An audit report from the Inspector General for NASA finds that the United States space agency has some serious computer and network security issues that could have compromised missions, or even jeopardized lives. How can an agency with the combined superior intellect to put a man on the moon fail at the relatively simple task of just patching a few servers?
The fact that an internal audit would produce a report titled "Inadequate Security Practices Expose Key NASA Network to Cyber Attack" is as embarrassing as it is concerning, and it is indicative of the broader issue of network security in general for all organizations. If RSA--which companies rely on for more secure authentication, and Comodo--which organizations rely on for SSL certificates to validate Websites, and NASA--a key United States government agency with crucial confidential data to safeguard--can't manage to lock things down, it leaves IT admins at average organizations shrugging their shoulders wondering what exactly they can do.
I asked some security experts to weigh in for some perspective on the NASA report. Tim 'TK' Keanini, CTO of nCircle, pointed out that security is a process, but it is apparently not a process that has been fine-tuned or received adequate attention at NASA.
Keanini commented, "Process maturity is domain specific and IT security is a ‘new' domain to most mature organizations. This is not an excuse, it is just a reality," adding, "I'm certain that if NASA managed IT security with the same level of priority they use for their missions, this situation would not exist and we would be learning from their playbook."
Anup Ghosh, founder and chief scientist for Invincea, noted that events like the recent attacks against HBGary, RSA, and Comodo, and this audit report from NASA might lead IT admins to ask: "If it is happening to organizations like these, can it happen to us?" But, Ghosh says the better question to ask is: "If it is happening to the top security companies, is it happening everywhere?" Ghosh volunteers the answer to that question, saying it is undoubtedly "yes".
Ghosh explains, "If you put a magnifying glass to any network, you're going to find problems, so this is not about NASA as much as it is about the state of network security today. If they weren't found, you'd have to really question the quality of the audit. More importantly, the response from NASA, the Government, and the industry should not just be more penetrate and patch cycles. Rather, the right response is to architect our networks, servers and desktops to be resilient to attacks in the first place."
Randy Abrams, director of technical education at ESET, cautions that talk of endangering space shuttle missions, or crippling the International Space Station make for sensational headlines, but are not really the primary risk. Attackers that would infiltrate NASA servers are most likely interested in flying under the radar and gathering as much sensitive, classified data as possible for as long as possible. Attacks against a space shuttle mission would yield little value, and even less profit.
Abrams says, "It's far too easy to get lost in the hype of the shuttle crashing or the space station shutting down when the real risk is to classified data and government systems."
We'll sum up with some thoughts from Oliver Lavery, director of security research and development for nCircle. Lavery explains that organizations today are faced with the challenge of securing an increasingly diverse and ethereal network, and protecting a skyrocketing amount of data.
Lavery states, "The failure of the security program here is probably not technical, it's more likely a lack of proper threat modeling, asset classification, and triage processes. The real challenge for massive organizations is ensuring that security efforts get the most bang for every buck."
So, Houston, we do, in fact, have a problem--but, don't panic. Look beyond the sensationalism of terrorist attacks against shuttle missions, and focus on the real issues uncovered by the NASA audit report. What we can learn from NASA is that security is a process, not an event, and that organizations should be as diligent as possible in proactively identifying and resolving--or at least mitigating--issues which expose the network to risk.