Hacking NASA

We consistently find that some of the most interesting reports are those coming out of NASA's Office of Inspector General.

A recent report doesn't disappoint.

The report reviewed the security of NASA’s publicly accessible web applications.

As context, the report notes:

NASA manages approximately 1,200 publicly accessible web applications – or about half of all publicly accessible non-military Federal Government websites – to share scientific information with the public, collaborate with research partners, and provide Agency civil servant and contractor employees with remote access to NASA networks.

Hundreds of these web applications are part of information technology (IT) systems NASA characterizes as high- or moderate-impact, meaning that a security breach could result in the loss of sensitive data or seriously impair Agency operations. NASA’s publicly accessible web applications consist mainly of websites, but also include web-based login portals and administrative systems that provide authorized personnel remote access to Agency IT resources.

We are perhaps stating the obvious when we observe that the security of these web applications is paramount:

The frequency and sophistication of attacks directed at NASA’s publicly accessible web applications has increased dramatically over the past several years. For example, between FYs 2012 and 2013, NASA experienced an 850 percent increase (from 42 to 359) in structured query language (SQL) injection attacks that attempted to compromise Agency web applications to steal data or gain a foothold into its networks for future exploitations.

In response to this growing cyber threat, NASA established an Agency-wide initiative in 2012 – the Web Application Security Program (WASP) – to identify and assess vulnerabilities on all of its publicly accessible web applications and mitigate the most severe vulnerabilities before hackers exploit them.

So how has WASP been performing?

The report notes that WASP has had some impact:

NASA’s ongoing efforts to reduce its web presence and to identify and scan for vulnerabilities on its publicly accessible web applications have improved Agency IT security. We found that WASP developed a complete inventory of all publicly available web applications maintained by NASA Headquarters and Centers and, consistent with best practices, identified vulnerabilities through automated scanning coupled with manual testing. In addition, during the 15-month period ending March 2014, NASA reduced by 15 percent (from 1,500 to 1,200) the number of its publicly accessible web applications.

Proving that this area is a never-ending effort, the report opined:

Despite this progress, we found deficiencies in WASP’s design and implementation that leaves NASA’s publicly accessible web applications at risk of compromise.

These deficiencies occurred because WASP did not:

  • prioritize identification of security vulnerabilities by seriousness of potential impact,
  • identify the underlying cause of vulnerabilities,
  • identify weaknesses associated with unsound IT security practices, or
  • implement an effective process to ensure timely mitigation of identified vulnerabilities.

In the end, the web application footprint remains a significant issue that needs addressing:

While NASA has made strides in reducing the scope of its web presence, the Agency’s remaining 1,200 publicly accessible web applications continue to present a large target for hackers.

This report is a good catalogue of issues that all organisations need to consider in managing their web architecture and defences against malicious intent.
