NASA IT Vulnerable After 1,120 Security Incidents

GAO: Malicious Software Installed on Space Agency Systems

NASA reported 1,120 security incidents that have resulted in the installation of malicious software on its systems and unauthorized access to sensitive information in fiscal years 2007 and 2008, according to a report issued Thursday by the Government Accountability Office. And, the GAO reports, National Aeronautics and Space Administration systems remain vulnerable despite the establishment of a security operation center last year to deter such incidents.

"The control vulnerabilities and program shortfalls, which GAO identified, collectively increase the risk of unauthorized access to NASA's sensitive information, as well as inadvertent or deliberate disruption of its system operations and services," wrote Gregory Wilshusen, GAO's information security issues director, in a report cosigned by GAO Chief Technologist Nabajyoti Barkakati. "They make it possible for intruders, as well as government and contractor employees, to bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts. As a result, increased and unnecessary risk exists that sensitive information is subject to unauthorized disclosure, modification, and destruction and that mission operations could be disrupted."

GAO cited a NASA report that said the number of malicious code attacks - 839 - was the highest experienced by any of the federal agencies, which accounted for more than one-quarter of the total number of malicious code attacks directed at federal agencies in 2007 and 2008. GAO cited an official at the U.S.-CERT as saying NASA's high profile makes the agency an attractive target for hackers seeking recognition, or for nation-state sponsored cyber spying.

More...