New report shows that NOAA's IT security program needs to be revised

Jul 30, 2014 01:59 GMT

A report from the Department of Commerce on the security of National Oceanic and Atmospheric Administration (NOAA) computer systems against cyber-attacks revealed significant deficiencies.

The assessment found that information flow is not restricted in any way between the networks of the Polar-orbiting Operational Environmental Satellites (POES) and Geostationary Operational Environmental Satellites (GOES) projects, which would give a potential attacker access to critical data.

Both projects are part of the National Environmental Satellite, Data, and Information Service (NESDIS), which provides access to global environmental information from satellites and other sources for the purpose of protecting and improving the US economy and security.

The lack of strong policies regulating the use of mobile devices, which are potential carriers of malware, on NESDIS computers is another weakness an attacker could leverage for an intrusion.

In particular, the assessment found that unauthorized mobile devices had been connected to workstations belonging to different projects.

“Mobile devices can carry malware that, when plugged into a workstation or server, could execute malicious code residing on the device and lead to a compromised system. Accordingly, there has been a long-standing requirement that agencies restrict the use of mobile devices.”

“Implementing required mobile device security mechanisms helps prevent the spread of malware and limits the risk of a compromise of critical assets. Further, mobile devices are one of the means by which an attacker can access and compromise a system with restricted interconnections, such as NESDIS’ satellite ground-support systems POES and GOES,” says the report.

Additionally, on some of the systems the Windows AutoRun feature had not been disabled, which is considered a significant security risk because malicious code can be executed automatically from a removable device as soon as it is plugged in.
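The two removable-media controls the report calls out, restricting mobile devices and disabling AutoRun, can be audited on a Windows host with a short script. The following PowerShell is an added example and is not code from the report, from NOAA or from the article; it assumes Windows PowerShell 5.1 or later, read access to HKLM, and administrative rights only for the optional hardening function. The registry locations are the Microsoft-documented ones (the Explorer policy values NoDriveTypeAutoRun and NoAutorun, and the USBSTOR service Start value); the function names and the output fields are this example's own.

```powershell
# Added example (not from the report or the article): audit the removable-media
# posture of a Windows host and, optionally, apply the AutoRun hardening.
# Assumes Windows PowerShell 5.1+ and read access to HKLM.

$ExplorerPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UsbStorServicePath = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Read a single registry value; return $null when the key or value is absent
# rather than throwing, so a missing policy shows up as a finding.
function Read-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-RemovableMediaPosture {
    [CmdletBinding()]
    param()

    $noDriveTypeAutoRun = Read-RegValue -Path $ExplorerPolicyPath -Name 'NoDriveTypeAutoRun'
    $noAutorun          = Read-RegValue -Path $ExplorerPolicyPath -Name 'NoAutorun'
    $usbStorStart       = Read-RegValue -Path $UsbStorServicePath -Name 'Start'

    # NoDriveTypeAutoRun is a bitmask of drive types: 0xFF covers every type,
    # bit 0x04 on its own covers removable drives (USB sticks, card readers).
    $autoRunOffAllDrives = ($null -ne $noDriveTypeAutoRun) -and (($noDriveTypeAutoRun -band 0xFF) -eq 0xFF)
    $autoRunOffRemovable = ($null -ne $noDriveTypeAutoRun) -and (($noDriveTypeAutoRun -band 0x04) -ne 0)
    # NoAutorun = 1 stops Explorer from honouring autorun.inf at all.
    $autorunInfIgnored   = ($noAutorun -eq 1)
    # Service Start = 4 means the USB mass-storage driver is disabled.
    $usbStorageDisabled  = ($usbStorStart -eq 4)

    [PSCustomObject]@{
        ComputerName             = $env:COMPUTERNAME
        NoDriveTypeAutoRun       = $noDriveTypeAutoRun
        AutoRunDisabledAllDrives = $autoRunOffAllDrives
        AutoRunDisabledRemovable = $autoRunOffRemovable
        AutorunInfIgnored        = $autorunInfIgnored
        UsbStorageDriverDisabled = $usbStorageDisabled
        Findings                 = @(
            if (-not $autoRunOffAllDrives) { 'AutoRun not disabled for all drive types (NoDriveTypeAutoRun is not 0xFF)' }
            if (-not $autorunInfIgnored)   { 'autorun.inf still honoured (NoAutorun is not 1)' }
            if (-not $usbStorageDisabled)  { 'USB mass-storage driver enabled (USBSTOR Start is not 4)' }
        )
    }
}

# Optional remediation: equivalent to the "Turn off AutoPlay: All drives"
# Group Policy setting. Supports -WhatIf so it can be dry-run first.
function Set-AutoRunDisabled {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($ExplorerPolicyPath, 'Disable AutoRun for all drive types')) {
        New-Item -Path $ExplorerPolicyPath -Force | Out-Null
        New-ItemProperty -Path $ExplorerPolicyPath -Name 'NoDriveTypeAutoRun' -PropertyType DWord -Value 0xFF -Force | Out-Null
        New-ItemProperty -Path $ExplorerPolicyPath -Name 'NoAutorun'          -PropertyType DWord -Value 1    -Force | Out-Null
    }
}

# Usage: print the posture of this host. Pipe to Export-Csv across a fleet to
# get the kind of inventory the assessors were missing.
Get-RemovableMediaPosture | Format-List
```

Disabling the USBSTOR driver is deliberately left to policy tooling rather than this script, since it blocks every USB storage device including ones the site may have approved; the audit only reports whether it is in place.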

It appears that NESDIS fails to implement fundamental security requirements, such as applying patches for vulnerabilities, enforcing security measures for the remote access mechanism, or controlling secure configuration settings on IT systems (operating systems, database and web servers).

Briefly put, NESDIS computers are plagued by high-risk vulnerabilities, there is no two-factor authentication for remote access, and nothing prevents personal computers from being used to log in remotely. Adopting security-conscious practices, such as replacing the passwords delivered by default with installed software with strong ones, would be the best way to go.

Additional problems concern the assessments of National Weather Service (NWS) computer systems, which are provided by an independent entity so that an unbiased opinion about the agency's security posture can be obtained.

The report found that the entity currently in charge of the security evaluation did not perform its job to the required standard, and that 47% of the control assessments contained inadequacies, so they did not give an accurate picture of the implementation status of the system's security controls.

A draft report was sent to NOAA, which agreed with some of the findings and proceeded to take remediation actions.