Tuesday, April 5, 2011

NASA Found Guilty of Sucking at Security!!!

On March 28, 2011 the Inspector General for NASA published a report detailing the  "Inadequate Security Practices" observed on NASA critical networks. The highlights include the following:
- Six Internet facing servers had critical vulnerabilities
- Exposed encryption keys
- Encrypted passwords
- User-account information 

I understand that vulnerability scanning and patching across a large enterprise can be a difficult task. Most government installations have a difficult time maintaining and managing their assets. I get it. But what is inexcusable is that this could have endangered "various missions, including controlling spacecraft like the International Space Station and conducting science missions like the Hubble Telescope." But wait, it gets worse! These flaws could have been prevented and "occurred because NASA had not fully assessed and mitigated risks to its Agency-wide mission network and was slow to assign responsibility for IT security oversight to ensure the network was adequately protected." This was something that was brought to their attention in May 2010!

Linda Y. Cureton, NASA CIO
NASA you've gone too far this time! In the days of APT and countless waves of spear phishing campaigns I cannot believe there are agencies out there who still don't have active vulnerability discovery and patching programs. NASA, there is no excuse for failing this miserably! Can somebody please get this organization some help?

2 comments:

  1. I probably already know the answer to this, but I'd imagine the odds that the point regarding the Internet facing services with critical vulns were NOT examined for signs of compromise are high.

    We patch, but don't take the time to examine our exposure time and see if anyone else noticed the hole.

    ReplyDelete
  2. Great point -1. If NASA doesn't have the ability to discover/patch patch their systems it's a safe bet they aren't proactively looking for compromises either :-(

    ReplyDelete