The National Aeronautics and Space Administration (NASA) is pretty good at keeping Classified information away from falling into the wrong hands, but it’s not that good at labeling all of the right data as Classified.
This becomes a major problem because it puts many projects and information in jeopardy from insider attacks, says the latest report on the organization's state of cybersecurity, published by the NASA Office of Inspector General.
The “NASA’s insider threat program” report reveals that the “vast majority” of NASA technology is not labeled as Classified, including "high-value assets and critical infrastructure." Some of these assets include "sensitive and valuable information such as scientific, engineering, or research data; human resources files; or procurement sensitive information."
We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.
>> Click here to start the survey in a new window (opens in new tab) <<
Labeling classified data
As these items are not labeled as Classified, they aren’t covered by the various defenses the organization deployed for its insider protection program.
Things wouldn’t be that bad if unclassified, but sensitive information, wasn’t abused every day. The auditor says in its report that the number of incidents, including the improper use of the organization’s IT systems, rose 343% in three years (from 249 in 2017, to 1,103 in 2020).
Of all these incidents, the most common problem was “failing to protect Sensitive but Unclassified (SBU) information”. Apparently, many NASA employees were sending each other unencrypted emails containing SBU data, Personally Identifiable Information (PII), or International Traffic in Arms Regulations data.
> Data Security: What is it? (opens in new tab)
> Data privacy is more important than ever in the age of remote work (opens in new tab)
> The ‘Great Resignation’ is a threat to cyber security (opens in new tab)
Another potential problem is frequent privilege elevation for the employees. In the last three years, NASA users made more than 12,000 requests for privilege elevation.
To better protect its data, the watchdog hints, NASA needs to reorganize informational security responsibilities. As things stand now, multiple teams are in charge of securing the organization's endpoints (opens in new tab), including the Office of Protective Services (OPS), and the Office of the Chief Information Officer (OCIO).
- Check out our list of the best firewalls (opens in new tab) right now
Via: The Register (opens in new tab)