Without going into all the technical detail of every mistake that has been identified by this audit, needless to say it paints a very poor picture of JPL network security indeed. Everything from poor IT asset visibility and security violation ticket resolution shortcomings, through to untimely delays in patching known vulnerabilities were detailed by the auditors. System administrators lacked security certifications, no role-based security training was in place and JPL, unlike the main NASA security operations center (SOC), didn't even have a round-the-clock incident reporting capability. All in all it reads like a security basics 101 list that has been ignored.

John Opdenakker, an ethical hacker, admitted in conversation this afternoon that "hackers might still be in their network, without them even knowing," and pondered why the audit report was published now when there is no confirmation that all the problems have been fixed in the meantime.

According to information security analyst Mike Thompson, NASA is right up there when it comes to high profile targets. "Many purely associate them with space related activities," Thompson explains, "but their depth of research and development includes patents covering cutting edge science that nation states would literally kill for." In fact, the report itself states that: "in spite of its efforts to protect these assets, critical vulnerabilities remain that place JPL at risk of cyber intrusions resulting in the theft of critical information."

The somewhat huge challenge that NASA faces from the cybersecurity perspective shouldn't be underestimated though. Scientists tend to default to collaboration after all. "Imagine trying to do cybersecurity focused on advanced threat actors when many of the members of the scientific community work in those adversarial countries," Ian Thornton-Trump, head of security at AmTrust International, says. "You can't simply turn Russia off at the firewall, for example, when you are partnered with Russia," Thornton-Trump concludes, "it's almost mission impossible for NASA from an infosecurity point of view." Thornton-Trump's comments resonate with the conclusion of the audit report which states: "the inability to protect against cyberattacks in general and advanced persistent threats in particular places the Agency's status as a global leader in space exploration and aeronautics research at risk."

I have contacted NASA for a comment and will update the story should one be forthcoming. In response to my request for a comment on this story, Karen Northon from NASA headquarters referred me to the agency's response in the audit report. In a letter dated June 13 to the assistant inspector general for audits, Renee P. Wynn, NASA chief information officer, and Marcus Watkins, director of the NASA management office, address ten recommendations made in the audit report. NASA concurs with nine of the ten, giving estimated completion dates ranging from Jthrough to January 15, 2020.