NASA still falling short on IT security

A review by a NASA inspector general finds the space agency needs to improve

Unencrypted laptops, unpatched software and advanced attacks from hackers are putting US technical know-how at risk if NASA doesn't take a stronger IT security stance, according to a report released by the agency's inspector general.

NASA is a regular target of cyber attacks due to its more than 550 systems that house "information highly sought after by criminals," wrote NASA Inspector General Paul K. Martin.

Martin's testimony before a subcommittee of the House Committee on Science, Space and Technology summarized previous Inspector General audits of NASA IT security and made recommendations for the space agency.

NASA reported 5408 computer security incidents in 2010 and 2011 that resulted in either malicious software installed on its systems or unauthorized intrusions, Martin wrote.

The resulting theft of export-controlled data and other information cost the agency more than US$7 million, Martin wrote.

"NASA needs to improve agency-wide oversight of the full range of its IT assets," he wrote.

One problem area: laptops. As of the beginning of this month, only 1 per cent of NASA's laptops and portable devices were encrypted. Between April 2009 and April 2011, 48 mobile computing devices with sensitive data were stolen or lost, the report said.

In another area of weakness, only 24 per cent of applicable computers on a mission network were monitored for critical software patches, the report said. Only 62 per cent were monitored for technical vulnerabilities, according to an Inspector General audit from May 2010.

In fiscal 2011, NASA was also targeted by 47 "advance persistent threats", or cyber attacks that seek to steal data while being undetected for a long period of time.

Thirteen of those attacks successfully compromised agency computers, Martin wrote. In one of those attacks, intruders stole credentials of more than 150 NASA employees, which could have been used to gain access to NASA systems.

Another attack, which originated from Chinese-based Internet Protocol (IP) addresses, targeted the Jet Propulsion Laboratory. In that attack, the intruders "gained full access to key JPL systems and sensitive user accounts."

"The attackers had full functional control over these networks," the report said.

In another area, auditors found that NASA failed to properly erase computers used for the Space Shuttle program before offering the machines for sale.

Investigators discovered "excessed hard drives in an unsecured dumpster accessible to the public at one center," the report said.

Register now for the ARN Security Forum 2013 on June 4 at the Sydney Mint

More about: ASA, etwork, NASA, Shuttle, Technology

Comments

Merlin

1

Unbelievable!
Maybe UN encrypted laptops are not a good idea.
It just infuriates me to know that we can not get our intellectual resource to support some common sence.
We need to demand that this does not ever happen again!
I do not think that is to much to expect!
Also this should have more news coverage than Whitney did.

Comments are now closed.
Related Whitepapers
Latest Stories
Community Comments
rhs_login_lockGet exclusive access to ARN's news, research and invitation only events.
ARN Distributor Directory
Find distributors by name | vendor | location
Channel Deals
/deals/adimex/2013-04-08_501_atto-sas-h680-cable-bundle
Adimex

ATTO SAS H680 + Cable Bundle

More details »
ARN Vendor Directory
Find vendors by name | category

iAsset is a channel management ecosystem that automates all major aspects of the entire sales,marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.