[ISN] Audit finds security weaknesses at NASA center
InfoSec News
isn at c4i.org
Mon Jun 12 04:24:32 EDT 2006
http://www.gcn.com/online/vol1_no1/40990-1.html
By Patience Wait
GCN Staff
06/09/06
At a time when the public has a heightened awareness of computer
security problems at government agencies, the NASA inspector general
has found that one of the space agency's centers has not put in place
sufficient IT security to protect data and systems from possible
compromise.
"Weaknesses in these areas could lead to the compromise of the
computer network," the IG found.
The center audited by the IG was not identified, and only a summary of
the report [1] was released June 2.
According to the report summary, NASA system administrators at the
center did not:
* Periodically review critical firewall audit logs and modems used to
protect the computer network
* Monitor for the use of files and commands with security risks
* Consistently perform system backups
* Meet NASA requirements for storing backup media.
The IG's audit found other problems as well. System administrators
also accessed a key server containing security information without
adequate encryption and did not remove unnecessary services from the
network. Software patches were not installed in a timely manner to fix
security weaknesses in the network servers, and vulnerabilities found
during security scans of the systems were not promptly fixed. Finally,
NASA had no formal policy governing foreign nationals' use of laptops
or other electronic devices while visiting the NASA center or working
onsite.
"We recommended that the NASA center take actions to improve security
controls over the network, to include developing, implementing, and
enforcing procedures and controls over auditing and monitoring, the
use of software and unnecessary services, the installation of patches,
and system backups," the summary concluded. "We also recommended that
the center develop and implement a formal policy to prohibit foreign
nationals' onsite use of their own laptops and other electronic
devices."
Of 13 specific recommendations made by the IG, NASA agreed with nine,
and has already taken or planned corrective actions. The internal
auditors planned follow-up actions on those issues not yet resolved.
[1] http://www.hq.nasa.gov/office/oig/hq/audits/reports/FY06/ig-06-008-summary.pdf
More information about the ISN
mailing list