Remote attackers using the Internet could seize control of servers on NASA's agency-wide mission networks that guide spacecraft, potentially causing havoc with America's space missions, the space agency's inspector general said in a new report.
The audit - Inadequate Security Practices Expose Key NASA Network to Cyberattack - didn't link any specific mission to specific vulnerabilities, but did mention that the NASA mission network is widely distributed and hosts more than 190 IT systems and projects run by the agency's mission directorates and Jet Propulsion Laboratory, including the Hubble space telescope, space shuttle and international space station and the Cassini and lunar reconnaissance orbiters.
Designing an Incident Response Plan is difficult. On one hand, you have the extremely detailed "Best Practices" while on the other hand you have real world resource constraints.
Infocyte Mid-market Threat and Incident Response Report Webinar - Infocyte
Join Infocyte's co-founder and Chief Product Officer, Chris Gerritz, as we review the findings from our 2019 Mid-market Threat Detection and Incident Response report.
In the first half of 2019, we completed over 550,000 digital forensic inspections across hundreds of customer and partner networks, exposing hidden and malicious threats, unknown vulnerabilities, and more.
Our Mid-market Report (and this webinar) shares the findings from our DFIR investigations, compromise assessments, and ongoing threat hunting activities.
Cyber security is a major concern in the world. As a result of frequent and consistent daily cyber attacks, this journal was written to enlighten viewers and readers on zero-day attack prediction.
This article is all about "STUXNET", the first weapon built entirely out of code.
It gives a brief insight into what it is all about. A new world of computer programming where you can make deadly weapons with code. Read the complete article to know more about it.
For my presentation on this article visit: http://www.slideshare.net/hardeep4u/stuxnet-more-then-a-virus
A comprehensive study on classification of passive intrusion and extrusion de... - csandit
Cyber criminals compromise Integrity, Availability and Confidentiality of network resources in
cyber space and cause remote class intrusions such as U2R, R2L, DoS and probe/scan system
attacks. To handle these intrusions, Cyber Security uses three audit and monitoring systems
namely Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS). Intrusion
Detection System (IDS) monitors only inbound traffic which is insufficient to prevent botnet
systems. A system to monitor outbound traffic is named as Extrusion Detection System (EDS).
Therefore a hybrid system should be designed to handle both inbound and outbound traffic.
Due to the increased false alarms, preventive systems do not suit an organizational network.
The goal of this paper is to devise a taxonomy for cyber security and study the existing methods
of Intrusion and Extrusion Detection systems based on three primary characteristics. The
metrics used to evaluate IDS and EDS are also presented.
Enhancing system efficiency through process scanning - sai kiran
This project is to find new processes in the system which are not shown in the Task Manager. It works well on Windows systems. It compares system processes with a user-defined database of processes (the original processes of Windows).
Frank Migge It Security Patch Monitoring With Nagios 02 - frank4dd
With OS patching becoming critical to keep systems protected, it is more and more difficult to achieve due to the ever increasing frequency of OS update cycles. Monitoring OS patch compliance is a hot topic, intended to help admins keep up with the latest patches and to keep IT management informed about areas of risk. Thanks to the Nagios open architecture, patch check plugins can be easily developed and integrated to provide an enterprise view of the current patch status of the OS variety found in larger organisations: Cisco, Windows, Linux and AIX.
Pileup Flaws: Vulnerabilities in Android Update Make All Android Devices Vuln... - MOBIQUANT TECHNOLOGIES
Pileup Flaws: Vulnerabilities in Android Update
Make All Android Devices Vulnerable.
Android upgrade mechanism brings to light a whole new set of vulnerabilities pervasively existing in almost all Android versions, which allow a seemingly harmless malicious app. MobileNX Enterprise Suite and uFortress address these flaws in a recent update.
https://groups.google.com/forum/#!forum/mobiquant
http://www.mobiquant.com
http://www.mseclabs.com
http://twitter.com/mobiquant
https://www.facebook.com/mobiquant/
https://fr.linkedin.com/company/mobiquant-technologies
https://www.crunchbase.com/organization/mobiquant
https://www.youtube.com/user/MOBIQUANT
APPBACS: AN APPLICATION BEHAVIOR ANALYSIS AND CLASSIFICATION SYSTEM - ijcsit
The number and complexity of malware attacks have increased manyfold in recent times. Informed Internet
users generally keep their computer protected but get confused when it comes to execute the untrusted
applications. In such cases users may fall prey to malicious applications. There are malware behavior
analyzers available but leave report analysis to the user. Common users are not trained to understand and
analyze these reports, and generally expect direct recommendation whether to execute this application on
their computer. This research paper tries to analyze behavior and help the common users and analysts to
quickly classify an application as safe or malicious.
Modern information security management best practices dictate that an enterprise assumes full
configuration control of end user computer systems (laptops, deskside computers, etc.). The benefit of this
explicit control yields lower support costs since there are less variation of machines, operating systems,
and applications to provide support on, but more importantly today, dictating specifically what software,
hardware, and security configurations exist on an end user's machine can help reduce the occurrence of
infection by malicious software significantly. If the data pertaining to end user systems is organized and
catalogued as part of normal information security logging activities, an extended picture of what the end
system actually is may be available to the investigator at a moment's notice to enhance incident response
and mitigation. The purpose of this research is to provide a way of cataloguing this data by using and
augmenting existing tools and open source software deployed in an enterprise network.
Stephanie Vanroelen - Mobile Anti-Virus apps exposed - NoNameCon
Talk by Stephanie Vanroelen at NoNameCon 2019.
https://nonamecon.org
https://cfp.nonamecon.org/nnc2019/talk/ZFJFW8/
This talk is about top anti-virus apps on Mobile. An in depth look on how they work and what they do. Do they add to or break the security of the mobile OS?
This talk is about top anti-virus apps on Android. An in-depth look at how they work and what they do.
The focus will be on the top 5 Android apps:
Kaspersky Mobile Antivirus
Avast Mobile Security
Norton Security & Antivirus
Sophos Mobile Security
Security Master
This talk will try to answer the following questions: Do they add to or break the security of the Android sandbox system? What type of information is being shared back to the company (if any)? Are these apps well built?
Finally, I will address the following: Do I recommend any of these apps and if so which one and why?
NetStandard CTO John Leek presents 20 Critical Security Controls for the Cloud at Interface Kansas City. This presentation is based on controls set forth by the SANS Institute. Learn more at http://www.netstandard.com.
Industrial control systems may be at least as vulnerable to intrusion and malicious attack as your desktop PC, or even more so. The National Cybersecurity and Communications Integration Center outlines seven basic steps you can take to harden your industrial control system against intrusion and mischief.
OIG: Information Technology Security: Improvements Needed in NASA's Continuou... - Bill Duncan
Continuous monitoring of security controls is an essential element of an organization's IT security program. We found that NASA's processes for continuous monitoring of its operating system configurations, system vulnerabilities, and software patch levels were not fully effective for protecting critical Agency information resources.
For example, none of the four Centers we visited monitored operating system configurations on their computer servers to ensure they remained securely configured over time. Although all four Centers had implemented NASA's vulnerability management process that includes automated vulnerability discovery, prioritized remediation, and the quarantine of computers with unmitigated vulnerabilities, we found that this process could be improved by adding a control to provide assurance that 100 percent of the Centers' computer networks are continuously monitored. Similarly, the Centers could improve the implementation of their software patch management process by ensuring that all of the Centers' computers are included in the process. In a March 2006 OIG audit report, we recommended that Centers establish inventories of their computers.
Although the Agency concurred with that recommendation, NASA decided to implement a single Agency-wide inventory instead of Center-level inventories, which delayed implementation until at least September 2010. In this review, we found that the lack of complete and up-to-date inventories is a barrier to effective monitoring of IT security controls. Accurate inventory lists increase the effectiveness of an IT security program by providing a means to verify that 100 percent of the computers in the Agency's network are subject to configuration, vulnerability, and patch monitoring. Until NASA establishes a complete inventory of its network resources, Centers will be unable to fully implement these key IT security controls and NASA's IT security program will not be fully effective in protecting the Agency's valuable IT resources from potential exploitation.
OIG: Review of NASA's Management and Oversight of Its Information Technology ... - Bill Duncan
We found that NASA's IT security program had not fully implemented key FISMA requirements needed to adequately secure Agency information systems and data. For example, we found that only 24 percent (7 of 29) of the systems we reviewed met FISMA requirements for annual security controls testing and only 52 percent (15 of 29) met FISMA requirements for annual contingency plan testing. In addition, only 40 percent (2 of 5) of the external systems we reviewed were certified and accredited.
These deficiencies occurred because NASA did not have an independent verification and validation function for its IT security program. We also found that NASA's Office of Chief Information Officer (OCIO) had not effectively managed corrective action plans used to prioritize the mitigation of IT security weaknesses. This occurred because OCIO did not have a formal policy for managing the plans and did not follow recognized best practices when it purchased an information system that it hoped would facilitate Agency-wide management of IT corrective action plans. However, after spending more than $3 million on the system since October 2005, implementation of the software failed.
The Agency is currently expending funds to acquire a replacement system. Specifically, we found that the information system was significantly underutilized and therefore was not an effective tool for managing corrective action plans across NASA. For example, the system contained corrective action plans for only 2 percent (7 of 289) of the 29 systems we sampled. In our judgment, the system was underutilized because OCIO did not fully document detailed system requirements prior to selecting the system and did not have users validate requirements via acceptance testing prior to implementing it. Because the information system contained minimal data and the manual process the Agency relied on was not consistently followed, OCIO's management of corrective action plans was ineffective and did not ensure that significant IT security weaknesses were corrected in a timely manner.
Until NASA takes steps to fully meet FISMA requirements and to improve its system acquisition practices, NASA's IT security program will not be fully effective in protecting critical Agency information systems. Moreover, until such improvements are made OCIO will not be in a position to effectively allocate resources to correct IT security weaknesses. Management
1 NPR 2810.1A, "Security of Information Technology," Chapter 7, defines moderate impact as "loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on NASA operations, organizational assets, or individuals." High impact is defined as "loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on NASA operations, organizational assets, or individuals."
2 NASA OIG. "Federal Information Security Management Act: Fiscal Year 2009 Report from the Office of Inspector General" (IG-10-001, November 10, 2009).
3 NASA OIG. "Review of the Information Technology Security of the Internet Protocol Operational Network (IONet)" (IG-10-013, May 13, 2010); and NASA OIG. "Audit of NASA's Efforts to Continuously Monitor Critical Information Technology Security Controls" (IG-10-019, September 14, 2010).
STATISTICAL QUALITY CONTROL APPROACHES TO NETWORK INTRUSION DETECTION - IJNSA Journal
In the study of network intrusion, much attention has been drawn to on-time detection of intrusion to safeguard public and private interest and to capture the law-breakers. Even though various methods have been found in literature, some situations warrant us to determine intrusions of network in real-time to prevent further undue harm to the computer network as and when they occur. This approach helps detect the intrusion and has a greater potential to apprehend the law-breaker. The purpose of this article is to formulate a method to this effect that is based on the statistical quality control techniques widely used in the manufacturing and production processes.
The purpose of this paper is twofold. First and foremost it presents a background narrative on the origins, innovations and applications of novel structural automation technologies and the rarity of experts involved in research, development and practice of this field. The second part of this paper presents a rudimentary framework for a solution addressing this paucity – the creation of an interdisciplinary academic program at PAAET that will be the first ever in the region to address applied information communication technologies (ICT) in the design, planning, engineering and management of structural automation projects. In doing so, we need also to define the level of implementation. This field, as all fields in ICT, has been loosely defined and most applications carry less weight in its implementation than what should be applied. This paper gives an attempt to define an indexing scheme by which we can easily classify such implementation and generate a ranking by which we can safely define its level of "Intelligence". International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
A FRAMEWORK TO DEFENSE AGAINST INSIDER ATTACKS ON INFORMATION SOURCES - ijmpict
As for development and growth of information systems and security organizations, protecting information
against probable attacks is of great importance. External raids on these organizations, for the most part,
are not practicable due to high defensive layers. Therefore to intrude on such organizations, insiders are
employed. In this paper, by introducing consequence and necessity of recognition of insider attacks perils,
we intend to propose a new framework for detecting and preventing from insider attacks on information
systems.
The suggested framework is defined according to ontology graphs, thus, a structure of so-called ontology is
firstly explained. This composition represents data structure for saving and presenting information and is
then practiced to detect user’s behavioral patterns within such framework. The framework consists of three
phases of construction, comparison and analysis such that it first receives a set of user’s requests alongside
with his legal access level and in case of encountering an attack it communicates an appropriate warning
message to the organization administrative system.
Internet of Things Security - Trust in the supply chain - Duncan Purves
Presentation on the threats to Internet of Things solutions and how you establish trust in the Internet of Things supply chain and where you go to find security frameworks and best practice. Also includes details about the Secure IoT event being held in Reading, UK on 17 October 2017.
Efficient Data Aggregation in Wireless Sensor Networks - IJAEMSJORNAL
Sensor network is a term used to refer to a heterogeneous system combining tiny sensors and actuators with general/special-purpose processors. Sensor networks are assumed to grow in size to include hundreds or thousands of low-power, low-cost, static or mobile nodes. This system is created by observing that for any densely deployed sensor network, high redundancy exists in the information gathered from sensor nodes that are close to each other. We have exploited the redundancy and designed schemes to secure different kinds of aggregation processing against both inside and outside attacks.
Cyber-Defensive Architecture for Networked Industrial Control Systems - IJEACS
This paper deals with the inevitable consequence of the convenience and efficiency we benefit from the open, networked control system operation of safety-critical applications: vulnerability to such system from cyber-attacks. Even with numerous metrics and methods for intrusion detection and mitigation strategy, a complete detection and deterrence of internal code flaws and outside cyber-attacks has not been found and would not be found anytime soon. Considering the ever incompleteness of detection and prevention and the impact and consequence of mal-functions of the safety-critical operations caused by cyber incidents, this paper proposes a new computer control system architecture which assures resiliency even under compromised situations. The proposed architecture is centered on diversification of hardware systems and unidirectional communication from the proposed system in alerting suspicious activities to upper layers. This paper details the architectural structure of the proposed cyber defensive computer control system architecture for power substation applications and its validation in lab experimentation and on a cybersecurity testbed.
Create software builds with jazz team build - Bill Duncan
A guide to using the Jazz Team Build feature in Rational Team Concert
Veena H. Balakrishnaiah (veena.balakrishna@in.ibm.com), Build and Release Engineer, IBM
Summary: Veena H. Balakrishnaiah gives an overview of how to configure source control and Jazz Team Build components of Rational Team Concert to define and manage your build. Jazz builds run against files that come from a designated build repository workspace and include traceability between change sets and work items. Jazz Team Builds provide support for the automation, monitoring, and awareness of a team's regular builds.
This article originally appeared at http://www.ibm.com/developerworks/rational/library/create-software-builds-jazz-team-build/index.html?ca=drs-
How to implement access restrictions to your EA artifacts using Rational Syst... - Bill Duncan
Abstract
This white paper provides you with information on how to implement access restrictions to your Enterprise Architecture (EA) Artifacts using IBM Rational System Architect Catalog Manager.
Content
This white paper discusses what Rational System Architect Catalog Manager is and how it can be used to address the concerns of "Visibility" and "Security". The paper also gives problem scenarios and then the solutions to those scenarios to make the capabilities easier to understand.
Optimize load handling for high-volume tests with IBM Rational Performance Te... - Bill Duncan
Summary: When using IBM® Rational® Performance Tester for testing diversified protocols and large volume load simulations, it is essential to optimize the performance of your testing machines and tools, as well as your network and infrastructure. In this article, you will discover best practices that you can adopt to enhance the load generation capability of Rational Performance Tester per machine by configuring both the testing tool and the operating system. You will also learn about techniques that you can use to alleviate trivial errors that occur during large volume load simulations.
Improve software development project success with better information - Bill Duncan
Summary: Automated reporting can help you document compliance and eliminate the errors, inconsistency, and wasted time and effort inherent in manual reporting. Automated measurement can help improve processes and streamline project delivery. This article describes how automated reporting and measurement tools, such as IBM Rational Publishing Engine and Rational Insight, help software and systems development teams provide accurate, timely, and appropriate information to decision makers.
Automate document generation from SysML models with Rational Rhapsody Reporte... - Bill Duncan
This article explains techniques to generate documents from IBM® Rational® Rhapsody SysML models, using the Rhapsody ReporterPLUS feature. Automated document generation from existing models enhances consistency between the different representations of the system used throughout system development. Using the right techniques, it is possible to produce publication-ready, human-readable documents that support engineering processes.
By default, IBM® Rational® Performance Tester provides essential performance metrics, such as throughput, response times, concurrency, and success rate. However, it also includes several advanced features for detailed analysis, many of which are not commonly used. Proper use of these options provides deeper insight when analyzing test results. This article gives five tips for using some of these advanced features, all of which have helped tremendously in real-world performance testing projects with large companies.
Developing service component architecture applications using rational applica... - Bill Duncan
Summary: This article describes how to develop and access SCA applications using Rational Application Developer Version 8 with a sample application. It begins with some basic definitions and frequently used terms, then describes the prerequisites and reference links needed before you start developing SCA applications. Next, it explains how to use the Rational Application Developer wizards to create a sample SCA application and to create the different supported bindings for SCA Services and SCA References, such as the default SCA binding, web services binding, and EJB bindings. The article concludes by describing how a Servlet client application accesses the SCA sample application.
Managing requirements across Analysis and Design phases using System Architec... - Bill Duncan
Abstract
This document describes why requirements need to be tracked and also explains how tracking can be setup and managed.
Content
The IBM Rational System Architect DOORS integration helps users create abstract views in System Architect based on the user requirements in IBM Rational DOORS. Having this integration will enable users to synchronize the model with the ever changing requirements. This document can be used as a reference for users who would like to map their requirements captured in DOORS to a modeling tool Rational System Architect. Also, there would be an information flow between DOORS to System Architect and vice-versa.
Using the document provided, users can map the requirements in DOORS to the System Architect project encyclopedia and vice versa. As a summary, this document can prove effective as a start point for new users who are in the process of exploring this integration and its benefits.
What's New in Rational Team Concert 3.0Bill Duncan
Rational Team Concert integrates work item tracking, source control management, continuous builds, iteration planning, and a highly configurable process support to adapt to the way you want to work, enabling developers, architects, project managers, and project owners to work together effectively.
Rational Team Concert 3.0 coming November 23rd!
Here are some highlights of what's coming in the next version:
* Simplified packaging
* Advanced planning for formal and agile teams
* Flexible customization and configuration
* Distributed source control
* Enterprise build support, with enhanced Build Forge integration
* Enterprise platform enhancements (z/OS and Power)
* Enhanced client for Microsoft Visual Studio IDE
* Open integrations to your existing tools, including a new DOORS 9.3 integration and OpenSocial support
Automatic Proactive Troubleshooting with IBM Rational Build ForgeBill Duncan
Abstract
This paper will address using Build Forge to integrate Rational products to fix or “phone home” potential support issues proactively without user intervention.
Content
Refrigerator companies have often floated the idea of having intelligent refrigerators that would call in service requests for themselves when components were failing. The basis of this idea is that better diagnostics are driven by greater integration between computerized parts. This paper brings this idea to Rational products by using Build Forge to fix or “phone home” potential support issues proactively without user intervention.
हम आग्रह करते हैं कि जो भी सत्ता में आए, वह संविधान का पालन करे, उसकी रक्षा करे और उसे बनाए रखे।" प्रस्ताव में कुल तीन प्रमुख हस्तक्षेप और उनके तंत्र भी प्रस्तुत किए गए। पहला हस्तक्षेप स्वतंत्र मीडिया को प्रोत्साहित करके, वास्तविकता पर आधारित काउंटर नैरेटिव का निर्माण करके और सत्तारूढ़ सरकार द्वारा नियोजित मनोवैज्ञानिक हेरफेर की रणनीति का मुकाबला करके लोगों द्वारा निर्धारित कथा को बनाए रखना और उस पर कार्यकरना था।
In a May 9, 2024 paper, Juri Opitz from the University of Zurich, along with Shira Wein and Nathan Schneider form Georgetown University, discussed the importance of linguistic expertise in natural language processing (NLP) in an era dominated by large language models (LLMs).
The authors explained that while machine translation (MT) previously relied heavily on linguists, the landscape has shifted. “Linguistics is no longer front and center in the way we build NLP systems,” they said. With the emergence of LLMs, which can generate fluent text without the need for specialized modules to handle grammar or semantic coherence, the need for linguistic expertise in NLP is being questioned.
role of women and girls in various terror groupssadiakorobi2
Women have three distinct types of involvement: direct involvement in terrorist acts; enabling of others to commit such acts; and facilitating the disengagement of others from violent or extremist groups.
‘वोटर्स विल मस्ट प्रीवेल’ (मतदाताओं को जीतना होगा) अभियान द्वारा जारी हेल्पलाइन नंबर, 4 जून को सुबह 7 बजे से दोपहर 12 बजे तक मतगणना प्रक्रिया में कहीं भी किसी भी तरह के उल्लंघन की रिपोर्ट करने के लिए खुला रहेगा।
01062024_First India Newspaper Jaipur.pdfFIRST INDIA
Find Latest India News and Breaking News these days from India on Politics, Business, Entertainment, Technology, Sports, Lifestyle and Coronavirus News in India and the world over that you can't miss. For real time update Visit our social media handle. Read First India NewsPaper in your morning replace. Visit First India.
CLICK:- https://firstindia.co.in/
#First_India_NewsPaper
31052024_First India Newspaper Jaipur.pdfFIRST INDIA
Find Latest India News and Breaking News these days from India on Politics, Business, Entertainment, Technology, Sports, Lifestyle and Coronavirus News in India and the world over that you can't miss. For real time update Visit our social media handle. Read First India NewsPaper in your morning replace. Visit First India.
CLICK:- https://firstindia.co.in/
#First_India_NewsPaper
03062024_First India Newspaper Jaipur.pdfFIRST INDIA
Find Latest India News and Breaking News these days from India on Politics, Business, Entertainment, Technology, Sports, Lifestyle and Coronavirus News in India and the world over that you can't miss. For real time update Visit our social media handle. Read First India NewsPaper in your morning replace. Visit First India.
CLICK:- https://firstindia.co.in/
#First_India_NewsPaper
2024 is the point of certainty. Forecast of UIF experts
Inadequate Security Practices Expose Key NASA Network to Cyber Attack
MARCH 28, 2011
AUDIT REPORT
OFFICE OF AUDITS
INADEQUATE SECURITY PRACTICES EXPOSE KEY
NASA NETWORK TO CYBER ATTACK
OFFICE OF INSPECTOR GENERAL
National Aeronautics and
Space Administration
REPORT NO. IG-11-017 (ASSIGNMENT NO. A-10-011-00)
Final report released by:
Paul K. Martin
Inspector General
Acronyms
FTP File Transfer Protocol
IP Internet Protocol
IT Information Technology
JPL Jet Propulsion Laboratory
OA Office of Audits
OIG Office of Inspector General
VPN Virtual Private Network
OVERVIEW
The Issue
NASA relies on a series of computer networks to carry out its various missions, including
controlling spacecraft like the International Space Station and conducting science
missions like the Hubble Telescope. Therefore, it is imperative that NASA protect its
computer networks from cyber attacks that could disrupt operations or result in the loss of
sensitive data. In this audit, we evaluated whether NASA protected information
technology (IT) assets on its Agency-wide mission computer network from Internet-based
cyber attacks. Specifically, we assessed whether NASA adequately protected these IT
assets from Internet-based attacks by regularly assessing risks and identifying and
mitigating vulnerabilities. We also reviewed internal controls as appropriate. Details of
the audit’s scope and methodology are in Appendix A.
Results
We found that computer servers on NASA’s Agency-wide mission network had high-risk
vulnerabilities that were exploitable from the Internet. Specifically, six computer servers
associated with IT assets that control spacecraft and contain critical data had
vulnerabilities that would allow a remote attacker to take control of or render them
unavailable. Moreover, once inside the Agency-wide mission network, the attacker could
use the compromised computers to exploit other weaknesses we identified, a situation
that could severely degrade or cripple NASA’s operations. We also found network servers
that revealed encryption keys, encrypted passwords, and user account information to
potential attackers. These data are sensitive and provide attackers additional ways to gain
unauthorized access to NASA networks. These deficiencies occurred because NASA had
not fully assessed and mitigated risks to its Agency-wide mission network and was slow
to assign responsibility for IT security oversight to ensure the network was adequately
protected. In a May 2010 audit report, we recommended that NASA immediately
establish an IT security oversight program for this key network. 1 However, even though
the Agency concurred with the recommendation it remained unimplemented as of
February 2011. Until NASA addresses these critical deficiencies and improves its IT
security practices, the Agency is vulnerable to computer incidents that could have a
severe to catastrophic effect on Agency assets, operations, and personnel.
1 NASA OIG, “Review of the Information Technology Security of [a NASA Computer Network]” (IG-10-013, May 13, 2010).
Management Action
In order to strengthen the Agency’s IT security program, we urge NASA to expedite
implementation of our May 2010 recommendation to establish an IT security oversight
program for NASA’s Agency-wide mission network. We also recommend that NASA
Mission Directorates (1) immediately identify Internet-accessible computers on their
mission networks and take prompt action to mitigate identified risks and (2) continuously
monitor Agency mission networks for Internet-accessible computers and take prompt
action to mitigate identified risks. Finally, to help ensure that all threats and
vulnerabilities to NASA’s IT assets are identified and promptly addressed, we recommend
that NASA’s Chief Information Officer, in conjunction with the Mission Directorates,
conduct an Agency-wide IT security risk assessment.
In response to a draft of this report, the Chief Information Officer and Mission
Directorates concurred with our recommendations. The Chief Information Officer stated
that she will work with the Mission Directorates and Centers to develop a comprehensive
approach to ensure that Internet-accessible computers on NASA’s mission networks are
routinely identified, vulnerabilities are continually evaluated, and risks are promptly
mitigated by September 30, 2011. In addition, the Chief Information Officer said she will
develop and implement a strategy for conducting an Agency-wide risk assessment by
August 31, 2011. The full text of NASA’s comments can be found in Appendix B.
We consider the Chief Information Officer’s proposed actions to be responsive to our
recommendations. Therefore, the recommendations are resolved and will be closed upon
verification that management has completed the corrective actions.
CONTENTS
INTRODUCTION
  Background
  Objectives
RESULTS
  NASA Did Not Adequately Assess and Mitigate Risks to Its Agency-Wide Mission Computer Network
APPENDIX A
  Scope and Methodology
  Review of Internal Controls
  Prior Coverage
APPENDIX B
  Management Comments
APPENDIX C
  Report Distribution
INTRODUCTION
Background
The threat to NASA’s computer networks from Internet-based intrusions is tangible and
expanding in both scope and frequency. For example, in May 2009 NASA notified the
Office of Inspector General (OIG) of a suspicious computer connection from a system
that supports Agency space operations and space exploration activities. The subsequent
OIG investigation confirmed that cybercriminals had infected a computer system that
supports one of NASA’s mission networks. Due to the inadequate security configurations
on the system, the infection caused the computer system to make over 3,000 unauthorized
connections to domestic and international Internet protocol (IP) addresses including
addresses in China, the Netherlands, Saudi Arabia, and Estonia. 2 In another cyber attack
in January 2009, cybercriminals stole 22 gigabytes of export-restricted data from a Jet
Propulsion Laboratory (JPL) computer system. The sophistication of both of these
Internet-based intrusions confirms that they were focused and sustained efforts to target
assets on NASA’s mission computer networks.
NASA’s Agency-wide mission network is widely distributed throughout the United
States and hosts more than 190 IT systems and projects run by the Agency’s Mission
Directorates and JPL. Included in these 190 IT assets are computer systems and projects
that control the Hubble Space Telescope, the Space Shuttle, the International Space
Station, the Cassini and Lunar Reconnaissance orbiters, and several ground stations and
mission control centers. These IT systems and projects, categorized as moderate- and
high-impact, control spacecraft, collect and process scientific data, and perform other
critical Agency functions. 3 Consequently, a security breach of one of these systems or
projects could have a severe to catastrophic adverse effect on NASA operations, assets, or
personnel.
In order to communicate and share information with external parties, NASA’s Agency-
wide mission network is connected to the Internet. NASA uses firewall technology to
control access to the network. A firewall is a set of IT resources that separate and protect
computer systems and data on an organization’s internal networks from unauthorized
access from an external network, such as the Internet. Specifically, firewalls inspect
incoming network traffic and permit or deny requests for access according to an
organization’s security policy.
2 An IP address is a unique numerical label assigned to each device (such as a computer or printer) connected to a network that uses the Internet protocol to communicate. An information technology system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
3 In a moderate-impact system, the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. In a high-impact system, such a loss could be expected to have a severe or catastrophic adverse effect.
Firewalls are only as effective as the rules that security personnel define for them. For
example, firewall rules that allow unrestricted access from the Internet to computers on
an organization’s internal networks are pathways attackers can use to identify and exploit
vulnerabilities on these networks. Accordingly, as part of an enterprise-wide IT security
risk assessment, organizations should identify and prioritize the mitigation of
vulnerabilities that can be exploited from the Internet. This is especially important when
these vulnerabilities are associated with moderate- or high-impact systems because a
system breach could severely degrade or even cripple an organization’s ability to operate.
Typically, organizations assess their network security posture from within the confines of
their own organizational networks and therefore do not always identify computers that are
exploitable from the Internet. Computer hackers, however, assess and evaluate potential
targets from the outside. Thus, computers that are accessible from the Internet are prime
targets for exploitation and are highly sought after by hackers.
Objectives
We reviewed the firewalls and related computer networking devices that control the flow
of network traffic between the Internet and systems on NASA’s Agency-wide mission
network to determine whether they are effectively configured to protect NASA IT
resources from Internet-based threats. We also reviewed internal controls as appropriate.
See Appendix A for details of the audit’s scope and methodology.
RESULTS
NASA DID NOT ADEQUATELY ASSESS AND
MITIGATE RISKS TO ITS AGENCY-WIDE
MISSION COMPUTER NETWORK
We performed vulnerability tests on computer servers connected to NASA’s Agency-
wide mission computer network and found six servers that were exploitable from the
Internet. These servers were associated with IT projects that control spacecraft or
contain critical NASA data. In addition to servers with high-risk vulnerabilities, we
also found servers that exposed encryption keys, encrypted passwords, and user
account information. These data are sensitive and provide attackers additional ways
to gain unauthorized access to NASA computer networks. These deficiencies
occurred because NASA had not fully assessed and mitigated risks to the network
and had not assigned responsibility for IT security oversight to ensure the network
was adequately protected. A security breach of a moderate- or high-impact system or
project on this key network could severely disrupt NASA operations or result in the
loss of sensitive data.
Computers on NASA’s Agency-wide Mission Network Could Be
Exploited from the Internet
NASA computers that are accessible from the Internet are prime targets for exploitation
and thus are highly sought after by hackers. To determine the extent to which NASA’s
Agency-wide mission network was vulnerable to a cyber attack, we first conducted a test
to probe the network for Internet-accessible computers. 4 The test included all IP
addresses assigned to the more than 190 IT systems and projects on this network – more
than 176,000 in total. At the time of our test, we found that NASA’s Agency-wide
mission network had 54 Internet-accessible computer servers associated with 8 IT
projects. These servers were associated with moderate- and high-impact NASA IT
projects used to control spacecraft or process critical data.
We contacted the owner of each project and found that two of the eight projects were
scheduled for termination and were disposed of during the audit. 5 We performed
vulnerability tests on the six remaining projects to determine if they included computers
with high-risk vulnerabilities. Specifically, we used NESSUS®, a network vulnerability
scanner, to test each computer for vulnerabilities such as running outdated or unpatched
software or offering network services that have known security weaknesses. NESSUS®
ranks vulnerabilities as high, medium, or low based on their potential to harm the system.
4 We used Nmap, a widely used software program, to identify Internet-accessible computers. Nmap discovers what hosts (computers) are present on a network and what services (applications such as e-mail or file sharing) those hosts are offering.
5 Disposal means that all computer hardware related to the project was removed from the network and retired.
One of the IT projects we reviewed had an Internet-accessible server that was susceptible
to a file transfer protocol (FTP) bounce attack – a highly effective form of cyber attack,
widely known since 1998. 6 As shown in Figure 1 below, in an FTP bounce attack the
attacker connects to and exploits a software flaw in the FTP server (1 and 3). Next, the
attacker uses the FTP server as a middle-man to discreetly scan computers positioned
behind the firewall for vulnerabilities (2). The scan results are relayed from the FTP
server back through the firewall to the attacker (4), and the attacker uses the scan results
to exploit other computers on the network, disrupt operations, or steal data.
Figure 1: Attacker Exploits Vulnerability to Disrupt NASA Operations or Steal Data
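The server-side check that closes off the bounce technique described above, as an added example that is not part of the audit report: an FTP server refuses any PORT request whose data address differs from the control connection's peer or whose port is below 1024 (the restrictions recommended in RFC 2577), and the same logic flags bounce attempts in a command log. The log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# "PORT h1,h2,h3,h4,p1,p2": four address octets, then the port as two bytes.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$",
    re.IGNORECASE,
)


def parse_port_command(command):
    """Return (ip, port) named by a PORT command, or None if it is malformed."""
    match = PORT_RE.match(command.strip())
    if match is None:
        return None
    values = [int(v) for v in match.groups()]
    if any(v > 255 for v in values):
        return None
    ip = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]
    return ip, port


def check_port_command(peer_ip, command):
    """Decide whether the server may open the requested data connection.

    peer_ip is the dotted-quad address of the client on the control
    connection. Returns (allowed, reason).
    """
    parsed = parse_port_command(command)
    if parsed is None:
        return False, "malformed PORT argument"
    ip, port = parsed
    if ip != peer_ip:
        # The client is asking the server to connect to a third party.
        return False, "data address %s is not the control peer %s" % (ip, peer_ip)
    if port < 1024:
        return False, "data port %d is in the reserved range" % port
    return True, "ok"


def review_log(lines):
    """Scan '<peer_ip> <command>' log lines for rejected PORT requests.

    Returns (rejections, third_party_targets): a list of
    (line_number, peer_ip, reason) and, per client, the set of third-party
    (ip, port) pairs it tried to reach. Many distinct targets from one
    client is the signature of a port scan relayed through the server.
    """
    rejections = []
    targets = defaultdict(set)
    for number, line in enumerate(lines, start=1):
        peer_ip, _, command = line.strip().partition(" ")
        if not command.upper().startswith("PORT"):
            continue
        allowed, reason = check_port_command(peer_ip, command)
        if allowed:
            continue
        rejections.append((number, peer_ip, reason))
        parsed = parse_port_command(command)
        if parsed is not None and parsed[0] != peer_ip:
            targets[peer_ip].add(parsed)
    return rejections, dict(targets)


# Constructed sample log (documentation and private address ranges only).
SAMPLE_LOG = [
    "203.0.113.7 USER anonymous",
    "203.0.113.7 PORT 203,0,113,7,195,80",   # own address, port 50000
    "203.0.113.7 PORT 10,1,2,15,0,22",       # internal host, port 22
    "203.0.113.7 PORT 10,1,2,15,0,23",       # internal host, port 23
    "203.0.113.7 PORT 10,1,2,16,1,189",      # internal host, port 445
    "198.51.100.4 PORT 198,51,100,4,0,80",   # own address, reserved port
    "198.51.100.4 PORT 198,51,100,4,300,1",  # octet out of range
]

if __name__ == "__main__":
    rejected, scanned = review_log(SAMPLE_LOG)
    for number, peer, reason in rejected:
        print("line %d: %s rejected: %s" % (number, peer, reason))
    for peer, pairs in scanned.items():
        print("%s requested %d third-party targets" % (peer, len(pairs)))
```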
Table 1 shows the results of our vulnerability tests for the six NASA projects we
evaluated. Specifically, it shows the number of Internet-accessible servers with high-risk
vulnerabilities and the total number of servers with high-risk vulnerabilities. We also
detected medium- and low-risk vulnerabilities and immediately provided the complete
results of our tests to NASA IT security staff. NASA has since remediated all the high-
risk vulnerabilities we detected. As the table shows, three of the projects and six
computer servers had high-risk vulnerabilities that could allow an Internet-based attacker
to take control of the computers or render them unavailable. We also found high-risk
vulnerabilities on other computers that were part of these six projects.
6 File transfer protocol is a network protocol commonly used on the Internet to copy files from one computer to another. An FTP bounce attack exploits the FTP protocol when an attacker is able to use the PORT command to request access to ports indirectly through the use of the victim machine as a middle-man for the request.
Table 1. Vulnerability Assessment Results
Project | Number of Internet-Accessible Servers with High-Risk Vulnerabilities | Number of Servers with High-Risk Vulnerabilities
1       | 0 | 2
2       | 0 | 0
3       | 0 | 2
4       | 2 | 2
5       | 3 | 5
6       | 1 | 1
Total   | 6 | 12
Once an attacker has exploited a vulnerability on an Internet-accessible computer, the
attacker could use the compromised computer as a means to exploit vulnerabilities on
other mission network computers. For example, had the bounce attack vulnerability been
exploited, a cybercriminal could have significantly disrupted NASA’s space flight
operations and stolen sensitive data.
Problems with Server Configurations Exposed Sensitive Data
We also found that servers associated with the six projects we reviewed were not securely
configured and, as a result, sensitive data such as encryption keys, encrypted passwords,
and user account lists were exposed to potential attackers. These data are sensitive and
can be used to gain unauthorized access to NASA’s Agency-wide mission network. For
example, an attacker can use encryption keys to bypass security controls and remotely
access a mission network server. 7 Although encrypting passwords prevents the true
password from being disclosed in a legible form, an attacker can use one of the many
tools available on the Internet to decipher the password through a technique called brute-
forcing. 8 After cracking the password, the attacker can then bypass the login mechanism
on the related server’s password-protected website and gain access to NASA’s Agency-
wide mission network. Finally, one server we reviewed disclosed sensitive account data
for all its authorized users. This information could be used by attackers for phishing or
sending Agency personnel e-mails containing malicious code to their official NASA
e-mail accounts. When the recipient accessed the e-mail, their computer and any
sensitive data on it could be compromised.
7 The encryption keys are files used as part of the authentication process for tunneling into an internal network using a VPN (virtual private network) to remotely administer computer servers in the network.
8 Brute-force password cracking is a technique that involves an automated script or program that attempts every possible password combination or uses a dictionary of words until the encrypted password is discovered.
RESULTS
NASA Needs to Conduct an Agency-Wide IT Security Risk
Assessment
Although NASA regularly conducts risk assessments of individual IT systems, the
Agency has never completed an Agency-wide risk assessment for its portfolio of IT
assets. Agency-wide risk assessments are important because they help ensure that all
threats and vulnerabilities are identified and that the greatest risks are promptly
addressed. In our judgment, the deficiencies noted above occurred because NASA
(1) was unaware of critical risks to its Agency-wide mission network that a
comprehensive risk assessment would have brought to light and (2) had not implemented
an agreed-upon recommendation to establish an IT security oversight program to ensure
that Agency mission networks were adequately protected. As a result, NASA’s Agency-
wide mission network was vulnerable to a variety of cyber attacks with the potential for
devastating adverse effects on the mission operations the network supports. Until NASA
improves its IT security practices by completing a comprehensive IT security risk
assessment and implementing our previous recommendation to establish an IT security
oversight program, the Agency is vulnerable to computer incidents that could have a
severe to catastrophic adverse effect on Agency assets, operations, or personnel.
Recommendations, Management’s Response, and Evaluation of
Management’s Response
To strengthen the Agency’s IT security program, we urged NASA to expedite
implementation of our May 2010 recommendation to establish an IT security oversight
program for NASA’s Agency-wide mission network. We also recommended that NASA
Mission Directorates take the following actions:
Recommendation 1. Immediately identify Internet-accessible computers on their mission
computer networks and take prompt action to mitigate identified risks.
Recommendation 2. Add as a security control continuous monitoring of their mission
computer networks for Internet-accessible computers and take prompt action to mitigate
identified risks.
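One way to implement the continuous-monitoring control in Recommendation 2, as an added example that is not part of the audit report: parse Nmap grepable output (`-oG`) from an external scan of the organization's own address space, compare the open ports with an approved baseline, and rank unapproved exposures by the impact level of the owning system. The scan text, addresses, project names, baseline and function names are constructed; the audit does not publish its scan data.

```python
import re

# One entry of the "Ports:" field in Nmap grepable (-oG) output has the form
# port/state/protocol/owner/service/rpc info/version/
PORT_ENTRY = re.compile(r"(\d+)/([a-z|]+)/(tcp|udp|sctp)/[^/]*/([^/]*)/")

# Hosts missing from the inventory sort first: nobody has assessed them.
IMPACT_RANK = {"unknown": 0, "high": 1, "moderate": 2, "low": 3}


def parse_grepable(text):
    """Map (ip, port, protocol) -> service name for every port reported open."""
    exposed = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip comment lines such as the scan header
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for port, state, proto, service in PORT_ENTRY.findall(field):
                if state == "open":
                    exposed[(ip, int(port), proto)] = service or "unknown"
    return exposed


def unapproved_exposures(exposed, baseline, inventory):
    """List open ports that are not in the approved baseline.

    inventory maps ip -> (project, impact level). Returns tuples of
    (ip, port, protocol, service, project, impact), highest priority first.
    """
    findings = []
    for key in set(exposed) - set(baseline):
        ip, port, proto = key
        project, impact = inventory.get(ip, ("unassigned", "unknown"))
        findings.append((ip, port, proto, exposed[key], project, impact))
    findings.sort(key=lambda f: (IMPACT_RANK[f[5]], f[0], f[1]))
    return findings


def stale_baseline_entries(exposed, baseline):
    """Approved exposures the scan no longer sees, so the baseline can shrink."""
    return sorted(set(baseline) - set(exposed))


# Constructed scan output (tab-separated fields, documentation addresses).
SAMPLE_SCAN = (
    "# constructed sample in Nmap grepable format\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 443/open/tcp//https///, "
    "8080/filtered/tcp//http-proxy///\n"
    "Host: 192.0.2.25 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)\n"
    "Host: 192.0.2.40 ()\tPorts: 443/open/tcp//https///\n"
)

# Constructed baseline of exposures that security staff have approved.
APPROVED = {
    ("192.0.2.10", 443, "tcp"),
    ("192.0.2.40", 443, "tcp"),
    ("192.0.2.40", 25, "tcp"),
}

# Constructed asset inventory: ip -> (project, impact level).
INVENTORY = {
    "192.0.2.10": ("Project A", "high"),
    "192.0.2.40": ("Project B", "moderate"),
}

if __name__ == "__main__":
    seen = parse_grepable(SAMPLE_SCAN)
    for finding in unapproved_exposures(seen, APPROVED, INVENTORY):
        print("unapproved: %s:%d/%s (%s) project=%s impact=%s" % finding)
    for ip, port, proto in stale_baseline_entries(seen, APPROVED):
        print("no longer exposed: %s:%d/%s" % (ip, port, proto))
```

Run against each scheduled scan, an empty findings list means the Internet-facing footprint still matches what was approved.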
Management’s Response. The NASA CIO and Mission Directorates combined
Recommendations 1 and 2 and stated that by September 30, 2011, the CIO will work with
the Mission Directorates and Centers to develop a comprehensive approach to ensure that
Internet-accessible computers on NASA’s mission networks are routinely identified,
vulnerabilities are continually evaluated, and risks are promptly mitigated. NASA’s
proposed corrective action is an Agency-wide solution and will include analyses of the
root cause or causes underlying the findings in this and prior audits; identification of
short-term steps that NASA will take to address the audit findings; identification of long-
term initiatives to address any identified root cause; and identification of the costs and
resources, tools, procedures, and oversight needed to implement the plan, along with
specific milestones and assignments of responsibility and methods for accountability.
Evaluation of Management’s Response. We consider the CIO and Mission Directorate
proposed actions to be responsive to our recommendations. Further, we commend NASA
for extending the corrective actions beyond NASA’s mission networks. The
recommendations are resolved and will be closed upon verification that the proposed
actions have been completed.
The CIO also requested that we reevaluate the security of Internet-accessible computers
on NASA’s mission networks within 1 year of the development of NASA’s remediation
plan. We agreed and plan to perform a vulnerability assessment of NASA’s mission
networks in October 2012 to evaluate the security status of the Agency’s Internet-
accessible computers.
Finally, we recommended that NASA’s Chief Information Officer in conjunction with the
Mission Directorates:
Recommendation 3. Conduct an Agency-wide IT security risk assessment of NASA’s
mission-related networks and systems in accordance with Federal guidelines and industry
best practices.
Management’s Response. The CIO and Mission Directorates concurred with our
recommendation, stating that NASA will develop and implement a strategy for
conducting such a risk assessment with the goals of (1) providing an overall view of the
Agency’s information security risk posture and effectiveness of ongoing information
security initiatives, particularly on NASA’s mission-related networks and systems, and
(2) producing actionable recommendations for improving information security, prioritized
by level of risk to the Agency, by August 31, 2011.
Evaluation of Management’s Response. We consider the proposed actions to be
responsive to our recommendation. Therefore, the recommendation is resolved and will
be closed upon verification that the proposed actions have been completed.
APPENDIXES
APPENDIX A
Scope and Methodology
We performed our audit from July through February 2011 in accordance with generally
accepted government auditing standards. Those standards require that we plan and
perform our work to obtain sufficient, appropriate evidence to provide a reasonable basis
for our findings and conclusions based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions based on
our audit objectives.
To evaluate processes NASA used to control the flow of network traffic between the
Internet and systems on NASA’s Agency-wide mission network, we inspected
configurations of the firewalls and network gears that control network traffic between the
Internet and agency-wide mission network.
To identify Internet-accessible servers on 100 percent of the Agency-wide mission
network, we used Nmap, a widely used software program, that can be used to discover IT
assets that are accessible from the Internet. Based on the results of Nmap scans, we
identified eight mission projects (two of which were decommissioned prior to the
completion of our audit fieldwork) that had computer servers that were accessible from
the Internet. We selected these projects for detailed review.
Specifically, we assessed whether NASA has effective processes in place to
• protect internal IT assets from external threats,
• resume post-disaster operations, and
• identify and remediate technical vulnerabilities.
We interviewed NASA and contractor staff responsible for the different areas for each
project reviewed. We evaluated processes, controls, and tools they used to secure their IT
mission assets and mitigate risk. We conducted vulnerability assessments on each of the
six IT projects identified to assess NASA’s ability to mitigate technical vulnerabilities.
Additionally, we inspected and validated the configurations of the devices that control the
flow of network traffic between the Internet and NASA’s mission projects against
NASA’s recommended configurations.
To evaluate processes NASA used for contingency planning for the Agency-wide mission
network, we assessed whether there are effective processes in place to not only restore the
network following a disruption but also to maintain network operations throughout the
occurrence of a disaster. We also developed questionnaires to interview NASA and
contractor staff responsible for the restoration of the Agency-wide mission network. We
inspected the contingency plans and contingency plan tests for the Agency-wide mission
network.
Use of Computer-Processed Data. We relied on data produced from a software
program to perform discovery scans on the Agency-wide mission network. We used
Nmap, a widely accepted open source port scanner, to determine what hosts (computers)
are active and which ports on these computers are open or may be open and available on a
given network and what services and applications those hosts are offering. We validated
the data produced by Nmap by manually connecting to the hosts identified by Nmap as
open.
We also relied on data produced from a software program to perform vulnerability tests
on samples of mission projects connected to the Agency-wide mission network. We used
NESSUS®, a commercial network-based vulnerability scanner, to test computers for
technical vulnerabilities. We did not validate the data produced by NESSUS® because
NESSUS® is widely accepted as a reliable source for providing information related to the
presence of technical vulnerabilities in information systems.
Review of Internal Controls
We reviewed internal controls related to the flow of network traffic between the Internet
and systems on NASA’s Agency-wide mission network and contingency planning audit
objectives. These included determining whether NASA has policies and procedures in
place for performing risk assessments, configuration and vulnerability management, and
contingency planning.
Prior Coverage
During the last 5 years, the NASA Office of Inspector General (OIG) and the Government
Accountability Office (GAO) have issued two reports of particular relevance to the
subject of this report. Unrestricted reports can be accessed over the Internet at
http://oig.nasa.gov/audits/reports/FY11 (NASA OIG) and http://www.gao.gov (GAO).
NASA Office of Inspector General
“Review of the Information Technology Security of [a NASA Computer Network]”
(IG-10-013, May 13, 2010).
Government Accountability Office
“NASA Needs to Remedy Vulnerabilities in Key Networks” (GAO-10-4, October 15,
2009)
APPENDIX B
MANAGEMENT COMMENTS
APPENDIX C
REPORT DISTRIBUTION
National Aeronautics and Space Administration
Administrator
Deputy Administrator
Chief of Staff
Chief Information Officer
Associate Administrator Aeronautics Research Mission Directorate
Associate Administrator Science Mission Directorate
Associate Administrator Exploration Systems Mission Directorate
Associate Administrator Space Operations Mission Directorate
Non-NASA Organizations and Individuals
Office of Management and Budget
Deputy Associate Director, Energy and Science Division
Branch Chief, Science and Space Programs Branch
Government Accountability Office
Director, NASA Financial Management, Office of Financial Management and
Assurance
Director, NASA Issues, Office of Acquisition and Sourcing Management
Congressional Committees and Subcommittees, Chairman and
Ranking Member
Senate Committee on Appropriations
Subcommittee on Commerce, Justice, Science, and Related Agencies
Senate Committee on Commerce, Science, and Transportation
Subcommittee on Science and Space
Senate Committee on Homeland Security and Governmental Affairs
House Committee on Appropriations
Subcommittee on Commerce, Justice, Science, and Related Agencies
House Committee on Oversight and Government Reform
Subcommittee on Government Organization, Efficiency, and Financial Management
House Committee on Science, Space, and Technology
Subcommittee on Investigations and Oversight
Subcommittee on Space and Aeronautics
Major Contributors to the Report:
Wen Song, Director, Information Technology Directorate
Jefferson Gilkeson, Project Manager
Eric Jeanmaire, Auditor
Morgan Reynolds, Auditor
MARCH 28, 2011
REPORT No. IG-11-017
OFFICE OF AUDITS
OFFICE OF INSPECTOR GENERAL
ADDITIONAL COPIES
Visit http://oig.nasa.gov/audits/reports/FY11/ to obtain additional copies of this report, or contact the
Assistant Inspector General for Audits at 202-358-1232.
COMMENTS ON THIS REPORT
In order to help us improve the quality of our products, if you wish to comment on the quality or
usefulness of this report, please send your comments to Mr. Laurence Hawkins, Audit Operations
and Quality Assurance Director, at Laurence.B.Hawkins@nasa.gov or call 202-358-1543.
SUGGESTIONS FOR FUTURE AUDITS
To suggest ideas for or to request future audits, contact the Assistant Inspector General for Audits.
Ideas and requests can also be mailed to:
Assistant Inspector General for Audits
NASA Headquarters
Washington, DC 20546-0001
NASA HOTLINE
To report fraud, waste, abuse, or mismanagement, contact the NASA OIG Hotline at 800-424-9183 or
800-535-8134 (TDD). You may also write to the NASA Inspector General, P.O. Box 23089, L’Enfant
Plaza Station, Washington, DC 20026, or use http://oig.nasa.gov/hotline.html#form. The identity of
each writer and caller can be kept confidential, upon request, to the extent permitted by law.