[ISN] NASA still has security gap

From: William Knowles (wkat_private)
Date: Thu May 24 2001 - 10:40:17 PDT


    BY Christopher J. Dorobek

    NASA has improved its security processes since a scathing General
    Accounting Office report found holes in some of the space agency's
    mission-critical systems. But NASA still needs to improve the way it
    scans for potential vulnerabilities, a new audit by the agency's
    inspector general says.

    NASA has implemented nearly all of the recommendations from a May 1999
    GAO report, which revealed that auditors were able to hack into
    several systems. Those systems included one responsible for
    calculating detailed positioning data for Earth-orbiting spacecraft
    and another that processes and distributes scientific data received
    from those spacecraft.

    "Overall, the new policies that NASA established are adequate, but
    substantial work remains to fully implement them," the IG report

    The IG report, "Information Technology Security Planning," dated March
    30 but released last week, says that NASA's current policies for
    scanning its computer systems for a limited number of vulnerabilities
    "do not result in an adequate assessment of the agency's IT system

    "As a result, the IT security risks and metrics that NASA reports to
    the Congress may understate NASA's IT vulnerabilities and provide undue
    assurance on the integrity, availability and confidentiality of
    information," according to the report, which has some portions
    redacted for security reasons.

    NASA does not use scanning software to detect many types of
    vulnerabilities, the IG said.

    The IG makes several recommendations in the report:

    * NASA should include in its performance plan a description of the
      time and resources necessary to implement its IT security program.
    * NASA should develop IT security metrics to cover the Office of
      Management and Budget's requirements.
    * NASA should select metrics for measuring the performance of its IT
      security program that ensure they accurately reflect the current
    * NASA should describe the extent of vulnerability testing used to
      calculate the IT security metrics that are presented to Congress as
      part of its annual performance plan.

    NASA officials concurred with many of the recommendations. The agency's
    fiscal 2002 performance plan, for example, has been changed to make it
    clear that only a specified set of vulnerabilities is included in its
    metrics and that the scanned vulnerabilities may change from quarter
    to quarter.

    Agency officials said that for now, it is not possible to "ensure"
    that the performance measurements accurately reflect NASA's IT security
    risk. "We have not claimed that the metric does this," NASA chief
    information officer Lee Holcomb said.

    "We believe that our current vulnerability testing reflects a balance
    of effectiveness and cost," he said in a written response to the IG
    report. He noted, however, that the agency would work with the IG's
    office to further hone the balance between effective and exhaustive
    vulnerability testing.

    "Communications without intelligence is noise; Intelligence
    without communications is irrelevant." Gen. Alfred M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org