SlideShare a Scribd company logo

Inadequate Security Practices Expose Key NASA Network to Cyber Attack

Bill Duncan, profile picture
Bill Duncan

The NASA audit report revealed that inadequate security practices exposed key networks to significant cyber attack risks, specifically identifying high-risk vulnerabilities in servers that control critical spacecraft operations. Despite recommendations for an IT security oversight program made in a previous report, action was slow and the vulnerabilities remained unaddressed, leading to potential severe operational impacts. The report urged NASA to expedite implementing security measures and conduct comprehensive risk assessments to protect its network assets effectively.

News & Politics
Related topics:
IT Security
1 of 24
Downloaded 10 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
MARCH 28, 2011 AUDIT REPORT OFFICE OF AUDITS INADEQUATE SECURITY PRACTICES EXPOSE KEY NASA NETWORK TO CYBER ATTACK OFFICE OF INSPECTOR GENERAL National Aeronautics and Space Administration REPORT NO. IG-11-017 (ASSIGNMENT NO. A-10-011-00)
Final report released by: Paul K. Martin Inspector General Acronyms FTP File Transfer Protocol IP Internet Protocol IT Information Technology JPL Jet Propulsion Laboratory OA Office of Audits OIG Office of Inspector General VPN Virtual Private Network REPORT NO. NO. IG-11-017
MARCH 28, 2011 OVERVIEW INADEQUATE SECURITY PRACTICES EXPOSE KEY NASA NETWORK TO CYBER ATTACK The Issue NASA relies on a series of computer networks to carry out its various missions, including controlling spacecraft like the International Space Station and conducting science missions like the Hubble Telescope. Therefore, it is imperative that NASA protect its computer networks from cyber attacks that could disrupt operations or result in the loss of sensitive data. In this audit, we evaluated whether NASA protected information technology (IT) assets on its Agency-wide mission computer network from Internet-based cyber attacks. Specifically, we assessed whether NASA adequately protected these IT assets from Internet-based attacks by regularly assessing risks and identifying and mitigating vulnerabilities. We also reviewed internal controls as appropriate. Details of the audit’s scope and methodology are in Appendix A. Results We found that computer servers on NASA’s Agency-wide mission network had high-risk vulnerabilities that were exploitable from the Internet. Specifically, six computer servers associated with IT assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable. Moreover, once inside the Agency-wide mission network, the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA’s operations. We also found network servers that revealed encryption keys, encrypted passwords, and user account information to potential attackers. These data are sensitive and provide attackers additional ways to gain unauthorized access to NASA networks. These deficiencies occurred because NASA had not fully assessed and mitigated risks to its Agency-wide mission network and was slow to assign responsibility for IT security oversight to ensure the network was adequately protected. In a May 2010 audit report, we recommended that NASA immediately establish an IT security oversight program for this key network. 1 However, even though the Agency concurred with the recommendation it remained unimplemented as of February 2011. Until NASA addresses these critical deficiencies and improves its IT 1 NASA OIG, “Review of the Information Technology Security of [a NASA Computer Network]” (IG-10-013, May 13, 2010). REPORT NO. IG-11-017
OVERVIEW security practices, the Agency is vulnerable to computer incidents that could have a severe to catastrophic effect on Agency assets, operations, and personnel. Management Action In order to strengthen the Agency’s IT security program, we urge NASA to expedite implementation of our May 2010 recommendation to establish an IT security oversight program for NASA’s Agency-wide mission network. We also recommend that NASA Mission Directorates (1) immediately identify Internet-accessible computers on their mission networks and take prompt action to mitigate identified risks and (2) continuously monitor Agency mission networks for Internet-accessible computers and take prompt action to mitigate identified risks. Finally, to help ensure that all threats and vulnerabilities to NASA’s IT assets are identified and promptly addressed, we recommend that NASA’s Chief Information Officer, in conjunction with the Mission Directorates, conduct an Agency-wide IT security risk assessment. In response to a draft of this report, the Chief Information Officer and Mission Directorates concurred with our recommendations. The Chief Information Officer stated that she will work with the Mission Directorates and Centers to develop a comprehensive approach to ensure that Internet-accessible computers on NASA’s mission networks are routinely identified, vulnerabilities are continually evaluated, and risks are promptly mitigated by September 30, 2011. In addition, the Chief Information Officer said she will develop and implement a strategy for conducting an Agency-wide risk assessment by August 31, 2011. The full text of NASA’s comments can be found in Appendix B. We consider the Chief Information Officer’s proposed actions to be responsive to our recommendations. Therefore, the recommendations are resolved and will be closed upon verification that management has completed the corrective actions. ii REPORT NO. IG-11-017
MARCH 28, 2011 CONTENTS INTRODUCTION Background _________________________________________ 1 Objectives __________________________________________ 2 RESULTS NASA Did Not Adequately Assess and Mitigate Risks to Its Agency-Wide Mission Computer Network ______________ 3 APPENDIX A Scope and Methodology ________________________________ 9 Review of Internal Controls ____________________________ 10 Prior Coverage ______________________________________ 10 APPENDIX B Management Comments ______________________________ 12 APPENDIX C Report Distribution ___________________________________ 16 REPORT NO. IG-11-017
Inadequate Security Practices Expose Key NASA Network to Cyber Attack
MARCH 28, 2011 INTRODUCTION Background The threat to NASA’s computer networks from Internet-based intrusions is tangible and expanding in both scope and frequency. For example, in May 2009 NASA notified the Office of Inspector General (OIG) of a suspicious computer connection from a system that supports Agency space operations and space exploration activities. The subsequent OIG investigation confirmed that cybercriminals had infected a computer system that supports one of NASA’s mission networks. Due to the inadequate security configurations on the system, the infection caused the computer system to make over 3,000 unauthorized connections to domestic and international Internet protocol (IP) addresses including addresses in China, the Netherlands, Saudi Arabia, and Estonia. 2 In another cyber attack in January 2009, cybercriminals stole 22 gigabytes of export-restricted data from a Jet Propulsion Laboratory (JPL) computer system. The sophistication of both of these Internet-based intrusions confirms that they were focused and sustained efforts to target assets on NASA’s mission computer networks. NASA’s Agency-wide mission network is widely distributed throughout the United States and hosts more than 190 IT systems and projects run by the Agency’s Mission Directorates and JPL. Included in these 190 IT assets are computer systems and projects that control the Hubble Space Telescope, the Space Shuttle, the International Space Station, the Cassini and Lunar Reconnaissance orbiters, and several ground stations and mission control centers. These IT systems and projects, categorized as moderate- and high-impact, control spacecraft, collect and process scientific data, and perform other critical Agency functions. 3 Consequently, a security breach of one of these systems or projects could have a severe to catastrophic adverse effect on NASA operations, assets, or personnel. In order to communicate and share information with external parties, NASA’s Agency- wide mission network is connected to the Internet. NASA uses firewall technology to control access to the network. A firewall is a set of IT resources that separate and protect computer systems and data on an organization’s internal networks from unauthorized 2 An IP address is a unique numerical label assigned to each device (such as a computer or printer) connected to a network that uses the Internet protocol to communicate. An information technology system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. 3 In a moderate-impact system, the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. In a high-impact system, such a loss could be expected to have a severe or catastrophic adverse effect. REPORT NO. IG-11-017 1
INTRODUCTION access from an external network, such as the Internet. Specifically, firewalls inspect incoming network traffic and permit or deny requests for access according to an organization’s security policy. Firewalls are only as effective as the rules that security personnel define for them. For example, firewall rules that allow unrestricted access from the Internet to computers on an organization’s internal networks are pathways attackers can use to identify and exploit vulnerabilities on these networks. Accordingly, as part of an enterprise-wide IT security risk assessment, organizations should identify and prioritize the mitigation of vulnerabilities that can be exploited from the Internet. This is especially important when these vulnerabilities are associated with moderate- or high-impact systems because a system breach could severely degrade or even cripple an organization’s ability to operate. Typically, organizations assess their network security posture from within the confines of their own organizational networks and therefore do not always identify computers that are exploitable from the Internet. Computer hackers, however, assess and evaluate potential targets from the outside. Thus, computers that are accessible from the Internet are prime targets for exploitation and are highly sought after by hackers. Objectives We reviewed the firewalls and related computer networking devices that control the flow of network traffic between the Internet and systems on NASA’s Agency-wide mission network to determine whether they are effectively configured to protect NASA IT resources from Internet-based threats. We also reviewed internal controls as appropriate. See Appendix A for details of the audit’s scope and methodology. 2 REPORT NO. IG-11-017
