The National Aeronautics and Space Administration (NASA) is the first institute of its kind in the world devoted to exploring the world and the universe we live in. The organization has succeeded in visiting the moon and other planets to collect data and look for signs of life, in order to learn whether existence is possible beyond this world. The organization also works on exploring the universe and applying its diverse knowledge to enlighten humanity with its findings. Its vision is to uncover the hidden realities of the universe and to be the first to do so (NASA, 2011). Its core mission is to advise in science, technology, and exploration, using knowledge and experience in the relevant fields. For the organization, everything is the knowledge and information that it has gathered and explored through decades of hard work in the field and the expenditure of millions. The most important asset for NASA is its information, which is preserved in computer systems connected through networks. Although NASA is one of the most important organizations in the world, it has vulnerabilities in its information security systems that are a serious threat to the authenticity and safety of that information. In this report, we will consider the weaknesses in NASA's information security system highlighted by GAO, whose review was conducted at three NASA centers. It seems that the organization had most of the security practices ready but did not implement them to secure its information and protect itself from outside attacks, which were alarming in the year 2009. There have been different kinds of attacks on the organization's information systems, and the organization has lost important information as well.
First, we will see which weak areas of the organization need to be secured immediately; then, in the later part, we will see how those weaknesses can be minimized or eliminated entirely to secure the information systems. As the number of internet users in the world increases, the threat to information is also increasing rapidly. Well-known organizations like NASA are the prime focus of most hackers, which calls for improved security systems and practices in such organizations.
NASA System and Network Security
NASA is well aware of the information security systems available to the organization, and some of them are implemented in their best possible form. Some practices are implemented, but not all practices, policies and procedures are in place as required. This report shows that three NASA centers were tested to determine whether the implemented security programs left the systems free from vulnerabilities, and the results were astonishing and totally opposite to our expectations. The basic weakness in these centers was that some basic security protocols were not implemented in their best forms, such as user controls, including user accounts, passwords, appropriate access rights, permissions and the encryption of sensitive information. Moreover, data was stored without encryption, which is also alarming because the information is vulnerable. Another security practice missing in these centers was an audit of the information security system to discover new vulnerabilities and find solutions to them. This led to an absence of monitoring of the information security system.
Shortcomings in NASA Information Security Program
There are a number of shortcomings in NASA's security system. The organization lacked policies and procedures that could set out how security measures should be implemented and how to face attacks (GAO, 2009). The organization had security plans, but key information was missing from them: there was no plan for malware incident handling, and no roles were defined in the incident response plan. There was no contingency plan for the security measures, and there was no tracking of the plan that was meant to secure the information system. A major component missing from the organization's plan was risk assessment, which is important for organizations according to FIPS Publication 199. Security was implemented only in general terms at NASA, and when it was reported that risk assessment had been implemented in 13 of the organization's 24 buildings, the organization's representative reported that assessments may have been held in the past but no reports were produced regarding them (GAO, 2009). NASA has conducted some tests of its security systems; however, those tests were not comprehensive. There were remedial actions for some threats, but those actions were not tracked either.
Attacks on NASA Security Program
NASA has undergone a huge number of attacks in past years such as 2007-2008. It is reported that 1120 security incidents were recorded, including denial of access, unauthorized user access, scans, malicious code and improper usage. In October 2007, 86 incidents were recorded related to Zonekar trojan attacks on the network. In 2008, several hosts were infected with the Coreflood trojan. In 2009, a NASA laptop went missing, with a recorded leak of more than 3000 items of sensitive information. Laptop thefts were recorded at other centers as well. Another incident was recorded in February 2009: a vulnerability was detected and, after tracing it, it was found that the organization's network had been in use since January 2009 (GAO, 2009). The same year recorded 209 incidents of unauthorized access to the network.
Key Reasons for Weaknesses in NASA Information Security Program
Because there were weaknesses in the organization's information security system, the reasons behind the vulnerabilities were highlighted. The main reason for most of the weaknesses was that access control over information resources was not adequately implemented, which left a number of loopholes through which unauthorized persons could gain access to the information. The areas of access control included identification and authorization of users, granting of access to users, boundary protection of resources, cryptography for stored information, audit and monitoring of the security policies, and the physical security of the resources containing the information. There was not much restriction on sensitive information or privacy for authentication information such as usernames, and there were some shared group user IDs. The networks were also not restricted.
