Audit finds security weaknesses at NASA center
- By Patience Wait
- Jun 09, 2006
At a time when the public has a heightened awareness of computer security problems at government agencies, the NASA inspector general has found that one of the space agency's centers has not put in place sufficient IT security to protect data and systems from possible compromise.
'Weaknesses in these areas could lead to the compromise of the computer network,' the IG found.
The center audited by the IG was not identified, and only a summary of the report was released June 2.
According to the report summary, NASA system administrators at the center did not:
- Periodically review critical firewall audit logs and modems used to protect the computer network
- Monitor for the use of files and commands with security risks
- Consistently perform system backups
- Meet NASA requirements for storing backup media.
The IG's audit found other problems as well. System administrators also accessed a key server containing security information without adequate encryption and did not remove unnecessary services from the network. Software patches were not installed in a timely manner to fix security weaknesses in the network servers, and vulnerabilities found during security scans of the systems were not promptly fixed. Finally, NASA had no formal policy governing foreign nationals' use of laptops or other electronic devices while visiting the NASA center or working onsite.
'We recommended that the NASA center take actions to improve security controls over the network, to include developing, implementing, and enforcing procedures and controls over auditing and monitoring, the use of software and unnecessary services, the installation of patches, and system backups,' the summary concluded. 'We also recommended that the center develop and implement a formal policy to prohibit foreign nationals' onsite use of their own laptops and other electronic devices.'
Of 13 specific recommendations made by the IG, NASA agreed with nine, and has already taken or planned corrective actions. The internal auditors planned follow-up actions on those issues not yet resolved.