REG NASA-LLIS-1250-2002 Lessons Learned Network Security Reduction of Vulnerabilities Penetration Exercises.pdf

1、Lessons Learned Entry: 1250Lesson Info:a71 Lesson Number: 1250a71 Lesson Date: 2002-06-17a71 Submitting Organization: HQa71 Submitted by: David LengyelSubject: Network Security/Reduction of Vulnerabilities/Penetration Exercises Description of Driving Event: Terrorist attacks of 9/11 have reinforced

2、the need to protect NASA network and communications resources from intrusion.Lesson(s) Learned: The terrorist attacks on September 11 emphasized the need for increased security of all national assets including NASAs computer systems. Since many of these systems safeguard the lives of astronauts and

3、cosmonauts and the safety of valuable international assets, it is crucial that security vulnerabilities be fully understood and closely managed.Recommendation(s): Accelerate the schedule of penetration exercises to gain greater insights into computer security vulnerabilities; determine if further th

4、reat analysis should be conducted; review all vulnerabilities; and ensure that plans are adequately formulated to mitigate these vulnerabilities and that work is proceeding to prevent critical systems from being compromised. Accelerate the schedule for the implementation of triple Data Encryption Sy

5、stem (DES). Evidence of Recurrence Control Effectiveness: The Agency and Center IT security program is a risk-based management and acceptance process. The program continues to evolve to incorporate and facilitate tools and metrics for greater insight into security vulnerabilities. Currently the Cent

6、ers perform quarterly vulnerability scans and metrics that are reported to the Agency. The vulnerabilities found are reviewed and worked through a defined process. Mission Critical systems external interfaces such as those of the JSC Mission Provided by IHSNot for ResaleNo reproduction or networking

7、 permitted without license from IHS-,-,-Control Center with the JSC Institutional Network are included in these quarterly assessments. We will continue to work to improve this process and capability as new technologies and tools become available. The change to incorporate the triple DES has been neg

8、otiated with the contractor; a probabilistic risk assessment associated with losing S-band communications is being conducted prior to Program implementation. Documents Related to Lesson: N/AMission Directorate(s): a71 Exploration Systemsa71 Sciencea71 Space Operationsa71 Aeronautics ResearchAddition

9、al Key Phrase(s): a71 Aerospace Safety Advisory Panela71 Communication Systemsa71 Computersa71 Policy & Planninga71 Risk Management/Assessmenta71 SecurityAdditional Info: Approval Info: a71 Approval Date: 2002-06-27a71 Approval Name: Bill Loewya71 Approval Organization: HQa71 Approval Phone Number: 202-358-0528Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-