There was no encryption of information transferred using the network devices, although NSA recommends cryptography for the transfer of information. Moreover, OMB is in favor of encryption of all types of data for an organization like NASA. NASA had no such implementation of encryption, and even the networks were managed using unencrypted protocols. NASA had identified which information was sensitive and which resources were important, but did not provide boundary protection for such resources, like workstations or laptops. There was not even protection against intrusion through a host-based firewall. Another weakness in the security systems was that monitoring was not comprehensive. NIST recommends routine scans to check for vulnerabilities, especially on systems that are connected to the internet. NIST also recommends source code review of installed applications and auditing of databases. At NASA, however, the databases were not configured so that they could be audited, and the source code was not reviewed.
There were also weaknesses in the controls over the organization and its employees. There was inadequate segregation of duties, such as relying on a single person to take care of all the operations, which is not ideal for such an organization and will create more errors in the system. Another shortcoming concerned the identification of installed packages after a vulnerability was identified in the system. NASA did not implement the full security program agency-wide.
Recommendation for NASA Security Plan
There is a need to take some immediate actions to enhance the organization's security plan: there must be an appropriate risk assessment that considers the known vulnerabilities. Key information such as risk assessment should be included in the plan, and policies should be developed for role distribution during incident handling and for conducting comprehensive security tests. The contingency plans should be updated on a regular basis, and an incident detection plan should be prepared as well, taking into account the key information and incident handling.
This report revealed that the organization holds highly important information but lacks most of the security practices, which can make it vulnerable to attacks. All of the weaknesses were highlighted in the report by GAO, and those weak areas can be worked on to secure the organization's information by taking appropriate actions and implementing the plans. It shows that organizations need to focus on risk assessment and the security of their information systems. Continuous testing and comprehensive monitoring of the security program is the best way to secure the organization's information. The attacks on NASA may be because it is one of the most prominent organizations in the world, which requires more updated and enhanced security for its information systems and programs.
| Security Area | Responsible Party / Office of Primary Responsibility (OPR) | Known Vulnerabilities / Risks | Countermeasures / Risk Mitigation Strategy |
|---|---|---|---|
| Acquisition (systems/services) | Boundary System Protection | Intrusion to systems connected to internet | Adequate protection to network |
| Asset management | Duty Segregation | Fraudulent transactions | Distribution of tasks among two or more groups and individuals |
| Audit and accountability | Information security planning | Unnoticed attacks on network and systems | Proper routine audit and monitoring of systems |
| Authentication and authorization | System administrator | Unauthorized access to systems and sensitive data | Adequate authentication and authorization procedures |
| Business Continuity | Business Continuity Management | Access to server rooms | Restrict access to relevant areas |
| Compliance management | Center Chief Information Officer | Systems connected to internet | Review of source code of installed programs |
| Configuration control | System Configuration | Attacks on database | Monitoring of security patches |
| Data | Information security | Loss of data | Adequate authentication and authorization |
| Hardware | Physical Security | Unauthorized access to sensitive information | Revise physical security policy |
| Identity management | Chief Information Officer | Leakage of access information to system | Limit credentials for accessing the systems |
| Incident management | Incident Response Management | Loss of data during vulnerability | Proper assignment of roles during incident |
| Maintenance procedures | Information Management | Chances of data loss | Routine maintenance check |
| Media protection and destruction | Physical security | Theft of laptop or other media | Improve physical security in centers |
| Network | Network Security | Intrusion to the network | Manage network through encrypted protocol |
| Planning | Planning of security | Damages to the information | Implement NIST procedures |
| Personnel | Human Resource Management | Leakage of credentials or information | Proper background check before hiring |
| Physical environment | Security | Unauthorized access to restricted areas | Limit access to relevant areas |
| Policy | Chief Information Officer | Inadequate security practices | Including key information in the security plan |
| Operations | Information Security Framework | Security flaws | Manage operations following OMB guideline |
| Outsourcing | HR management | Access to information | Encryption of all information and data |
| Risk assessments | Incident Response Management | Damages can be unstoppable | Risk assessments of known vulnerabilities |
| Software | Information Security Office | Vulnerability and access to network | Review of source code |
| Training | HR Department | Actions leading to vulnerability | Proper training regarding relevant department |
Canada, G. o. (2014, 10 30). Information Management and Information Protection Glossary of Terms. Retrieved from Office of the Chief Information Officer: http://www.ocio.gov.nl.ca/ocio/im/glossary.html#Compliance
Columbia, B. (2015). Recorded Information Management (RIM) Glossary. Retrieved from British Columbia: http://www.gov.bc.ca/citz/iao/records_mgmt/policy_standards/rim_manual/glossary.html
GAO. (2009). NASA Needs to Remedy Vulnerabilities in Key Networks. Washington: GAO.
NASA. (2011). 2011 NASA Strategic Plan. Washington: National Aeronautics and Space Administration.