Earth to NASA...
I was working for TechTarget's SearchSecurity.com back then, and was writing a series called "Access (out of) control." As part of the project I interviewed William Likens, chief of application development and technology for NASA's Ames Research Center in Mountain View, Calif.
Likens left the agency shortly after the interview, but at the time we talked he spoke of a decentralized and fragmented network without much interfacing or centralization of systems from one division to the next.
To make matters worse, he told me, he had not seen a groundswell of support among managers to change things. One of the things he said floored me:
"We know when someone employed by NASA has left, but when you are dealing with contractors, it's much harder to know when they are gone," he said. It's a considerable security risk, he said, because people often retain access to systems, sometimes privileged access, after their work at NASA ends. It means orphaned accounts could be exploited not only to gain network access, but also to leverage sensitive network resources.
To be fair, that interview is just a snapshot in time. Likens had also told me about increasing efforts to tighten up access control despite the resistance, and back then you didn't see the paranoia over potential data breaches that you see today.
NASA ramped up its security efforts in the following years, but I always wondered if it would be enough.
Apparently not, according to a report from my colleague Tim Greene over at Network World. He writes:
Six NASA servers exposed to the Internet had critical vulnerabilities that could have endangered Space Shuttle, International Space Station and Hubble Telescope missions -- flaws that would have been found by a security oversight program the agency agreed to last year but hasn't yet implemented, according to a report by the agency's inspector general.
NASA's CIO Linda Cureton says she has patched the vulnerabilities, but IG Paul Martin found that NASA still has no ongoing program for spotting and correcting similar problems as they arise and is giving itself until the end of September just to come up with a plan, according to the report titled "Inadequate Security Practices Expose Key NASA Network to Cyber Attack." The deadline for the plan is Sept. 30.
Sobering stuff, indeed.
It's fortunate that the inspector general flagged these problems before something tragic happened.
Let's hope the agency gets a handle on its vulnerabilities before it's too late.
--Bill Brenner