RESULTS NASA DID NOT ADEQUATELY ASSESS AND MITIGATE RISKS TO ITS AGENCY-WIDE MISSION COMPUTER NETWORK We performed vulnerability tests on computer servers connected to NASA’s Agency- wide mission computer network and found six servers that were exploitable from the Internet. These servers were associated with IT projects that control spacecraft or contain critical NASA data. In addition to servers with high-risk vulnerabilities, we also found servers that exposed encryption keys, encrypted passwords, and user account information. These data are sensitive and provide attackers additional ways to gain unauthorized access to NASA computer networks. These deficiencies occurred because NASA had not fully assessed and mitigated risks to the network and had not assigned responsibility for IT security oversight to ensure the network was adequately protected. A security breach of a moderate- or high-impact system or project on this key network could severely disrupt NASA operations or result in the loss of sensitive data. Computers on NASA’s Agency-wide Mission Network Could Be Exploited from the Internet NASA computers that are accessible from the Internet are prime targets for exploitation and thus are highly sought after by hackers. To determine the extent to which NASA’s Agency-wide mission network was vulnerable to a cyber attack, we first conducted a test to probe the network for Internet-accessible computers. 4 The test included all IP addresses assigned to the more than 190 IT systems and projects on this network – more than 176,000 in total. At the time of our test, we found that NASA’s Agency-wide mission network had 54 Internet-accessible computer servers associated with 8 IT projects. These servers were associated with moderate- and high-impact NASA IT projects used to control spacecraft or process critical data. We contacted the owner of each project and found that two of the eight projects were scheduled for termination and were disposed of during the audit. 5 We performed vulnerability tests on the six remaining projects to determine if they included computers with high-risk vulnerabilities. Specifically, we used NESSUS®, a network vulnerability scanner, to test each computer for vulnerabilities such as running outdated or unpatched 4 We used Nmap, a widely used software program, to identify Internet-accessible computers. Nmap discovers what hosts (computers) are present on a network and what services (applications such as e-mail or file sharing) those hosts are offering. 5 Disposal means that all computer hardware related to the project was removed from the network and retired. REPORT NO. IG-11-017 3
RESULTS software or offering network services that have known security weaknesses. NESSUS® ranks vulnerabilities as high, medium, or low based on their potential to harm the system. One of the IT projects we reviewed had an Internet-accessible server that was susceptible to a file transfer protocol (FTP) bounce attack – a highly effective form of cyber attack, widely known since 1998. 6 As shown in Figure 1 below, in an FTP bounce attack the attacker connects to and exploits a software flaw in the FTP server (1 and 3). Next, the attacker uses the FTP server as a middle-man to discreetly scan computers positioned behind the firewall for vulnerabilities (2). The scan results are relayed from the FTP server back through the firewall to the attacker (4), and the attacker uses the scan results to exploit other computers on the network, disrupt operations, or steal data. Figure 1: Attacker Exploits Vulnerability to Disrupt NASA Operations or Steal Data Table 1 shows the results of our vulnerability tests for the six NASA projects we evaluated. Specifically, it shows the number of Internet-accessible servers with high-risk vulnerabilities and the total number of servers with high-risk vulnerabilities. We also detected medium- and low-risk vulnerabilities and immediately provided the complete results of our tests to NASA IT security staff. NASA has since remediated all the high- risk vulnerabilities we detected. As the table shows, three of the projects and six computer servers had high-risk vulnerabilities that could allow an Internet-based attacker to take control of the computers or render them unavailable. We also found high-risk vulnerabilities on other computers that were part of these six projects. 6 File transfer protocol is a network protocol commonly used on the Internet to copy files from one computer to another. An FTP bounce attack exploits the FTP protocol when an attacker is able to use the PORT command to request access to ports indirectly through the use of the victim machine as a middle- man for the request. 4 REPORT NO. IG-11-017
RESULTS Table 1. Vulnerability Assessment Results Number of Internet- Number of Servers with Accessible Servers with High-Risk Project High-Risk Vulnerabilities Vulnerabilities 1 0 2 2 0 0 3 0 2 4 2 2 5 3 5 6 1 1 Total 6 12 Once an attacker has exploited a vulnerability on an Internet-accessible computer, the attacker could use the compromised computer as a means to exploit vulnerabilities on other mission network computers. For example, had the bounce attack vulnerability been exploited, a cybercriminal could have significantly disrupted NASA’s space flight operations and stolen sensitive data. Problems with Server Configurations Exposed Sensitive Data We also found that servers associated with the six projects we reviewed were not securely configured and, as a result, sensitive data such as encryption keys, encrypted passwords, and user account lists were exposed to potential attackers. These data are sensitive and can be used to gain unauthorized access to NASA’s Agency-wide mission network. For example, an attacker can use encryption keys to bypass security controls and remotely access a mission network server. 7 Although encrypting passwords prevents the true password from being disclosed in a legible form, an attacker can use one of the many tools available on the Internet to decipher the password through a technique called brute- forcing. 8 After cracking the password, the attacker can then bypass the login mechanism on the related server’s password-protected website and gain access to NASA’s Agency- wide mission network. Finally, one server we reviewed disclosed sensitive account data for all its authorized users. This information could be used by attackers for phishing or sending Agency personnel e-mails containing malicious code to their official NASA e-mail accounts. When the recipient accessed the e-mail, their computer and any sensitive data on it could be compromised. 7 The encryption keys are files used as part of the authentication process for tunneling into an internal network using a VPN (virtual private network) to remotely administer computer servers in the network. 8 Brute-force password cracking is a technique that involves an automated script or program that attempts every possible password combination or uses a dictionary of words until the encrypted password is discovered. REPORT NO. IG-11-017 5
RESULTS NASA Needs to Conduct an Agency-Wide IT Security Risk Assessment Although NASA regularly conducts risk assessments of individual IT systems, the Agency has never completed an Agency-wide risk assessment for its portfolio of IT assets. Agency-wide risk assessments are important because they help ensure that all threats and vulnerabilities are identified and that the greatest risks are promptly addressed. In our judgment, the deficiencies noted above occurred because NASA (1) was unaware of critical risks to its Agency-wide mission network that a comprehensive risk assessment would have brought to light and (2) had not implemented an agreed-upon recommendation to establish an IT security oversight program to ensure that Agency mission networks were adequately protected. As a result, NASA’s Agency- wide mission network was vulnerable to a variety of cyber attacks with the potential for devastating adverse effects on the mission operations the network supports. Until NASA improves its IT security practices by completing a comprehensive IT security risk assessment and implementing our previous recommendation to establish an IT security oversight program, the Agency is vulnerable to computer incidents that could have a severe to catastrophic adverse effect on Agency assets, operations, or personnel. Recommendations, Management’s Response, and Evaluation of Management’s Response To strengthen the Agency’s IT security program, we urged NASA to expedite implementation of our May 2010 recommendation to establish an IT security oversight program for NASA’s Agency-wide mission network. We also recommended that NASA Mission Directorates take the following actions: Recommendation 1. Immediately identify Internet-accessible computers on their mission computer networks and take prompt action to mitigate identified risks. Recommendation 2. Add as a security control continuous monitoring of their mission computer networks for Internet-accessible computers and take prompt action to mitigate identified risks. Management’s Response. The NASA CIO and Mission Directorates combined Recommendations 1 and 2 and stated that by September 30, 2011, the CIO will work with the Mission Directorates and Centers to develop a comprehensive approach to ensure that Internet-accessible computers on NASA’s mission networks are routinely identified, vulnerabilities are continually evaluated, and risks are promptly mitigated. NASA’s proposed corrective action is an Agency-wide solution and will include analyses of the root cause or causes underlying the findings in this and prior audits; identification of short-term steps that NASA will take to address the audit findings; identification of long- term initiatives to address any identified root cause; and identification of the costs and 6 REPORT NO. IG-11-017
