[ISN] Auditors: One NASA hack cost $1.5M

From: InfoSec News (alerts@private)
Date: Sun Nov 18 2007 - 23:21:47 PST


http://www.gcn.com/online/vol1_no1/45450-1.html

By Wilson P. Dizard III
GCN.com
11/16/07 

A recent series of intrusions into the Earth Observing System’s networks 
“cost NASA $1.5 million for incident mitigation and cleanup costs 
alone,” said the agency’s inspector general, Robert Cobb, in a memo 
issued Nov. 13.

Those costs came on top of the “operational impact to the agency‘s 
mission, such as the temporary suspension of automated processes,” 
caused by the criminal hack of the networks, Cobb said. The memo was 
addressed to NASA’s administrator and accompanied the IG’s report titled 
“NASA’s Most Serious Management and Performance Challenges.”

“Our criminal investigative efforts over the past five years confirm 
that the threats to NASA’s information are broad in scope, sophisticated 
and sustained,” auditors wrote in the report.

“Even more troubling is that the threats appear to evolve along with new 
technologies and range from low-end hacking to complex attacks aimed at 
some of NASA’s most sensitive data,” the report states.

“In addition, internal and external audits and reviews of the agency’s 
[information technology] security continue to identify systemic 
management and technical and operational control weaknesses,” the report 
states. Those weaknesses menace the confidentiality, integrity and 
availability of the agency’s data and systems.

NASA should protect its computers by launching an “IT security internal 
control program; enhancing intrusion detection and computer forensics 
with incident management analysis; implementing improved NASA network 
security monitoring capabilities; and managing IT asset and [IP] 
addresses,” the report states.

NASA has taken significant actions to curb the hacker threats posed by 
criminals; national military and intelligence forces; and malicious 
vandals, the auditors found. But a shortage of fully trained security 
personnel, poor patch management and haphazard incident response have 
hindered progress, the report states.

However, the hacker risk could pale in comparison to NASA’s tendency to 
be its own worst enemy with regard to financial management and 
procurement practices.

After years of attempting to build a financial management system that 
could span the agency’s 10 centers and deliver timely, accurate 
financial data — a task mastered by much smaller enterprises inside and 
outside government— NASA doesn’t appear close to its goal.

The auditor’s report states that NASA has not mastered double-entry 
accounting — a technology that dates back to the Middle Ages — well 
enough to produce timely, accurate financial statements on a routine 
basis.

The auditors described a NASA accounting approach that might be 
characterized as whimsical or madcap. Officials decide how much of their 
expenditures to allocate to capital accounts only after the 
disbursements have been made, according to the report. They also rely 
heavily on contractors to identify assets the contractors created, 
auditors said.

The multibillion-dollar agency’s retrospective financial management 
method, which resembles that of bankrupt musician Willie Nelson or a 
financially embarrassed starlet with driving issues, resonates with its 
Scarlett O’Hara procurement approach of “I’ll worry about that 
tomorrow,” according to the IG report.

“Given that NASA expends most of its budget through contracts and other 
procurement vehicles, weaknesses in NASA’s acquisition and contracting 
processes pose significant challenges to the agency’s ability to make 
informed investment decisions,” the report states.

The Government Accountability Office first warned that NASA’s inadequate 
methods for tracking acquisition costs and contractors’ activities were 
serious problems 17 years ago.

The agency continues to experience failures in “developing adequate cost 
estimates, managing program costs, and ensuring that NASA is using the 
most advantageous acquisition and procurement strategies and safeguards 
to promote competition in contracting and to maximize the agency’s 
ability to fulfill its missions,” the auditors wrote.



__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/



This archive was generated by hypermail 2.1.3 : Sun Nov 18 2007 - 23:45:38 PST