NASA IT security vulnerability report

NASA seems to be having a lot of problems keeping its IT networks secure. Apparently, they are more porous than Swiss cheese. A report from the GAO (Government Accountability Office) states that NASA was hit with more malware than any other federal agency from 2007 through 2008.

Some of the issues highlighted in the report are:

  • NASA suffered 1120 security incidents in 2007 and 2008. These included malicious software and unauthorized access of sensitive information
  • Laptops with unencrypted data on a hypersonic scramjet prototype and documents containing information on NASA’s Lunar Reconnaissance Orbiter and the James Webb Space Telescope
  • 82 NASA computers became part of a Ukraine-based botnet after being infected with rootkits. These devices had been communicating with a malicious server since January 2009
  • Another 86 computers were infected by the Zoneback Trojan, which can disable security software and run other malicious software
  • A number of machines were infected with the Coreflood Trojan, which can steal user credentials

While NASA had documented security controls, they were not implemented consistently. Implementation of access controls, data encryption, password policies and user account permissions was patchy. Among the recommendations provided to improve the security situation was that NASA should patch all systems consistently.

I have written earlier on why identifying breaches is very difficult. In this case, it was compounded by the fact that NASA's internal testing and monitoring were not comprehensive. This means that someone could have stolen information, installed malware or done other malicious things and the organization would not be aware that it had been compromised.

Another point mentioned in the report is that security requirements were not written into the contracts that NASA executed with its vendors. This is something that even many ordinary commercial-sector organizations are insisting on these days.

NASA was also asked to educate employees on computer and internet security. But the most worrying thing is that NASA is expected to remain vulnerable for at least some time. This is because education takes time. Organizations cannot turn on a dime and NASA is no exception, irrespective of how bright the people there are. The issues here seem to be systemic, and once people get into bad habits, it is hard to break them.

The problem is compounded in this case by the fact that NASA deals with some bleeding edge technology that foreign powers (hostile and friendly) would love to lay their hands on. Hopefully, they will assign a very high priority to this and work towards making their networks secure.

The full report can be downloaded below.
GAO report to congressional committees