RESULTS resources, tools, procedures, and oversight needed to implement the plan, along with specific milestones and assignments of responsibility and methods for accountability. Evaluation of Management’s Response. We consider the CIO and Mission Directorate proposed actions to be responsive to our recommendations. Further, we commend NASA for extending the corrective actions beyond NASA’s mission networks. The recommendations are resolved and will be closed upon verification that the proposed actions have been completed. The CIO also requested that we reevaluate the security of Internet-accessible computers on NASA’s mission networks within 1 year of the development of NASA’s remediation plan. We agreed and plan to perform a vulnerability assessment of NASA’s mission networks in October 2012 to evaluate the security status of the Agency’s Internet- accessible computers. Finally, we recommended that NASA’s Chief Information Officer in conjunction with the Mission Directorates: Recommendation 3. Conduct an Agency-wide IT security risk assessment of NASA’s mission-related networks and systems in accordance with Federal guidelines and industry best practices. Management’s Response. The CIO and Mission Directorates concurred with our recommendation, stating that NASA will develop and implement a strategy for conducting such a risk assessment with the goals of (1) providing an overall view of the Agency’s information security risk posture and effectiveness of ongoing information security initiatives, particularly on NASA’s mission-related networks and systems, and (2) producing actionable recommendations for improving information security, prioritized by level of risk to the Agency, by August 31, 2011. Evaluation of Management’s Response. We consider the proposed actions to be responsive to our recommendation. Therefore, the recommendation is resolved and will be closed upon verification that the proposed actions have been completed. REPORT NO. IG-11-017 7
Inadequate Security Practices Expose Key NASA Network to Cyber Attack
APPENDIXES APPENDIX A Scope and Methodology We performed our audit from July through February 2011 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform our work to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. To evaluate processes NASA used to control the flow of network traffic between the Internet and systems on NASA’s Agency-wide mission network, we inspected configurations of the firewalls and network gears that control network traffic between the Internet and agency-wide mission network. To identify Internet-accessible servers on 100 percent of the Agency-wide mission network, we used Nmap, a widely used software program, that can be used to discover IT assets that are accessible from the Internet. Based on the results of Nmap scans, we identified eight mission projects (two of which were decommissioned prior to the completion of our audit fieldwork) that had computer servers that were accessible from the Internet. We selected these projects for detailed review. Specifically, we assessed whether NASA has effective processes in place to • protect internal IT assets from external threats, • resume post-disaster operations, and • identify and remediate technical vulnerabilities. We interviewed NASA and contractor staff responsible for the different areas for each project reviewed. We evaluated processes, controls, and tools they used to secure their IT mission assets and mitigate risk. We conducted vulnerability assessments on each of the six IT projects identified to assess NASA’s ability to mitigate technical vulnerabilities. Additionally, we inspected and validated the configurations of the devices that control the flow of network traffic between the Internet and NASA’s mission projects against NASA’s recommended configurations. To evaluate processes NASA used for contingency planning for the Agency-wide mission network, we assessed whether there are effective processes in place to not only restore the network following a disruption but also to maintain network operations throughout the occurrence of a disaster. We also developed questionnaires to interview NASA and REPORT NO. IG-11-017 9
APPENDIX A contractor staff responsible for the restoration of the Agency-wide mission network. We inspected the contingency plans and contingency plan tests for the Agency-wide mission network. Use of Computer-Processed Data. We relied on data produced from a software program to perform discovery scans on the Agency-wide mission network. We used Nmap, a widely accepted open source port scanner, to determine what hosts (computers) are active and which ports on these computers are open or may be open and available on a given network and what services and applications those hosts are offering. We validated the data produced by Nmap by manually connecting to the hosts identified by Nmap as open. We also relied on data produced from a software program to perform vulnerability tests on samples of mission projects connected to the Agency-wide mission network. We used NESSUS®, a commercial network-based vulnerability scanner, to test computers for technical vulnerabilities. We did not validate the data produced by NESSUS® because NESSUS® is widely accepted as a reliable source for providing information related to the presence of technical vulnerabilities in information systems. Review of Internal Controls We reviewed internal controls related to the flow of network traffic between the Internet and systems on NASA’s Agency-wide mission network and contingency planning audit objectives. These included determining whether NASA has policies and procedures in place for performing risk assessments, configuration and vulnerability management, and contingency planning. Prior Coverage During the last 5 years, the NASA Office of Inspector General (OIG) and the Government Accountability Office (GAO) have issued two reports of particular relevance to the subject of this report. Unrestricted reports can be accessed over the Internet at http://oig.nasa.gov/audits/reports/FY11 (NASA OIG) and http://www.gao.gov (GAO). NASA Office of Inspector General “Review of the Information Technology Security of [a NASA Computer Network]” (IG-10-013, May 13, 2010). 10 REPORT NO. IG-11-017
APPENDIX A Government Accountability Office “NASA Needs to Remedy Vulnerabilities in Key Networks” (GAO-10-4, October 15, 2009) REPORT NO. IG-11-017 11
APPENDIX B MANAGEMENT COMMENTS 12 REPORT NO. IG-11-017
APPENDIX B REPORT NO. IG-11-017 13
APPENDIX B 14 REPORT NO. IG-11-017
APPENDIX B REPORT NO. IG-11-017 15
APPENDIX C REPORT DISTRIBUTION National Aeronautics and Space Administration Administrator Deputy Administrator Chief of Staff Chief Information Officer Associate Administrator Aeronautics Research Mission Directorate Associate Administrator Science Mission Directorate Associate Administrator Exploration Systems Mission Directorate Associate Administrator Space Operations Mission Directorate Non-NASA Organizations and Individuals Office of Management and Budget Deputy Associate Director, Energy and Science Division Branch Chief, Science and Space Programs Branch Government Accountability Office Director, NASA Financial Management, Office of Financial Management and Assurance Director, NASA Issues, Office of Acquisition and Sourcing Management Congressional Committees and Subcommittees, Chairman and Ranking Member Senate Committee on Appropriations Subcommittee on Commerce, Justice, Science, and Related Agencies Senate Committee on Commerce, Science, and Transportation Subcommittee on Science and Space Senate Committee on Homeland Security and Governmental Affairs House Committee on Appropriations Subcommittee on Commerce, Justice, Science, and Related Agencies House Committee on Oversight and Government Reform Subcommittee on Government Organization, Efficiency, and Financial Management House Committee on Science, Space, and Technology Subcommittee on Investigations and Oversight Subcommittee on Space and Aeronautics 16 REPORT NO. IG-11-017
Major Contributors to the Report: Wen Song, Director, Information Technology Directorate Jefferson Gilkeson, Project Manager Eric Jeanmaire, Auditor Morgan Reynolds, Auditor REPORT NO. IG-11-017 17
MARCH 28, 2011 REPORT No. IG-11-017 OFFICE OF AUDITS OFFICE OF INSPECTOR GENERAL ADDITIONAL COPIES Visit http://oig.nasa.gov/audits/reports/FY11/ to obtain additional copies of this report, or contact the Assistant Inspector General for Audits at 202-358-1232. COMMENTS ON THIS REPORT In order to help us improve the quality of our products, if you wish to comment on the quality or usefulness of this report, please send your comments to Mr. Laurence Hawkins, Audit Operations and Quality Assurance Director, at Laurence.B.Hawkins@nasa.gov or call 202-358-1543. SUGGESTIONS FOR FUTURE AUDITS To suggest ideas for or to request future audits, contact the Assistant Inspector General for Audits. Ideas and requests can also be mailed to: Assistant Inspector General for Audits NASA Headquarters Washington, DC 20546-0001 NASA HOTLINE To report fraud, waste, abuse, or mismanagement, contact the NASA OIG Hotline at 800-424-9183 or 800-535-8134 (TDD). You may also write to the NASA Inspector General, P.O. Box 23089, L’Enfant Plaza Station, Washington, DC 20026, or use http://oig.nasa.gov/hotline.html#form. The identity of each writer and caller can be kept confidential, upon request, to the extent permitted by law.

