Watchdogs at the Government Accountability Office issued a 53-page report pretty much ripping the space agency’s network security strategy stating that NASA has significant problems protecting the confidentiality, integrity, and availability of the information and variety of networks supporting its mission centres.
Specifically, NASA did not consistently implement effective controls to prevent, limit, and detect unauthorised access to its networks and systems. The GAO said NASA did not identify and authenticate users; restrict user access to systems; encrypt network services and data; protect network boundaries; and t and monitor computer-related events. The GAO said NASA networks and systems have been successfully targeted by cyber attacks 1,120 times in the past two years. All of this despite the fact that the agency’s IT budget in fiscal year 2009 was $1.6 billion, of which $15 million was dedicated to IT security, the GAO stated.
Because NASA’s high profile and cutting edge technology makes it an attractive target for hackers seeking recognition, or for nation-state sponsored cyber spying. Thus, it is vital that attacks on NASA computer systems and networks are detected, resolved, and reported in a timely fashion and that the agency has effective security controls in place to minimise its vulnerability to such attacks, the GAO stated.
In addition an application for storing and sharing data such as computer-aided design and electrical drawings, and engineering documentation for Ares launch vehicles is being used by 7 agency data centres at 11 locations. Accordingly, effective information security controls are essential to ensuring that sensitive information is adequately protected from inadvertent or deliberate misuse, fraudulent use, improper disclosure or manipulation, and destruction, the GAO stated.
Some of the issues the GAO found included:
• One centre reported the theft of a laptop containing data subject to International Traffic in Arms Regulations. Stolen data included roughly 3,000 files of unencrypted International Traffic in Arms Regulations data with information for Hypersonic Wind Tunnel testing for the X-51 scramjet project and possibly personally identifiable information. Another centre reported the theft of a laptop containing thermal models, review documentation, test plans, test reports, and requirements documents pertaining to NASA’s Lunar Reconnaissance Orbiter and James Webb Space Telescope projects. The incident report does not indicate whether this lost data was unencrypted or encrypted or how the incident was resolved. Significantly, these were not isolated incidents since NASA reported 209 incidents of unauthorised access to US-CERT during fiscal years 2007 and 2008.
• NASA did not configure certain systems and networks at two centres to have complex passwords. Specifically, these systems and networks did not always require users to create long passwords. In addition, users did not need passwords to access certain network devices. Furthermore, encrypted password and network configuration files were not adequately protected, and passwords were not encrypted. As a result, increased risk exists that a malicious individual could guess or otherwise obtain user identification and passwords to gain network access to NASA systems and sensitive data.
• Although NASA has implemented cryptography, it was not always sufficient or used in transmitting sensitive information. For example, NASA centres did not always employ a robust encryption algorithm that complied with federal standards to encrypt sensitive information. The three centres we reviewed neither used encryption to protect certain network management connections, nor did they require encryption for authentication to certain internal services. Instead, the centres used unencrypted protocols to manage network devices, such as routers and switches.
• Although NASA had employed controls to segregate sensitive areas of its networks and protect them from intrusion, it did not always adequately control the logical and physical boundaries protecting its information and systems. For example, NASA centres did not adequately protect their workstations and laptops from intrusions through the use of host-based firewalls. Furthermore, firewalls at the centres did not provide adequate protection for the organisation’s networks, since they could be bypassed. In addition, the three centres had an e-mail server that allowed spoofed e-mail messages and potentially harmful attachments to be delivered to NASA. As a result, the hosts on these system networks were at increased risk of compromise or disruption from the other lower security networks.
• One centre was alerted by the NASA SOC in February 2009 about traffic associated with a Seneka Rootkit Bot.22 In this case, NASA found that 82 NASA devices had been communicating with a malicious server since January 2009. A review of the data revealed that most of these devices were communicating with a server in the Ukraine. By March 2009, three centres were also infected with the bot attack.
In the end the GAO made eight recommended actions for he NASA CIO to make including building and implementing comprehensive and physical risk assessments that include mission-related systems and applications and known vulnerabilities identified in the security plans and waivers. The GAO also said to implement an adequate incident detection program to include a consistent definition of an incident, incident roles and responsibilities, resources to operate the program, and business impacts of the incidents.
In response to the GAO report NASA in written comments concurred with the GAO’s recommendations and noted that many of the recommendations are currently being implemented as part of an ongoing strategic effort to improve information technology management and IT security programme deficiencies. Although the IT security posture at NASA has significantly improved over the last three years, NASA recognises there are still significant gaps that will require increased management attention and more time to alleviate, NASA stated.