NASA Inspector General Paul K. Martin today released an audit report evaluating how well NASA is protecting its Agency-wide mission computer network from Internet-based attacks. The Office of Inspector General (OIG) performed this audit because NASA has experienced a number of cyber intrusions over the past few years that have resulted in the theft of export-controlled and other sensitive data from its mission computer networks.

The OIG review found that six computer servers associated with information technology (IT) assets that control NASA spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of them or render them unavailable. Moreover, once inside the Agency-wide mission network, the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA operations. We also found network servers that revealed encryption keys, encrypted passwords, and user account information to potential attackers.

We recommended that NASA: (1) immediately identify Internet-accessible computers on its mission networks and take prompt action to mitigate identified risks and (2) continuously monitor Agency mission networks for Internet-accessible computers and take prompt action to mitigate identified risks. Finally, to help ensure that all threats and vulnerabilities to NASA’s IT assets are identified and promptly addressed, we recommended that NASA conduct an Agency-wide IT security risk assessment. The Agency concurred with our findings and recommendations.

The full report can be found on the OIG’s website at http://oig.nasa.gov/ under “Reading Room” or at the following link: http://oig.nasa.gov/audits/reports/FY11/IG-11-017.pdf