More Related Content

PDF
Cyber security regulation strictly regulated by nrc feb 2013
Yury Chemerkin
 
PPTX
IRP on a Budget
Sean D. Goodwin
 
PDF
The stuxnet computer worm. harbinger of an emerging warfare capability
Yury Chemerkin
 
PPTX
Advanced persistent threat (apt)
mmubashirkhan
 
PDF
Modern Attack Detection using Intelligent Honeypot
IRJET Journal
 
PPTX
SplunkLive! Customer Presentation – Virtustream
Splunk
 
PDF
Ransomware Threats to the Healthcare Industry
Tim Gurganus
 
PDF
Infocyte Mid-market Threat and Incident Response Report Webinar
Infocyte
 
Cyber security regulation strictly regulated by nrc feb 2013
Yury Chemerkin
 
IRP on a Budget
Sean D. Goodwin
 
The stuxnet computer worm. harbinger of an emerging warfare capability
Yury Chemerkin
 
Advanced persistent threat (apt)
mmubashirkhan
 
Modern Attack Detection using Intelligent Honeypot
IRJET Journal
 
SplunkLive! Customer Presentation – Virtustream
Splunk
 
Ransomware Threats to the Healthcare Industry
Tim Gurganus
 
Infocyte Mid-market Threat and Incident Response Report Webinar
Infocyte
 

What's hot (17)

DOCX
Msc dare journal 1
OluwadareOlatunji1
 
PDF
Stuxnet - A weapon of the future
Hardeep Bhurji
 
PDF
A comprehensive study on classification of passive intrusion and extrusion de...
csandit
 
PPTX
Enchaning system effiency through process scanning
sai kiran
 
PDF
A memory symptom based virus detection approach
UltraUploader
 
PDF
Frank Migge It Security Patch Monitoring With Nagios 02
frank4dd
 
PDF
Pileup Flaws: Vulnerabilities in Android Update Make All Android Devices Vuln...
MOBIQUANT TECHNOLOGIES
 
PDF
APPBACS: AN APPLICATION BEHAVIOR ANALYSIS AND CLASSIFICATION SYSTEM
ijcsit
 
PDF
Strategies for Data Leakage Prevention
IRJET Journal
 
PDF
UNCONSTRAINED ENDPOINT SECURITY SYSTEM: UEPTSS
IJNSA Journal
 
PDF
Review on Honeypot Security
IRJET Journal
 
PPTX
Critical thinking 2
qnorman
 
ODP
Infosec Workshop - PacINET 2007
Chris Hammond-Thrasher
 
PDF
Security against Web Application Attacks Using Ontology Based Intrusion Detec...
IRJET Journal
 
PDF
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
NoNameCon
 
PDF
20 Security Controls for the Cloud
NetStandard
 
PDF
Defending Industrial Control Systems From Cyberattack
Mountain States Engineering and Controls
 
Msc dare journal 1
OluwadareOlatunji1
 
Stuxnet - A weapon of the future
Hardeep Bhurji
 
A comprehensive study on classification of passive intrusion and extrusion de...
csandit
 
Enchaning system effiency through process scanning
sai kiran
 
A memory symptom based virus detection approach
UltraUploader
 
Frank Migge It Security Patch Monitoring With Nagios 02
frank4dd
 
Pileup Flaws: Vulnerabilities in Android Update Make All Android Devices Vuln...
MOBIQUANT TECHNOLOGIES
 
APPBACS: AN APPLICATION BEHAVIOR ANALYSIS AND CLASSIFICATION SYSTEM
ijcsit
 
Strategies for Data Leakage Prevention
IRJET Journal
 
UNCONSTRAINED ENDPOINT SECURITY SYSTEM: UEPTSS
IJNSA Journal
 
Review on Honeypot Security
IRJET Journal
 
Critical thinking 2
qnorman
 
Infosec Workshop - PacINET 2007
Chris Hammond-Thrasher
 
Security against Web Application Attacks Using Ontology Based Intrusion Detec...
IRJET Journal
 
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
NoNameCon
 
20 Security Controls for the Cloud
NetStandard
 
Defending Industrial Control Systems From Cyberattack
Mountain States Engineering and Controls
 
Ad

Viewers also liked (20)

PDF
Презентация к Годовой расширенной коллегии Минкомсвязи России 2014 года
Victor Gridnev
 
PPT
Celebración ascenso liga FEVB
gemelito
 
PPS
Anuncio censurado de la MTV
cucoalmeria
 
PPS
la elasticidad de la demanda
clasesparaalumnos
 
PPT
Dffy
Deep Deep
 
PPS
Realmente Fascinante
Juan Carlos Fernandez
 
PPS
Murano praia-de-icarai-niteroi
INTERNETONLINE3
 
PPT
15a.Abnormal Early Pregnancies
Deep Deep
 
PPS
Aos Especiais
guest22a884
 
PDF
BBA-Certificate
Miraj Hossan
 
PDF
Conheca Artrite Reumatoide
Flecte
 
PDF
Receitas Sem Leite E Sem Trigo
Bombokado Kado
 
DOCX
Infectious Disease
Deep Deep
 
PDF
Prova ta-tipo-003-120321153738-phpapp01
Glaucio Babo Lopes
 
PDF
Fooding Catalogue
yang Liu
 
PPTX
Apresentação Chá de Cérebro
Alan Lupatini
 
PDF
Expolanka EDP
Ifraz Salih
 
PPTX
Ivan quotes
michellelahti
 
DOCX
Arto lapurra
irakasletaldea
 
PDF
EduPunk - Das kreative Chaos als Strategie?
Martin Ebner
 
Презентация к Годовой расширенной коллегии Минкомсвязи России 2014 года
Victor Gridnev
 
Celebración ascenso liga FEVB
gemelito
 
Anuncio censurado de la MTV
cucoalmeria
 
la elasticidad de la demanda
clasesparaalumnos
 
Dffy
Deep Deep
 
Realmente Fascinante
Juan Carlos Fernandez
 
Murano praia-de-icarai-niteroi
INTERNETONLINE3
 
15a.Abnormal Early Pregnancies
Deep Deep
 
Aos Especiais
guest22a884
 
BBA-Certificate
Miraj Hossan
 
Conheca Artrite Reumatoide
Flecte
 
Receitas Sem Leite E Sem Trigo
Bombokado Kado
 
Infectious Disease
Deep Deep
 
Prova ta-tipo-003-120321153738-phpapp01
Glaucio Babo Lopes
 
Fooding Catalogue
yang Liu
 
Apresentação Chá de Cérebro
Alan Lupatini
 
Expolanka EDP
Ifraz Salih
 
Ivan quotes
michellelahti
 
Arto lapurra
irakasletaldea
 
EduPunk - Das kreative Chaos als Strategie?
Martin Ebner
 
Ad

Similar to Inadequate Security Practices Expose Key NASA Network to Cyber Attack (20)

PDF
OIG: Information Technology Security: Improvements Needed in NASA's Continuou...
Bill Duncan
 
PDF
OIG: Review of NASA's Management and Oversight of Its Information Technology ...
Bill Duncan
 
PDF
NASA OIG Report
Priyanka Aash
 
DOCX
Running head IT SECURITY POLICYIT SECURITY POLICY .docx
charisellington63520
 
PDF
Meeting national security_space_needs_in_the_contested_cyberspace_domain
Darwin Chimbo
 
PDF
Better Cyber Security Through Effective Cyber Deterrence_The Role of Active C...
Brent Guglielmino
 
PDF
National Security Review
Simoun Ung
 
PDF
Francesca Bosco, Le nuove sfide della cyber security
Andrea Rossetti
 
PDF
Information systems security_awareness_fy10
Wesen Tegegne
 
PPTX
1713435528251_1709734122381_1708585866621_1708585864158_2.Information Systems...
NabankemaRukayiyah
 
PPTX
Information Technology Infrastructure Committee (ITIC): Report to the NAC
Larry Smarr
 
PPT
2008: Web Application Security Tutorial
Neil Matatall
 
PPTX
Cybersecurity
National LECET
 
PDF
IG- SpecialReview(12-17-12)
Michael Palinkas
 
PPT
Lecture1 Introduction
rajakhurram
 
PDF
Egypt Cloud Day, May2011-- Information Assurance
Egypt Cloud Forum
 
DOCX
Outline for an Enterprise IT Security PolicyNo NameJanuary 24, 201.docx
alfred4lewis58146
 
