfer and keep an Home), streaming devices (Roku, router and administrative eye out for potential traps like Chromecast, or Apple TV), appliances account passwords. phishing scams (fraudulent e- (thermostat, refrigerator, or printer), and mails trying to get you to send mobile devices (laptops, smartphones, • Ensure that the WPA2 security personal information or click or tablets). Each has its own cyber- protocol is enabled for Wi-Fi, re- nefarious links), fake deals, security vulnerabilities, in addition to quiring a password to connect. and scareware (phony pop- those from your own Internet activities. ups saying you are infected). • Enable firewalls for comput- For home users, cyber criminals are ers, devices, and routers. Your Follow these simple recommendations most interested in using your device ISP does not need those dis- to step up your home cybersecurity! in a botnet attack. While you may only abled to provide service. NASA Administrator Jim Bridenstine made a special appearance at an Information Technology Council meeting on July 24, 2018. 4 www.nasa.gov Cybersecurity & Cloud Computing By Anthony Flores, John Gordon, and Odom Ouk NASA IT Ops/Cybersecurity Pathway Interns “Nobody understands the cloud; it’s a mystery!” —Jason Segel, Actor Though it is ubiquitous these days, “the What does this mean for you cloud” can still be a concept as disconcert- as a NASA employee? ing in its unseen nature as it is admired for We are happy to inform you that NASA, its proven value. With its ever-increasing like all other Federal agencies, is currently relevance over the past decade, the term now undergoing a large shift toward the use of What To Expect attracts reactions from reverent admiration, cloud-based services. Some of the benefits to eye-rolls, to cautionary tales of anonymous offered by a cloud environment include exploitation. Cloud computing continues to increased agility, security, and scalability. with O365 be a game-changer that can exponentially However, agencies must still be able to identify improve how enterprises operate and pave and apply procedures to secure mission- By Emily Townsend, EUSO Communica- the way for future advances. However, as with critical cloud-based assets in alignment with tions Lead, Marshall Space Flight Center any young technology, it faces a challenge agency policies and compliance consider- in terms of its acceptance within established ations that accompany this cloud shift—the NASA has begun migrating early adopt- enterprises such as NASA—what is it, how cloud and you have a role in this change. ers to Office 365. This migration is im- does it work, and how secure is it really? portant for the agency. It is key to trans- What can I do to operate securely within forming and improving our customer What is the cloud? cloud environments while at work? experience, modernizing our IT systems, The National Institute of Standards and • Only use cloud services that you know and staying up-to-date with industry. Technology (NIST) defines cloud computing are approved for NASA use. If you are O365 provides the Agency with modern, as “a model for enabling convenient, on- not sure, check first with your Cen- innovative, and collaborative technolo- demand network access to a shared pool of ter’s Cybersecurity organization. gy, and allows our customers increased configurable computing resources that can be • Do not use personal cloud accounts mailbox sizes, online storage capabil- rapidly provisioned and released with mini- to store or process NASA data. ities with OneDrive, and larger atten- mal management effort or service provider • Understand the sensitivity of your dance per Skype meeting. interaction.” For instance, Office 365 provides information and do not store or process standard Microsoft Office applications that information using cloud services that Initially, NASA will implement Outlook, can be conveniently accessed in the cloud as are not suitable for the type of informa- Skype, OneNote, and OneDrive (which software as a service (SaaS) applications, re- tion with which you are working. includes personal storage and file sync lieving NASA of much of the burden (capacity • Make sure you fully understand the and share within NASA). In the mean- management, maintenance, etc.) of operat- information provided in the cloud-based time, other parts of Microsoft Office (i.e., ing its own e-mail servers and other related segments of FY 2019’s mandatory an- Word, Excel, Access, and PowerPoint) services, thereby allowing NASA to focus on nual Cybersecurity training—it will help will continue to function as they do to- its core mission: exploration and discovery. you ensure that your cloud use is safe day. Other O365 features, including ad- and NASA interests are protected. ditional collaboration capabilities, will Why do I need to know this? roll out in spring 2019. The increase in security breaches and data Most organizations hold a wealth of sensi- theft has urged business leaders to seek vi- tive information, and the astronomical All NASA e-mail–enabled customers able cybersecurity solutions, one of which is volume of data constantly in transit to the will receive an Office 365 account.