Information Security News mailing list archives

NASA still has security gap


From: William Knowles <wk () c4i org>
Date: Thu, 24 May 2001 12:40:17 -0500 (CDT)

http://www.fcw.com/fcw/articles/2001/0521/web-nasa-05-24-01.asp

BY Christopher J. Dorobek 
05/24/2001 

NASA has improved its security processes since a scathing General
Accounting Office report found holes in some of the space agency's
mission-critical systems. But NASA still needs to improve the way it
scans for potential vulnerabilities, a new audit by the agency's
inspector general says.

NASA has implemented nearly all of the recommendations from a May 1999
GAO report, which revealed that auditors were able to hack into
several systems. Those systems included one responsible for
calculating detailed positioning data for Earth-orbiting spacecraft
and another that processes and distributes scientific data received
from those spacecraft.

"Overall, the new policies that NASA established are adequate, but
substantial work remains to fully implement them," the IG report
stated.

The IG report, "Information Technology Security Planning," dated March
30 but released last week, says that NASA's current policies for
scanning its computer systems for a limited number of vulnerabilities
"do not result in an adequate assessment of the agency's IT system
vulnerabilities."

"As a result, the IT security risks and metrics that NASA reports to
the Congress may understate NASA's IT vulnerabilities and provide undue
assurance on the integrity, availability and confidentiality of
information," according to the report, which has some portions
redacted for security reasons.

NASA does not use scanning software to detect many types of
vulnerabilities, the IG said.

The IG makes several recommendations in the report. 

* NASA should include in its performance plan a description of the
  time and resources necessary to implement its IT security program. 

* NASA should develop IT security metrics that cover the Office of
  Management and Budget's requirements. 

* NASA should select metrics for measuring the performance of its IT
  security program that ensure they accurately reflect the current
  risks. 

* NASA should describe the extent of vulnerability testing used to
  calculate the IT security metrics that are presented to Congress as
  part of its annual performance plan. 

NASA officials concurred with many of the recommendations. The agency's
fiscal 2002 performance plan, for example, has been changed to make it
clear that only a specified set of vulnerabilities is included in its
metrics and that the scanned vulnerabilities may change from quarter
to quarter.

Agency officials said that for now, it is not possible to "ensure"
that the performance measurements accurately reflect NASA's IT security
risk. "We have not claimed that the metric does this," NASA chief
information officer Lee Holcomb said.

"We believe that our current vulnerability testing reflects a balance
of effectiveness and cost," he said in a written response to the IG
report. He noted, however, that the agency would work with the IG's
office to further hone the balance between effective and exhaustive
vulnerability testing.



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*


ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.