PDF
Addressing CIP
Narinrit Prem-apiwathanokul
 
PDF
ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3
Asad Zaman
 
PPT
Hacking
SUNY Oneonta
 
OIG: Information Technology Security: Improvements Needed in NASA's Continuou...
Bill Duncan
 
OIG: Review of NASA's Management and Oversight of Its Information Technology ...
Bill Duncan
 
NASA OIG Report
Priyanka Aash
 
Running head IT SECURITY POLICYIT SECURITY POLICY .docx
charisellington63520
 
Meeting national security_space_needs_in_the_contested_cyberspace_domain
Darwin Chimbo
 
Better Cyber Security Through Effective Cyber Deterrence_The Role of Active C...
Brent Guglielmino
 
National Security Review
Simoun Ung
 
Francesca Bosco, Le nuove sfide della cyber security
Andrea Rossetti
 
Information systems security_awareness_fy10
Wesen Tegegne
 
1713435528251_1709734122381_1708585866621_1708585864158_2.Information Systems...
NabankemaRukayiyah
 
Information Technology Infrastructure Committee (ITIC): Report to the NAC
Larry Smarr
 
2008: Web Application Security Tutorial
Neil Matatall
 
Cybersecurity
National LECET
 
IG- SpecialReview(12-17-12)
Michael Palinkas
 
Lecture1 Introduction
rajakhurram
 
Egypt Cloud Day, May2011-- Information Assurance
Egypt Cloud Forum
 
Outline for an Enterprise IT Security PolicyNo NameJanuary 24, 201.docx
alfred4lewis58146
 
Addressing CIP
Narinrit Prem-apiwathanokul
 
ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3
Asad Zaman
 
Hacking
SUNY Oneonta
 

More from Bill Duncan (20)

PDF
Red Hat Accredited Professional - Red Hat Sales Specialist Infrastructure as ...
Bill Duncan
 
PDF
Ibm bluemix—from idea to application by karim abousedera
Bill Duncan
 
PPTX
IBM Federal Systems Integrator Forum at InterConnect
Bill Duncan
 
PDF
Create software builds with jazz team build
Bill Duncan
 
PDF
How DOORS Helps JPL Get to Mars & Beyond
Bill Duncan
 
PDF
Space Quarterly: September 2011
Bill Duncan
 
PDF
Tutorial: Create a custom work item in Rational Team Concert
Bill Duncan
 
PDF
How to implement access restrictions to your EA artifacts using Rational Syst...
Bill Duncan
 
PDF
Speed delivery of Android devices and applications with model-driven development
Bill Duncan
 
PDF
Optimize load handling for high-volume tests with IBM Rational Performance Te...
Bill Duncan
 
PDF
Improve software development project success with better information
Bill Duncan
 
PDF
Automate document generation from SysML models with Rational Rhapsody Reporte...
Bill Duncan
 
PDF
Automate document generation from sys ml models with rational rhapsody report...
Bill Duncan
 
PDF
Integrate Rational DOORS and Rational Team Concert change management
Bill Duncan
 
PDF
IBM Rational Harmony Deskbook rel 3.1.2
Bill Duncan
 
PDF
Advanced Rational Performance Tester reports
Bill Duncan
 
PDF
Developing service component architecture applications using rational applica...
Bill Duncan
 
PDF
Managing requirements across Analysis and Design phases using System Architec...
Bill Duncan
 
PDF
What's New in Rational Team Concert 3.0
Bill Duncan
 
PDF
Automatic Proactive Troubleshooting with IBM Rational Build Forge
Bill Duncan
 
Red Hat Accredited Professional - Red Hat Sales Specialist Infrastructure as ...
Bill Duncan
 
Ibm bluemix—from idea to application by karim abousedera
Bill Duncan
 
IBM Federal Systems Integrator Forum at InterConnect
Bill Duncan
 
Create software builds with jazz team build
Bill Duncan
 
How DOORS Helps JPL Get to Mars & Beyond
Bill Duncan
 
Space Quarterly: September 2011
Bill Duncan
 
Tutorial: Create a custom work item in Rational Team Concert
Bill Duncan
 
How to implement access restrictions to your EA artifacts using Rational Syst...
Bill Duncan
 
Speed delivery of Android devices and applications with model-driven development
Bill Duncan
 
Optimize load handling for high-volume tests with IBM Rational Performance Te...
Bill Duncan
 
Improve software development project success with better information
Bill Duncan
 
Automate document generation from SysML models with Rational Rhapsody Reporte...
Bill Duncan
 
Automate document generation from sys ml models with rational rhapsody report...
Bill Duncan
 
Integrate Rational DOORS and Rational Team Concert change management
Bill Duncan
 
IBM Rational Harmony Deskbook rel 3.1.2
Bill Duncan
 
Advanced Rational Performance Tester reports
Bill Duncan
 
Developing service component architecture applications using rational applica...
Bill Duncan
 
Managing requirements across Analysis and Design phases using System Architec...
Bill Duncan
 
What's New in Rational Team Concert 3.0
Bill Duncan
 
Automatic Proactive Troubleshooting with IBM Rational Build Forge
Bill Duncan
 

Recently uploaded (20)

PDF
KAL 007 Manual: The Russian Shootdoown of Civilian Plane on 09/01/1983
Ingo Breuer
 
PDF
Supereme Court history functions and reach.pdf
saurabhbed31
 
PDF
2025-07-24_CED-HWB_WIPP_ACO000000001.pdf
StopForeverWipp
 
PPTX
Precised New Precis and Composition 2025.pptx
MuhammadZahid846522
 
PDF
The Most Dynamic Lawyer to Watch 2025.pdf
lawoutlookmagazine
 
PDF
424926802-1987-Constitution-as-Basis-of-Environmental-Laws.pdf
LibresseJeanChavez
 
PDF
Aron Govil on Why America Lacks Skilled Engineers.pdf
New India Abroad
 
PDF
Conflict, Narrative and Media -An Analysis of News on Israel-Palestine Confli...
Md Miraj Hossain
 
DOCX
Breaking Now – Latest Live News Updates from GTV News HD
aawaz institute of media & management sciences
 
PDF
Executive an important link between the legislative and people
SaurabhGautam970232
 
DOC
证书结业SU毕业证,莫道克大学毕业证假学位证
enmytc
 
PDF
JUDICIAL_ACTIVISM_CRITICAL_ANALYSIS in india.pdf
SaurabhGautam970232
 
DOCX
End Of The Age TV Program: Depicting the Actual Truth in a World of Lies
Endtimeministries
 
PPTX
Indian ancient knowledge system, ancient geopolitics
KushalK27
 
PDF
Role of federalism in the indian society
SaurabhGautam970232
 
PDF
05082025_First India Newspaper Jaipur.pdf
FIRST INDIA
 
PPTX
World Wars and International Conflict (FPSC Exams) (MCQs)
sumaira7744
 
PDF
The Blogs_ Hamas’s Deflection Playbook _ Andy Blumenthal _ The Times of Israe...
Andy (Avraham) Blumenthal
 
DOCX
Memecoin news and insights on memecoinist
memecoinist83
 
PPTX
ASEANOPOL: The Multinational Police Force
DebbieArado2
 
KAL 007 Manual: The Russian Shootdoown of Civilian Plane on 09/01/1983
Ingo Breuer
 
Supereme Court history functions and reach.pdf
saurabhbed31
 
2025-07-24_CED-HWB_WIPP_ACO000000001.pdf
StopForeverWipp
 
Precised New Precis and Composition 2025.pptx
MuhammadZahid846522
 
The Most Dynamic Lawyer to Watch 2025.pdf
lawoutlookmagazine
 
424926802-1987-Constitution-as-Basis-of-Environmental-Laws.pdf
LibresseJeanChavez
 
Aron Govil on Why America Lacks Skilled Engineers.pdf
New India Abroad
 
Conflict, Narrative and Media -An Analysis of News on Israel-Palestine Confli...
Md Miraj Hossain
 
Breaking Now – Latest Live News Updates from GTV News HD
aawaz institute of media & management sciences
 
Executive an important link between the legislative and people
SaurabhGautam970232
 
证书结业SU毕业证,莫道克大学毕业证假学位证
enmytc
 
JUDICIAL_ACTIVISM_CRITICAL_ANALYSIS in india.pdf
SaurabhGautam970232
 
End Of The Age TV Program: Depicting the Actual Truth in a World of Lies
Endtimeministries
 
