By Patience Wait
At a time when the public has a heightened awareness of computer
security problems at government agencies, the NASA inspector general
has found that one of the space agency's centers has not put in place
sufficient IT security to protect data and systems from possible
"Weaknesses in these areas could lead to the compromise of the
computer network," the IG found.
The center audited by the IG was not identified, and only a summary of
the report  was released June 2.
According to the report summary, NASA system administrators at the
center did not:
* Periodically review critical firewall audit logs and modems used to
protect the computer network
* Monitor for the use of files and commands with security risks
* Consistently perform system backups
* Meet NASA requirements for storing backup media.
The IG's audit found other problems as well. System administrators
also accessed a key server containing security information without
adequate encryption and did not remove unnecessary services from the
network. Software patches were not installed in a timely manner to fix
security weaknesses in the network servers, and vulnerabilities found
during security scans of the systems were not promptly fixed. Finally,
NASA had no formal policy governing foreign nationals' use of laptops
or other electronic devices while visiting the NASA center or working
"We recommended that the NASA center take actions to improve security
controls over the network, to include developing, implementing, and
enforcing procedures and controls over auditing and monitoring, the
use of software and unnecessary services, the installation of patches,
and system backups," the summary concluded. "We also recommended that
the center develop and implement a formal policy to prohibit foreign
nationals' onsite use of their own laptops and other electronic
Of 13 specific recommendations made by the IG, NASA agreed with nine,
and has already taken or planned corrective actions. The internal
auditors planned follow-up actions on those issues not yet resolved.
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.