NASA audit warns of "catastrophic" consequences from lax information security

The OIG audit found six computer servers on NASA's agency-wide network that control NASA spacecraft and contain critical data had vulnerabilities that could allow a remote attacker to take control of or render them unavailable.

“Moreover, once inside the agency-wide mission network, the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA’s operations”, the audit warned.

The OIG also found that attackers could obtain encryption keys, encrypted passwords, and user account information from network servers.

“These deficiencies occurred because NASA had not fully assessed and mitigated risks to its agency-wide mission network and was slow to assign responsibility for IT security oversight to ensure the network was adequately protected”, the report stressed.

An OIG audit in May 2010 found similar information security problems at the agency. That audit recommended that NASA establish an information security oversight program, a recommendation with which the agency concurred.

The 2011 audit observed that NASA had yet to set up the program. “Until NASA addresses critical deficiencies and improves its IT security practices, the agency is vulnerable to computer incidents that could have a severe to catastrophic effect on agency assets, operations, and personnel.”

The OIG recommended that NASA’s chief information officer (CIO) implement the May 2010 recommendations, as well as identify internet-accessible computers on its networks and mitigate the risks posed by these computers and conduct an agency-wide information security risk assessment. NASA CIO Linda Cureton concurred with the recommendations.

In September 2010, an OIG audit found that many of the information security plans of 29 agency and contractor systems at NASA failed to meet IT security requirements of the Federal Information Security Management Act (FISMA). In that audit, the audit recommended establishing an independent verification and validation function to ensure that all FISMA requirements were met by the agency.

NASA audit warns of "catastrophic" consequences from lax information security

You may also like

Nuclear regulator slow in correcting information security vulnerabilities, says audit

IRS continues to drag feet on fixing information security gaps, GAO says

NASA flunks cybersecurity audit

Security Vendors and Their Technology: Working Better, Together

Federal Election Commission Faces Serious Security Failings, with Few Plans to Remedy

What’s hot on Infosecurity Magazine?

Russian Sandworm Group Hit 20 Ukrainian Energy and Water Sites

US Imposes Visa Restrictions on Alleged Spyware Figures

How to Backup and Restore Database in SQL Server

End-to-End Encryption Sparks Concerns Among EU Law Enforcement

Millions of Americans' Data Potentially Exposed in Change Healthcare Hack

Alarming Decline in Cybersecurity Job Postings in the US

North Korean Group Kimsuky Exploits DMARC and Web Beacons

Cybersecurity Pros Urge US Congress to Help NIST Restore NVD Operation

Russian Sandworm Group Hit 20 Ukrainian Energy and Water Sites

Dependency Confusion Vulnerability Found in Apache Project

Report Suggests 93% of Breaches Lead to Downtime and Data Loss

NIST Unveils New Consortium to Operate National Vulnerability Database

Incident Response: Four Key Cybersecurity Measures to Protect Your Business

Is MFA Enough? Strategies for Next-Level Identity Security in 2024

Disinformation Defense: Protecting Businesses from the New Wave of AI-Powered Cyber Threats

Navigating the Evolving Cybersecurity Compliance Landscape in 2024

Adapting to Tomorrow's Threat Landscape: AI's Role in Cybersecurity and Security Operations in 2024

Securing APIs in the Cloud Frontier

Infosecurity Magazine Spring Online Summit 2024: Day One

Infosecurity Magazine Spring Online Summit 2024: Day Two

Russia’s Midnight Blizzard Accesses Microsoft Source Code

I-Soon GitHub Leak: What Cyber Experts Learned About Chinese Cyber Espionage

LockBit Takedown: What You Need to Know about Operation Cronos

Women in Cybersecurity at Infosecurity Europe 2024