Indian ancient knowledge system, ancient geopolitics
KushalK27
 
Role of federalism in the indian society
SaurabhGautam970232
 
05082025_First India Newspaper Jaipur.pdf
FIRST INDIA
 
World Wars and International Conflict (FPSC Exams) (MCQs)
sumaira7744
 
The Blogs_ Hamas’s Deflection Playbook _ Andy Blumenthal _ The Times of Israe...
Andy (Avraham) Blumenthal
 
Memecoin news and insights on memecoinist
memecoinist83
 
ASEANOPOL: The Multinational Police Force
DebbieArado2
 

Inadequate Security Practices Expose Key NASA Network to Cyber Attack

  • 1. MARCH 28, 2011 AUDIT REPORT OFFICE OF AUDITS INADEQUATE SECURITY PRACTICES EXPOSE KEY NASA NETWORK TO CYBER ATTACK OFFICE OF INSPECTOR GENERAL National Aeronautics and Space Administration REPORT NO. IG-11-017 (ASSIGNMENT NO. A-10-011-00)
  • 2. Final report released by: Paul K. Martin Inspector General Acronyms FTP File Transfer Protocol IP Internet Protocol IT Information Technology JPL Jet Propulsion Laboratory OA Office of Audits OIG Office of Inspector General VPN Virtual Private Network REPORT NO. NO. IG-11-017
  • 3. MARCH 28, 2011 OVERVIEW INADEQUATE SECURITY PRACTICES EXPOSE KEY NASA NETWORK TO CYBER ATTACK The Issue NASA relies on a series of computer networks to carry out its various missions, including controlling spacecraft like the International Space Station and conducting science missions like the Hubble Telescope. Therefore, it is imperative that NASA protect its computer networks from cyber attacks that could disrupt operations or result in the loss of sensitive data. In this audit, we evaluated whether NASA protected information technology (IT) assets on its Agency-wide mission computer network from Internet-based cyber attacks. Specifically, we assessed whether NASA adequately protected these IT assets from Internet-based attacks by regularly assessing risks and identifying and mitigating vulnerabilities. We also reviewed internal controls as appropriate. Details of the audit’s scope and methodology are in Appendix A. Results We found that computer servers on NASA’s Agency-wide mission network had high-risk vulnerabilities that were exploitable from the Internet. Specifically, six computer servers associated with IT assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable. Moreover, once inside the Agency-wide mission network, the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA’s operations. We also found network servers that revealed encryption keys, encrypted passwords, and user account information to potential attackers. These data are sensitive and provide attackers additional ways to gain unauthorized access to NASA networks. These deficiencies occurred because NASA had not fully assessed and mitigated risks to its Agency-wide mission network and was slow to assign responsibility for IT security oversight to ensure the network was adequately protected. In a May 2010 audit report, we recommended that NASA immediately establish an IT security oversight program for this key network. 1 However, even though the Agency concurred with the recommendation it remained unimplemented as of February 2011. Until NASA addresses these critical deficiencies and improves its IT 1 NASA OIG, “Review of the Information Technology Security of [a NASA Computer Network]” (IG-10-013, May 13, 2010). REPORT NO. IG-11-017
  • 4. OVERVIEW security practices, the Agency is vulnerable to computer incidents that could have a severe to catastrophic effect on Agency assets, operations, and personnel. Management Action In order to strengthen the Agency’s IT security program, we urge NASA to expedite implementation of our May 2010 recommendation to establish an IT security oversight program for NASA’s Agency-wide mission network. We also recommend that NASA Mission Directorates (1) immediately identify Internet-accessible computers on their mission networks and take prompt action to mitigate identified risks and (2) continuously monitor Agency mission networks for Internet-accessible computers and take prompt action to mitigate identified risks. Finally, to help ensure that all threats and vulnerabilities to NASA’s IT assets are identified and promptly addressed, we recommend that NASA’s Chief Information Officer, in conjunction with the Mission Directorates, conduct an Agency-wide IT security risk assessment. In response to a draft of this report, the Chief Information Officer and Mission Directorates concurred with our recommendations. The Chief Information Officer stated that she will work with the Mission Directorates and Centers to develop a comprehensive approach to ensure that Internet-accessible computers on NASA’s mission networks are routinely identified, vulnerabilities are continually evaluated, and risks are promptly mitigated by September 30, 2011. In addition, the Chief Information Officer said she will develop and implement a strategy for conducting an Agency-wide risk assessment by August 31, 2011. The full text of NASA’s comments can be found in Appendix B. We consider the Chief Information Officer’s proposed actions to be responsive to our recommendations. Therefore, the recommendations are resolved and will be closed upon verification that management has completed the corrective actions. ii REPORT NO. IG-11-017
  • 5. MARCH 28, 2011 CONTENTS INTRODUCTION Background _________________________________________ 1 Objectives __________________________________________ 2 RESULTS NASA Did Not Adequately Assess and Mitigate Risks to Its Agency-Wide Mission Computer Network ______________ 3 APPENDIX A Scope and Methodology ________________________________ 9 Review of Internal Controls ____________________________ 10 Prior Coverage ______________________________________ 10 APPENDIX B Management Comments ______________________________ 12 APPENDIX C Report Distribution ___________________________________ 16 REPORT NO. IG-11-017
  • 7. MARCH 28, 2011 INTRODUCTION Background The threat to NASA’s computer networks from Internet-based intrusions is tangible and expanding in both scope and frequency. For example, in May 2009 NASA notified the Office of Inspector General (OIG) of a suspicious computer connection from a system that supports Agency space operations and space exploration activities. The subsequent OIG investigation confirmed that cybercriminals had infected a computer system that supports one of NASA’s mission networks. Due to the inadequate security configurations on the system, the infection caused the computer system to make over 3,000 unauthorized connections to domestic and international Internet protocol (IP) addresses including addresses in China, the Netherlands, Saudi Arabia, and Estonia. 2 In another cyber attack in January 2009, cybercriminals stole 22 gigabytes of export-restricted data from a Jet Propulsion Laboratory (JPL) computer system. The sophistication of both of these Internet-based intrusions confirms that they were focused and sustained efforts to target assets on NASA’s mission computer networks. NASA’s Agency-wide mission network is widely distributed throughout the United States and hosts more than 190 IT systems and projects run by the Agency’s Mission Directorates and JPL. Included in these 190 IT assets are computer systems and projects that control the Hubble Space Telescope, the Space Shuttle, the International Space Station, the Cassini and Lunar Reconnaissance orbiters, and several ground stations and mission control centers. These IT systems and projects, categorized as moderate- and high-impact, control spacecraft, collect and process scientific data, and perform other critical Agency functions. 3 Consequently, a security breach of one of these systems or projects could have a severe to catastrophic adverse effect on NASA operations, assets, or personnel. In order to communicate and share information with external parties, NASA’s Agency- wide mission network is connected to the Internet. NASA uses firewall technology to control access to the network. A firewall is a set of IT resources that separate and protect computer systems and data on an organization’s internal networks from unauthorized 2 An IP address is a unique numerical label assigned to each device (such as a computer or printer) connected to a network that uses the Internet protocol to communicate. An information technology system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. 3 In a moderate-impact system, the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. In a high-impact system, such a loss could be expected to have a severe or catastrophic adverse effect. REPORT NO. IG-11-017 1
  • 8. INTRODUCTION access from an external network, such as the Internet. Specifically, firewalls inspect incoming network traffic and permit or deny requests for access according to an organization’s security policy. Firewalls are only as effective as the rules that security personnel define for them. For example, firewall rules that allow unrestricted access from the Internet to computers on an organization’s internal networks are pathways attackers can use to identify and exploit vulnerabilities on these networks. Accordingly, as part of an enterprise-wide IT security risk assessment, organizations should identify and prioritize the mitigation of vulnerabilities that can be exploited from the Internet. This is especially important when these vulnerabilities are associated with moderate- or high-impact systems because a system breach could severely degrade or even cripple an organization’s ability to operate. Typically, organizations assess their network security posture from within the confines of their own organizational networks and therefore do not always identify computers that are exploitable from the Internet. Computer hackers, however, assess and evaluate potential targets from the outside. Thus, computers that are accessible from the Internet are prime targets for exploitation and are highly sought after by hackers. Objectives We reviewed the firewalls and related computer networking devices that control the flow of network traffic between the Internet and systems on NASA’s Agency-wide mission network to determine whether they are effectively configured to protect NASA IT resources from Internet-based threats. We also reviewed internal controls as appropriate. See Appendix A for details of the audit’s scope and methodology. 2 REPORT NO. IG-11-017
