Flyslinger2
Community Champion

Keep an eye on the moon - NASA fails security inspection

I suspect the mentality is "we are a research organisation we don't have to play by the rules" and it permeates from the top clear down to the maintenance staff.  

 

Maybe their funding should be stopped until they get a passing grade!?!?

6 Replies
Cousy14
Newcomer II

clearly NASA is 'over the moon' about information security -- lol

emb021
Advocate I

Yeah, well, similar attitude I saw when I worked with engineers and developers at a major multi-national.  They all thought as they were "technical" people that a) they should get admin access to their systems and b) they were creative people and security just got in their way of doing their job.

 

When I work with clients in other industries, I see the same thing.  In medical field, security "gets in the way" of doing whatever job they are doing, being creative, etc.  Or security is "IT's responsibility", not theirs...

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
Flyslinger2
Community Champion


@emb021 wrote:

Yeah, well, similar attitude I saw when I worked with engineers and developers at a major multi-national.  They all thought as they were "technical" people that a) they should get admin access to their systems and b) they were creative people and security just got in their way of doing their job.

 

When I work with clients in other industries, I see the same thing.  In medical field, security "gets in the way" of doing whatever job they are doing, being creative, etc.  Or security is "IT's responsibility", not theirs...


My current customer is a DoD research group and same thing applies. Thankfully they were commanded to make IA happen so now they are dragging their feet and kicking pebbles trying to obstruct but at least it is moving forward.

JoePete
Advocate I


@emb021 wrote:

When I work with clients in other industries, I see the same thing.  In medical field, security "gets in the way" of doing whatever job they are doing, being creative, etc.  Or security is "IT's responsibility", not theirs...


Yes, very much a prevalent hurdle we security folks face. I've come to the conclusion/approach that more than anything this indicates how security/quality was not integrated from the beginning. It can help deflect the issue from "the problem is you" to "Hey, I need your help in fixing something that has been screwed up from the start." Organizationally, we should be integrating quality (I look at security as a function of quality) from the beginning in any process or role. Instead, we often sacrifice quality in order to capture market share. That's the tendency today - nearly every business model demands a certain scale to succeed. We no longer have the "start small, do it right, and build from there" model. The early days of NASA were all about working the problem (and even then we had some notable failures) but today, too many engineers, of any sort have been raised on the attitude of "we'll fix that with 2.0" Ask Boeing how that's going ....

rslade
Influencer II

> Flyslinger2 (Community Champion) posted a new topic in Industry News on

> I suspect the mentality is "we are a research organisation we don't have to play
> by the rules" and it permeates from the top clear down to the maintenance
> staff. Maybe their funding should be stopped until they get
> a passing grade!?!?

You think you're funny, but you're not.

I'm a bit surprised that it's fallen so far. (Then again, I taught NASA some years
back. So maybe I'm not ...) A friend used to be in charge of NASA's networks, and
he told us, one time, that they were paranoid[1] about security and intrusions.
That was because, every time *any* NASA machine got hacked (even if it was just the
inventory machine for the gift shop), NASA's budget dropped $10M.




[1] - How paranoid? Well, when they first wanted to test out this new thing called
the Internet (actually, it wasn't called the Internet yet), they set up a machine,
connected it to the outside connection via an RS-232 cable that had had the
"transmit" pin sheared off, so that it couldn't leak anything. They sent out a
ping, to test it--and got a response.

OK, how do you get a response if you can't transmit? In those days you had *full*
TCP/IP networking on pretty much all machines. So their test machine, trying to
transmit on the outbound connection, got no response, so it started the
networking thing. Found a local network, and, lo and behold, there was another
machine on the LAN that had TCP/IP, so it rewrote the routing tables and
transmitted via it. (This other machine belonged to a researcher who,
unbeknownst to the network guys, had an account with a local university, and
happened to be online via modem at the time the test was done.) (TCP/IP is
*really* robust.)

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
The countries that out-educate today will out-perform in the
future. - Jack Markell
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

> emb021 (Newcomer III) posted a new reply in Industry News on 03-19-2019 05:20 PM

> They all thought as they were "technical" people
> that a) they should get admin access to their systems and b) they were creative
> people and security just got in their way of doing their job.

Possibly so. I have *way* too many "NASA" stories for the brief time I spent
teaching them. And remember: I was, literally, teaching "rocket scientists" ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
He has achieved success who has lived well, laughed often, and
loved much; who has enjoyed the trust of pure women, the respect
of intelligent men, and the love of little children; ... whose
life was an inspiration, whose memory a benediction.
- Bessie Anderson Stanley, competition entry to define Success
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB
