Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Most NASA Systems at Risk From Insider Threats: Audit

Most of the IT systems at the National Aeronautics and Space Administration (NASA) are exposed to higher-than-necessary risks from internal threats, a recent audit has concluded.

Most of the IT systems at the National Aeronautics and Space Administration (NASA) are exposed to higher-than-necessary risks from internal threats, a recent audit has concluded.

A report from NASA’s Office of Inspector General (OIG) reveals that, while the agency has efficiently implemented an insider threat program that covers classified systems, most of the agency’s systems are unclassified, thus potentially exposed.

Insider threats may include accidental leaks originating from phishing attacks or erroneously forwarded emails, the misuse of network or database access, and data theft – when an employee intentionally copies data with the intent of sharing it with third parties.

As part of its fully operational insider threat program, NASA monitors the classified network for anomalous user activity, it conducts mandatory threat training and it has established a website to help employees and contractors identify potential threats, and it has strengthened procurement controls.

However, “the vast majority of its IT systems—including many containing high-value assets and critical infrastructure—are unclassified and are therefore not covered by its current insider threat program. Consequently, the Agency may be facing a higher-than-necessary risk to its unclassified systems and data,” the report reads.

[ READ: NASA Identified Over 6,000 Cyber Incidents in Past 4 Years ]

The audit has concluded that NASA’s insider threat program – which was established in 2014 and validated as fully operational in 2018 – meets federal requirements, and that adding the unclassified systems to the program could provide an additional level of maturity.

According to the report, the current maturity of NASA’s classified insider threat program should be considered adequate for keeping systems protected from both unwitting and witting insiders, especially since the agency mandates annual insider threat awareness training.

However, the auditors also note that most of NASA’s systems are unclassified, underlining that the insider threat risk for these systems is higher, given that many contain sensitive and valuable information, including scientific data, personal information, and procurement data.

“At NASA, valuable data including information related to critical infrastructure and other high-value assets resides in unclassified systems. Consequently, an insider threat incident on an unclassified system could pose serious jeopardy to Agency operations,” the report reads.

[ READ: Mozilla Publishes Results of VPN Security Audit ]

Although it does limit access to high-value assets and critical infrastructure, NASA does not monitor access to unclassified data related to intellectual property and high-value assets. While unclassified systems are assigned to users with limited privileges, over the past three years NASA received over 12,000 requests for elevated privileges that enable the download of task-specific software.

“Without proper monitoring of the purpose and source of this software, NASA systems are vulnerable to the introduction of malicious artifacts that can sabotage systems or collect and deliver information to outside sources. Additionally, accessing IT systems with elevated user privileges greatly increases the risks of cybersecurity incidents by introducing unintended, detrimental changes to system configurations,” the report says.

While NASA officials believe that the agency’s cybersecurity posture would greatly benefit from expanding the insider threat program to unclassified systems, there are staffing and technology limitations that should be addressed first, to support such an effort. Even so, the program should be expanded, the report says.

The auditors recommend that NASA establishes a cross-discipline team to conduct an insider threat risk assessment of unclassified systems and determine whether the insider threat program should be expanded to cover these systems as well, and that the agency ensures improved cross-discipline communication.

Related: IoT Protocol Used by NASA, Siemens and Volkswagen Can Be Exploited by Hackers

Related: Tech Audit of Colonial Pipeline Found ‘Glaring’ Problems

Related: SecureDrop Workstation Gets Post-Audit Security Refresh

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.

CISO Conversations

In this edition of CISO Conversations, SecurityWeek speaks to two city CISOs, from the City of Tampa, and from Tallahassee.