  • 9. RESULTS NASA DID NOT ADEQUATELY ASSESS AND MITIGATE RISKS TO ITS AGENCY-WIDE MISSION COMPUTER NETWORK We performed vulnerability tests on computer servers connected to NASA’s Agency- wide mission computer network and found six servers that were exploitable from the Internet. These servers were associated with IT projects that control spacecraft or contain critical NASA data. In addition to servers with high-risk vulnerabilities, we also found servers that exposed encryption keys, encrypted passwords, and user account information. These data are sensitive and provide attackers additional ways to gain unauthorized access to NASA computer networks. These deficiencies occurred because NASA had not fully assessed and mitigated risks to the network and had not assigned responsibility for IT security oversight to ensure the network was adequately protected. A security breach of a moderate- or high-impact system or project on this key network could severely disrupt NASA operations or result in the loss of sensitive data. Computers on NASA’s Agency-wide Mission Network Could Be Exploited from the Internet NASA computers that are accessible from the Internet are prime targets for exploitation and thus are highly sought after by hackers. To determine the extent to which NASA’s Agency-wide mission network was vulnerable to a cyber attack, we first conducted a test to probe the network for Internet-accessible computers. 4 The test included all IP addresses assigned to the more than 190 IT systems and projects on this network – more than 176,000 in total. At the time of our test, we found that NASA’s Agency-wide mission network had 54 Internet-accessible computer servers associated with 8 IT projects. These servers were associated with moderate- and high-impact NASA IT projects used to control spacecraft or process critical data. We contacted the owner of each project and found that two of the eight projects were scheduled for termination and were disposed of during the audit. 5 We performed vulnerability tests on the six remaining projects to determine if they included computers with high-risk vulnerabilities. Specifically, we used NESSUS®, a network vulnerability scanner, to test each computer for vulnerabilities such as running outdated or unpatched 4 We used Nmap, a widely used software program, to identify Internet-accessible computers. Nmap discovers what hosts (computers) are present on a network and what services (applications such as e-mail or file sharing) those hosts are offering. 5 Disposal means that all computer hardware related to the project was removed from the network and retired. REPORT NO. IG-11-017 3
  • 10. RESULTS software or offering network services that have known security weaknesses. NESSUS® ranks vulnerabilities as high, medium, or low based on their potential to harm the system. One of the IT projects we reviewed had an Internet-accessible server that was susceptible to a file transfer protocol (FTP) bounce attack – a highly effective form of cyber attack, widely known since 1998. 6 As shown in Figure 1 below, in an FTP bounce attack the attacker connects to and exploits a software flaw in the FTP server (1 and 3). Next, the attacker uses the FTP server as a middle-man to discreetly scan computers positioned behind the firewall for vulnerabilities (2). The scan results are relayed from the FTP server back through the firewall to the attacker (4), and the attacker uses the scan results to exploit other computers on the network, disrupt operations, or steal data. Figure 1: Attacker Exploits Vulnerability to Disrupt NASA Operations or Steal Data Table 1 shows the results of our vulnerability tests for the six NASA projects we evaluated. Specifically, it shows the number of Internet-accessible servers with high-risk vulnerabilities and the total number of servers with high-risk vulnerabilities. We also detected medium- and low-risk vulnerabilities and immediately provided the complete results of our tests to NASA IT security staff. NASA has since remediated all the high- risk vulnerabilities we detected. As the table shows, three of the projects and six computer servers had high-risk vulnerabilities that could allow an Internet-based attacker to take control of the computers or render them unavailable. We also found high-risk vulnerabilities on other computers that were part of these six projects. 6 File transfer protocol is a network protocol commonly used on the Internet to copy files from one computer to another. An FTP bounce attack exploits the FTP protocol when an attacker is able to use the PORT command to request access to ports indirectly through the use of the victim machine as a middle- man for the request. 4 REPORT NO. IG-11-017
  • 11. RESULTS Table 1. Vulnerability Assessment Results Number of Internet- Number of Servers with Accessible Servers with High-Risk Project High-Risk Vulnerabilities Vulnerabilities 1 0 2 2 0 0 3 0 2 4 2 2 5 3 5 6 1 1 Total 6 12 Once an attacker has exploited a vulnerability on an Internet-accessible computer, the attacker could use the compromised computer as a means to exploit vulnerabilities on other mission network computers. For example, had the bounce attack vulnerability been exploited, a cybercriminal could have significantly disrupted NASA’s space flight operations and stolen sensitive data. Problems with Server Configurations Exposed Sensitive Data We also found that servers associated with the six projects we reviewed were not securely configured and, as a result, sensitive data such as encryption keys, encrypted passwords, and user account lists were exposed to potential attackers. These data are sensitive and can be used to gain unauthorized access to NASA’s Agency-wide mission network. For example, an attacker can use encryption keys to bypass security controls and remotely access a mission network server. 7 Although encrypting passwords prevents the true password from being disclosed in a legible form, an attacker can use one of the many tools available on the Internet to decipher the password through a technique called brute- forcing. 8 After cracking the password, the attacker can then bypass the login mechanism on the related server’s password-protected website and gain access to NASA’s Agency- wide mission network. Finally, one server we reviewed disclosed sensitive account data for all its authorized users. This information could be used by attackers for phishing or sending Agency personnel e-mails containing malicious code to their official NASA e-mail accounts. When the recipient accessed the e-mail, their computer and any sensitive data on it could be compromised. 7 The encryption keys are files used as part of the authentication process for tunneling into an internal network using a VPN (virtual private network) to remotely administer computer servers in the network. 8 Brute-force password cracking is a technique that involves an automated script or program that attempts every possible password combination or uses a dictionary of words until the encrypted password is discovered. REPORT NO. IG-11-017 5
  • 12. RESULTS NASA Needs to Conduct an Agency-Wide IT Security Risk Assessment Although NASA regularly conducts risk assessments of individual IT systems, the Agency has never completed an Agency-wide risk assessment for its portfolio of IT assets. Agency-wide risk assessments are important because they help ensure that all threats and vulnerabilities are identified and that the greatest risks are promptly addressed. In our judgment, the deficiencies noted above occurred because NASA (1) was unaware of critical risks to its Agency-wide mission network that a comprehensive risk assessment would have brought to light and (2) had not implemented an agreed-upon recommendation to establish an IT security oversight program to ensure that Agency mission networks were adequately protected. As a result, NASA’s Agency- wide mission network was vulnerable to a variety of cyber attacks with the potential for devastating adverse effects on the mission operations the network supports. Until NASA improves its IT security practices by completing a comprehensive IT security risk assessment and implementing our previous recommendation to establish an IT security oversight program, the Agency is vulnerable to computer incidents that could have a severe to catastrophic adverse effect on Agency assets, operations, or personnel. Recommendations, Management’s Response, and Evaluation of Management’s Response To strengthen the Agency’s IT security program, we urged NASA to expedite implementation of our May 2010 recommendation to establish an IT security oversight program for NASA’s Agency-wide mission network. We also recommended that NASA Mission Directorates take the following actions: Recommendation 1. Immediately identify Internet-accessible computers on their mission computer networks and take prompt action to mitigate identified risks. Recommendation 2. Add as a security control continuous monitoring of their mission computer networks for Internet-accessible computers and take prompt action to mitigate identified risks. Management’s Response. The NASA CIO and Mission Directorates combined Recommendations 1 and 2 and stated that by September 30, 2011, the CIO will work with the Mission Directorates and Centers to develop a comprehensive approach to ensure that Internet-accessible computers on NASA’s mission networks are routinely identified, vulnerabilities are continually evaluated, and risks are promptly mitigated. NASA’s proposed corrective action is an Agency-wide solution and will include analyses of the root cause or causes underlying the findings in this and prior audits; identification of short-term steps that NASA will take to address the audit findings; identification of long- term initiatives to address any identified root cause; and identification of the costs and 6 REPORT NO. IG-11-017
