Experts from the Office of the Inspector General (OIG) are not satisfied.
Their audit of the computer networks on which NASA relies to carry out its various missions has found that the agency has yet to apply the recommendations for a consistent security policy and program that they made after the previous audit back in May.
Equally worrying is the fact that the networks are riddled with vulnerabilities that can be misused by attackers who might want to gain access and take control of critical systems, and that these flaws exist due to unpatched software.
The auditors’ goal was to assess whether NASA adequately protected its IT assets from Internet-based attacks by regularly assessing risks and identifying and mitigating vulnerabilities.
“We found that computer servers on NASA’s Agency-wide mission network had high-risk vulnerabilities that were exploitable from the internet. Specifically, six computer servers associated with IT assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable,” they state in the conclusion of the report.
“Moreover, once inside the Agency-wide mission network, the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA’s operations. We also found network servers that revealed encryption keys, encrypted passwords, and user account information to potential attackers. These data are sensitive and provide attackers additional ways to gain unauthorized access to NASA networks.”
Hopefully, the Agency moved to patch the vulnerabilities before the report was released. Whether it will heed the repeated recommendations remains to be seen.