Security gurus from the Government Accountability Office (GAO) have released a 53-page report pretty much ripping the space agency’s network security strategy, stating that NASA has significant problems protecting the confidentiality, integrity, and availability of the information and the variety of networks supporting its mission centers.
The report lays out the facts: NASA did not consistently implement effective controls to prevent, limit, and detect unauthorized access to its networks and systems.
NASA did not follow all the normal security practices, like authenticating users; restricting user access to systems; encrypting network data and services; protecting network boundaries; and monitoring computer-related events… NASA networks and systems have been successfully targeted by cyber attacks 1,120 times in the past two years. All of this despite the fact that the agency’s IT budget in fiscal year 2009 was $1.6 billion, of which $15 million was dedicated to IT security.
NASA relies on computer networks and systems to collect, access, or process a significant amount of data that requires protection, including data considered mission-critical, proprietary, and/or sensitive but unclassified information.
Some of the issues the GAO found included:
• One center reported the theft of a laptop containing data subject to International Traffic in Arms Regulations. Stolen data included roughly 3,000 files of unencrypted International Traffic in Arms Regulations data.
• NASA did not configure certain systems and networks at two centers to have complex passwords. Specifically, these systems and networks did not always require users to create long passwords.
• Although NASA has implemented cryptography, it was not always sufficient or used in transmitting sensitive information.
• Although NASA had employed controls to segregate sensitive areas of its networks and protect them from intrusion, it did not always adequately control the logical and physical boundaries protecting its information and systems.
• A few other malicious activities involving its servers, which had been in play for months.
In response to the GAO report, NASA said many of the recommendations are currently being implemented as part of an ongoing strategic effort to improve information technology management and IT security program deficiencies. Although the IT security posture at NASA has significantly improved over the last three years, NASA recognizes there are still significant gaps that will require increased management attention and more time to alleviate, NASA stated.
The GAO doesn’t like a whole lot of what it sees at NASA. Just last month it issued another harsh report on the future of the manned space flight program.
Rocket Science with Holes?
This is not the first time NASA has been questioned on security. This brings up a strange irony: security is no rocket science, but the guys who do the real rocket science are aliens to security. They do big things, forgetting the small and important ones.
What do you think? Where is NASA heading by not caring much about security aspects?