NASA's servers risked devastating breach


Six servers at the National Aeronautics and Space Administration--servers supporting the International Space Station, Space Shuttle and Hubble Telescope initiatives--were open to vulnerabilities that could have resulted in a devastating breach, according to a report from the agency's inspector general. To some security experts, the agency's network vulnerability should not come as a surprise.

NASA was lacking in some fairly basic security precautions as early as five years ago, writes Bill Brenner in a post at CSO magazine. In an interview Brenner conducted with a NASA technology chief back then, he learned that the agency's system was decentralized and fragmented. User accounts were not sufficiently managed, and it was not always clear when contractors were supposed to be off the network. Some contractors retained access to privileged information even after finishing their work with the agency, Brenner reported.

The vulnerabilities outlined in the audit released this week have been patched, but the agency does not have a program in place for identifying similar problems going forward, the IG wrote in the audit. Other servers left passwords, encryption keys and account information exposed. 

"A security breach of a moderate- or high-impact system or project on this key network could severely disrupt NASA operations or result in the loss of sensitive data," the audit report notes.

At the root of the problem was NASA's failure to fully assess and mitigate network risks, the IG found--which is consistent with what CSO's Brenner discerned five years ago. What's more, responsibility for security oversight had not been assigned. NASA CIO Linda Cureton said she plans to launch a pilot program this summer to identify risks on agency networks that are not connected to the Internet, reports Tim Greene at NetworkWorld.

For more:
- see Bill Brenner's post at CSO
- see Tim Greene's article at NetworkWorld
- download the March 28, 2011 report, IG-11-017 (.pdf)
- download a one-page summary of the May 2010 report, IG-10-013 (that's all the NASA OIG has made available) (.pdf)
