NASA is apparently seriously lacking when it comes to data security
The National Aeronautics and Space Administration (NASA) is pretty good at keeping Classified information away from falling into the wrong hands, but it’s not that good at labeling all of the right data as Classified.
This becomes a major problem because it puts many projects and information in jeopardy from insider attacks, says the latest report on the organization’s state of cybersecurity, published by the NASA Office of Inspector General.
The “NASA’s insider threat program” report reveals that the “vast majority” of NASA technology is not labeled as Classified, including “high-value assets and critical infrastructure.” Some of these assets include “sensitive and valuable information such as scientific, engineering, or research data; human resources files; or procurement sensitive information.”
Labeling classified data
As these items are not labeled as Classified, they aren’t covered by the various defenses the organization deployed for its insider protection program.
Things wouldn’t be that bad if unclassified, but sensitive information, wasn’t abused every day. The auditor says in its report that the number of incidents, including the improper use of the organization’s IT systems, rose 343% in three years (from 249 in 2017, to 1,103 in 2020).
Of all these incidents, the most common problem was “failing to protect Sensitive but Unclassified (SBU) information”. Apparently, many NASA employees were sending each other unencrypted emails containing SBU data, Personally Identifiable Information (PII), or International Traffic in Arms Regulations data.
Another potential problem is frequent privilege elevation for the employees. In the last three years, NASA users made more than 12,000 requests for privilege elevation.
To better protect its data, the watchdog hints, NASA needs to reorganize informational security responsibilities. As things stand now, multiple teams are in charge of securing the organization’s endpoints, including the Office of Protective Services (OPS), and the Office of the Chief Information Officer (OCIO).
Via: The Register
Audio player loading… The National Aeronautics and Space Administration (NASA) is pretty good at keeping Classified information away from falling into the wrong hands, but it’s not that good at labeling all of the right data as Classified. This becomes a major problem because it puts many projects and information…
