SAN FRANCISCO, 30 MARCH 2011 - An audit report from the Inspector General for NASA finds that the United States space agency has some serious computer and network security issues that could compromised missions, or even jeopardized lives on missions. How can an agency with the combined superior intellect to put a man on the moon fail at the relatively simple task of just patching a few servers?
The fact that an internal audit would produce a report titled "Inadequate Security Practices Expose Key NASA Network to Cyber Attack" is as embarrassing as it is concerning, and it is indicative of the broader issue of network security in general for all organizations. If RSA--which companies rely on for more secure authentication, and Comodo--which organizations rely on for SSL certificates to validate Websites, and NASA--a key United States government agency with crucial confidential data to safeguard--can't manage to lock things down, it leaves IT admins at average organizations shrugging their shoulders wondering what exactly they can do.
I asked some security experts to weigh in for some perspective on the NASA report. Tim 'TK' Keanini, CTO of nCircle, pointed out that security is a process, but it is apparently not a process that has been fine-tuned or received adequate attention at NASA.
Keanini commented, "Process maturity is domain specific and IT security is a 'new' domain to most mature organizations. This is not an excuse, it is just a reality," adding, "I'm certain that if NASA managed IT security with the same level of priority they use for their missions, this situation would not exist and we would be learning from their playbook."
Anup Ghosh, founder and chief scientist for Invincea, noted that events like the recent attacks against HBGary, RSA, and Comodo, and this audit report from NASA might lead IT admins to ask: "If it is happening to organizations like these, can it happen to us?" But, Ghosh says the better question to ask is: "If it is happening to the top security companies, is it happening everywhere?" Ghosh volunteers the answer to that question, saying it is undoubtedly "yes".
Ghosh explains, "If you put a magnifying glass to any network, you're going to find problems, so this is not about NASA as much as it is about the state of network security today. If they weren't found, you'd have to really question the quality of the audit. More importantly, the response from NASA, the Government, and the industry should not just be more penetrate and patch cycles. Rather, the right response is to architect our networks, servers and desktops to be resilient to attacks in the first place."
Randy Abrams, director of technical education at ESET, cautions that talk of endangering space shuttle missions, or crippling the International Space Station make for sensational headlines, but are not really the primary risk. Attackers that would infiltrate NASA servers are most likely interested in flying under the radar and gathering as much sensitive, classified data as possible for as long as possible. Attacks against a space shuttle mission would yield little value, and even less profit.
Sign up for Computerworld eNewsletters.