  • 13. RESULTS resources, tools, procedures, and oversight needed to implement the plan, along with specific milestones and assignments of responsibility and methods for accountability. Evaluation of Management’s Response. We consider the CIO and Mission Directorate proposed actions to be responsive to our recommendations. Further, we commend NASA for extending the corrective actions beyond NASA’s mission networks. The recommendations are resolved and will be closed upon verification that the proposed actions have been completed. The CIO also requested that we reevaluate the security of Internet-accessible computers on NASA’s mission networks within 1 year of the development of NASA’s remediation plan. We agreed and plan to perform a vulnerability assessment of NASA’s mission networks in October 2012 to evaluate the security status of the Agency’s Internet- accessible computers. Finally, we recommended that NASA’s Chief Information Officer in conjunction with the Mission Directorates: Recommendation 3. Conduct an Agency-wide IT security risk assessment of NASA’s mission-related networks and systems in accordance with Federal guidelines and industry best practices. Management’s Response. The CIO and Mission Directorates concurred with our recommendation, stating that NASA will develop and implement a strategy for conducting such a risk assessment with the goals of (1) providing an overall view of the Agency’s information security risk posture and effectiveness of ongoing information security initiatives, particularly on NASA’s mission-related networks and systems, and (2) producing actionable recommendations for improving information security, prioritized by level of risk to the Agency, by August 31, 2011. Evaluation of Management’s Response. We consider the proposed actions to be responsive to our recommendation. Therefore, the recommendation is resolved and will be closed upon verification that the proposed actions have been completed. REPORT NO. IG-11-017 7
  • 15. APPENDIXES APPENDIX A Scope and Methodology We performed our audit from July through February 2011 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform our work to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. To evaluate processes NASA used to control the flow of network traffic between the Internet and systems on NASA’s Agency-wide mission network, we inspected configurations of the firewalls and network gears that control network traffic between the Internet and agency-wide mission network. To identify Internet-accessible servers on 100 percent of the Agency-wide mission network, we used Nmap, a widely used software program, that can be used to discover IT assets that are accessible from the Internet. Based on the results of Nmap scans, we identified eight mission projects (two of which were decommissioned prior to the completion of our audit fieldwork) that had computer servers that were accessible from the Internet. We selected these projects for detailed review. Specifically, we assessed whether NASA has effective processes in place to • protect internal IT assets from external threats, • resume post-disaster operations, and • identify and remediate technical vulnerabilities. We interviewed NASA and contractor staff responsible for the different areas for each project reviewed. We evaluated processes, controls, and tools they used to secure their IT mission assets and mitigate risk. We conducted vulnerability assessments on each of the six IT projects identified to assess NASA’s ability to mitigate technical vulnerabilities. Additionally, we inspected and validated the configurations of the devices that control the flow of network traffic between the Internet and NASA’s mission projects against NASA’s recommended configurations. To evaluate processes NASA used for contingency planning for the Agency-wide mission network, we assessed whether there are effective processes in place to not only restore the network following a disruption but also to maintain network operations throughout the occurrence of a disaster. We also developed questionnaires to interview NASA and REPORT NO. IG-11-017 9
  • 16. APPENDIX A contractor staff responsible for the restoration of the Agency-wide mission network. We inspected the contingency plans and contingency plan tests for the Agency-wide mission network. Use of Computer-Processed Data. We relied on data produced from a software program to perform discovery scans on the Agency-wide mission network. We used Nmap, a widely accepted open source port scanner, to determine what hosts (computers) are active and which ports on these computers are open or may be open and available on a given network and what services and applications those hosts are offering. We validated the data produced by Nmap by manually connecting to the hosts identified by Nmap as open. We also relied on data produced from a software program to perform vulnerability tests on samples of mission projects connected to the Agency-wide mission network. We used NESSUS®, a commercial network-based vulnerability scanner, to test computers for technical vulnerabilities. We did not validate the data produced by NESSUS® because NESSUS® is widely accepted as a reliable source for providing information related to the presence of technical vulnerabilities in information systems. Review of Internal Controls We reviewed internal controls related to the flow of network traffic between the Internet and systems on NASA’s Agency-wide mission network and contingency planning audit objectives. These included determining whether NASA has policies and procedures in place for performing risk assessments, configuration and vulnerability management, and contingency planning. Prior Coverage During the last 5 years, the NASA Office of Inspector General (OIG) and the Government Accountability Office (GAO) have issued two reports of particular relevance to the subject of this report. Unrestricted reports can be accessed over the Internet at http://oig.nasa.gov/audits/reports/FY11 (NASA OIG) and http://www.gao.gov (GAO). NASA Office of Inspector General “Review of the Information Technology Security of [a NASA Computer Network]” (IG-10-013, May 13, 2010). 10 REPORT NO. IG-11-017
  • 17. APPENDIX A Government Accountability Office “NASA Needs to Remedy Vulnerabilities in Key Networks” (GAO-10-4, October 15, 2009) REPORT NO. IG-11-017 11
  • 18. APPENDIX B MANAGEMENT COMMENTS 12 REPORT NO. IG-11-017
  • 19. APPENDIX B REPORT NO. IG-11-017 13
  • 20. APPENDIX B 14 REPORT NO. IG-11-017
  • 21. APPENDIX B REPORT NO. IG-11-017 15
  • 22. APPENDIX C REPORT DISTRIBUTION National Aeronautics and Space Administration Administrator Deputy Administrator Chief of Staff Chief Information Officer Associate Administrator Aeronautics Research Mission Directorate Associate Administrator Science Mission Directorate Associate Administrator Exploration Systems Mission Directorate Associate Administrator Space Operations Mission Directorate Non-NASA Organizations and Individuals Office of Management and Budget Deputy Associate Director, Energy and Science Division Branch Chief, Science and Space Programs Branch Government Accountability Office Director, NASA Financial Management, Office of Financial Management and Assurance Director, NASA Issues, Office of Acquisition and Sourcing Management Congressional Committees and Subcommittees, Chairman and Ranking Member Senate Committee on Appropriations Subcommittee on Commerce, Justice, Science, and Related Agencies Senate Committee on Commerce, Science, and Transportation Subcommittee on Science and Space Senate Committee on Homeland Security and Governmental Affairs House Committee on Appropriations Subcommittee on Commerce, Justice, Science, and Related Agencies House Committee on Oversight and Government Reform Subcommittee on Government Organization, Efficiency, and Financial Management House Committee on Science, Space, and Technology Subcommittee on Investigations and Oversight Subcommittee on Space and Aeronautics 16 REPORT NO. IG-11-017
  • 23. Major Contributors to the Report: Wen Song, Director, Information Technology Directorate Jefferson Gilkeson, Project Manager Eric Jeanmaire, Auditor Morgan Reynolds, Auditor REPORT NO. IG-11-017 17
  • 24. MARCH 28, 2011 REPORT No. IG-11-017 OFFICE OF AUDITS OFFICE OF INSPECTOR GENERAL ADDITIONAL COPIES Visit http://oig.nasa.gov/audits/reports/FY11/ to obtain additional copies of this report, or contact the Assistant Inspector General for Audits at 202-358-1232. COMMENTS ON THIS REPORT In order to help us improve the quality of our products, if you wish to comment on the quality or usefulness of this report, please send your comments to Mr. Laurence Hawkins, Audit Operations and Quality Assurance Director, at Laurence.B.Hawkins@nasa.gov or call 202-358-1543. SUGGESTIONS FOR FUTURE AUDITS To suggest ideas for or to request future audits, contact the Assistant Inspector General for Audits. Ideas and requests can also be mailed to: Assistant Inspector General for Audits NASA Headquarters Washington, DC 20546-0001 NASA HOTLINE To report fraud, waste, abuse, or mismanagement, contact the NASA OIG Hotline at 800-424-9183 or 800-535-8134 (TDD). You may also write to the NASA Inspector General, P.O. Box 23089, L’Enfant Plaza Station, Washington, DC 20026, or use http://oig.nasa.gov/hotline.html#form. The identity of each writer and caller can be kept confidential, upon request, to the extent permitted by law.