http://www.fcw.com/fcw/articles/2001/0521/web-nasa-05-24-01.asp

BY Christopher J. Dorobek
05/24/2001

NASA has improved its security processes since a scathing General Accounting Office report found holes in some of the space agency's mission-critical systems. But NASA still needs to improve the way it scans for potential vulnerabilities, a new audit by the agency's inspector general says.

NASA has implemented nearly all of the recommendations from a May 1999 GAO report, which revealed that auditors were able to hack into several systems. Those systems included one responsible for calculating detailed positioning data for Earth-orbiting spacecraft and another that processes and distributes scientific data received from those spacecraft.

"Overall, the new policies that NASA established are adequate, but substantial work remains to fully implement them," the IG report stated.

The IG report, "Information Technology Security Planning," dated March 30 but released last week, says that NASA's current policies for scanning its computer systems for a limited number of vulnerabilities "do not result in an adequate assessment of the agency's IT system vulnerabilities."

"As a result, the IT security risks and metrics that NASA reports to the Congress may understate NASA's IT vulnerabilities and provide undue assurance on the integrity, availability and confidentiality of information," according to the report, which has some portions redacted for security reasons.

NASA does not use scanning software to detect many types of vulnerabilities, the IG said.

The IG makes several recommendations in the report:

* NASA should include in its performance plan a description of the time and resources necessary to implement its IT security program.

* NASA should develop IT security metrics that cover the Office of Management and Budget's requirements.
* NASA should select metrics for measuring the performance of its IT security program that ensure they accurately reflect current risks.

* NASA should describe the extent of the vulnerability testing used to calculate the IT security metrics presented to Congress as part of its annual performance plan.

NASA officials concurred with many of the recommendations. The agency's fiscal 2002 performance plan, for example, has been changed to make clear that only a specified set of vulnerabilities is included in its metrics and that the scanned vulnerabilities may change from quarter to quarter.

Agency officials said that for now, it is not possible to "ensure" that the performance measurements accurately reflect NASA's IT security risk. "We have not claimed that the metric does this," NASA chief information officer Lee Holcomb said. "We believe that our current vulnerability testing reflects a balance of effectiveness and cost," he said in a written response to the IG report. He noted, however, that the agency would work with the IG's office to further hone the balance between effective and exhaustive vulnerability testing.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribeat_private