October 20th, 2009

GAO report: NASA at 'high risk' of data breach

Posted by Ryan Naraine @ 5:29 am

Categories: Anti Virus, Arbitrary Code Execution, Botnets, Complex Attacks, Data theft, Exploit code, Locally Running Web Servers, Passwords, Patch Watch, Pen testing, Punditocracy, Responsible disclosure

Tags: NASA, General Accounting Office, Auditor, Security, Strategy, Management, Ryan Naraine

The U.S. Government Accountability Office (GAO) has painted a bleak picture of NASA’s IT security posture.

An audit of the space agency’s computer systems found weaknesses in several critical areas, especially in the way NASA implemented access controls like user accounts, passwords and the encryption of sensitive data.

Here’s the gist of the GAO audit findings:

[NASA] did not always sufficiently identify and authenticate users, restrict user access to systems, encrypt network services and data, protect network boundaries, audit and monitor computer-related events, and physically protect its information technology resources. In addition, weaknesses existed in other controls to appropriately segregate incompatible duties and manage system configurations and implement patches. A key reason for these weaknesses is that NASA has not yet fully implemented key activities of its information security program to ensure that controls are appropriately designed and operating effectively.

Specifically, it has not always fully assessed information security risks; fully developed and documented security policies and procedures; included key information in security plans; conducted comprehensive tests and evaluation of its information system controls; tracked the status of plans to remedy known weaknesses; planned for contingencies and disruptions in service; maintained capabilities to detect, report, and respond to security incidents; and incorporated important security requirements in its contract with the Jet Propulsion Laboratory.

The auditors warned that highly sensitive personal, scientific, and other data were at an “increased risk” of unauthorized use, modification, or disclosure.

The scathing report comes on the heels of hacking incidents that have haunted NASA, an independent government agency that manages aviation and space flight. Between 2007 and 2008, NASA reported 1,120 security incidents that have resulted in the installation of malicious software on its systems and unauthorized access to sensitive information.

* Here’s the GAO report [PDF]

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.


  • Talkback
  • Most Recent of 10 Talkback(s)
RE: GAO report: NASA at 'high risk' of data breach
Meh, I prob should not have posted that. I thought it would be moderated. That's definitely too much detail. Can a mod delete my last post?...
Posted by: ThePhilosopher Posted on: 10/26/09
What kind of 'sensitive data' would they have?  Lerianis10 | 10/20/09
I would say....  daMan25 | 10/20/09
Much of what they develop and learn  GuidingLight | 10/20/09
They know where the aliens are kept.  James T. Kirk | 10/20/09
That's great!  macadam | 10/20/09
Well...  zkiwi | 10/20/09
STS-53 for example  bearlyworking | 10/20/09
RE: GAO report: NASA at 'high risk' of data breach  seannj427 | 10/20/09
RE: GAO report: NASA at 'high risk' of data breach  ThePhilosopher | 10/26/09
RE: GAO report: NASA at 'high risk' of data breach  ThePhilosopher | 10/26/09
