NASA network security torched

15.10.2009

• Although NASA had employed controls to segregate sensitive areas of its networks and protect them from intrusion, it did not always adequately control the logical and physical boundaries protecting its information and systems. For example, NASA centers did not adequately protect their workstations and laptops from intrusions through the use of host-based firewalls. Furthermore, firewalls at the centers did not provide adequate protection for the organization’s networks, since they could be bypassed. In addition, the three centers had an e-mail server that allowed spoofed e-mail messages and potentially harmful attachments to be delivered to NASA. As a result, the hosts on these system networks were at increased risk of compromise or disruption from the other lower security networks.

• One center was alerted by the NASA SOC in February 2009 about traffic associated with a Seneka Rootkit Bot. In this case, NASA found that 82 NASA devices had been communicating with a malicious server since January 2009. A review of the data revealed that most of these devices were communicating with a server in the Ukraine. By March 2009, three centers were also infected with the bot attack.

The issues collectively increase the risk of unauthorized access to NASA’s sensitive information, as well as inadvertent or deliberate disruption of its system operations and services, the GAO stated. They make it possible for intruders, as well as government and contractor employees, to bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts. As a result, increased and unnecessary risk exists that sensitive information is subject to unauthorized disclosure, modification, and destruction and that mission operations could be disrupted, the GAO stated.

In the end, the GAO recommended eight actions for the NASA CIO, including building and implementing comprehensive and physical risk assessments that include mission-related systems and applications and known vulnerabilities identified in the security plans and waivers. The GAO also said to implement an adequate incident detection program that includes a consistent definition of an incident, incident roles and responsibilities, resources to operate the program, and business impacts of the incidents.

In written comments responding to the GAO report, NASA concurred with the GAO’s recommendations and noted that many of the recommendations are currently being implemented as part of an ongoing strategic effort to improve information technology management and IT security program deficiencies. Although the IT security posture at NASA has significantly improved over the last three years, NASA recognizes there are still significant gaps that will require increased management attention and more time to alleviate, NASA stated.