NASA audit warns of "catastrophic" consequences from lax information security

The OIG audit found that six computer servers on NASA's agency-wide network, which control NASA spacecraft and contain critical data, had vulnerabilities that could allow a remote attacker to take control of them or render them unavailable.

“Moreover, once inside the agency-wide mission network, the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA’s operations”, the audit warned.

The OIG also found that attackers could obtain encryption keys, encrypted passwords, and user account information from network servers.

“These deficiencies occurred because NASA had not fully assessed and mitigated risks to its agency-wide mission network and was slow to assign responsibility for IT security oversight to ensure the network was adequately protected”, the report stressed.

An OIG audit in May 2010 found similar information security problems at the agency. That audit recommended that NASA establish an information security oversight program, a recommendation with which the agency concurred.

The 2011 audit observed that NASA had yet to set up the program. “Until NASA addresses critical deficiencies and improves its IT security practices, the agency is vulnerable to computer incidents that could have a severe to catastrophic effect on agency assets, operations, and personnel.”

The OIG recommended that NASA’s chief information officer (CIO) implement the May 2010 recommendations, identify internet-accessible computers on its networks and mitigate the risks those computers pose, and conduct an agency-wide information security risk assessment. NASA CIO Linda Cureton concurred with the recommendations.

In September 2010, an OIG audit found that many of the information security plans for 29 agency and contractor systems at NASA failed to meet the IT security requirements of the Federal Information Security Management Act (FISMA). That audit recommended establishing an independent verification and validation function to ensure that the agency met all FISMA requirements.