We expect -- or at least hope -- that large government agencies put a lot of effort into the security of computing. If anything you'd expect NASA to lead the pack, but a new report suggests that there are a few holes it could do with plugging -- quickly.
A report by Motherboard explains that of NASA's annual $US1.5 billion IT spend, about $US58 million goes on security. But that doesn't stop it getting hacked.
In 2011, NASA was the victim of 47 individual advanced persistent threat (APT) attacks, 13 of which successfully compromised its computers. APT attacks are particularity sophisticated and as a result are usually carried out by well-funded organisations, and one of the hacks was successful enough to capture credentials for over 150 employees, including access codes to sensitive information.
Compared to some organisations, that's minor. But this is NASA; a paragon of technological advancement. So what gives?
Firstly, incomplete security. This is an organisation with a lot of computers, and it's hard to keep track of what's going on. Motherboard claims that NASA reported 5408 computer security incidents including the installation of malicious software and unauthorised access to its systems in 2010 and 2011. It also struggles to keep track of computers that are being thrown out, and managed to lose 10 computers that hadn't been properly wiped from one centre in 2010.
But the single biggest problem? Mobility. It's the rise of laptops and tablets among NASA employees that is making the task so difficult for their IT department. In recent years, NASA has seen plenty of lost portable devices. In March 2011, Motherboard reports, "an unencrypted NASA notebook computer was stolen and with it was lost the algorithms used to command and control the International Space Station." Whoops. Added to that, only 1 per cent of all of NASA's laptops are encrypted.
The problem is, NASA is a unique amalgam of researchers, academics and governmental employees. It's an odd melting pot, where people from different backgrounds aren't necessarily on the same page when it comes to security. Maybe it's time that changed. [Motherboard; Image: cogdogblog]