Interesting article from SC Magazine:
IG scolds NOAA on security deficiencies, recommends fixes
The security climate is in need of change at the National Oceanic and Atmospheric Administration (NOAA) after a report from the Office of the Inspector General in the Department of Commerce found that “significant security deficiencies” — amounting to thousands of vulnerabilities — threaten its mission-critical systems.
Specifically, the report on the IG's audit of NOAA called out the agency for having its information systems connected to the National Environmental Satellite, Data, and Information Service (NESDIS) critical satellite ground support system, which it says “increases the risk of cyber attacks.”
“The Polar-orbiting Operational Environmental Satellites' (POES') and Geostationary Operational Environmental Satellites' (GOES') mission-critical satellite ground support systems have interconnections with systems where the flow of information is not restricted, which could provide a cyber attacker with access to these critical assets,” said the report, echoing security professionals who have always pegged the transitive trust between the systems that run the business and the infrastructure systems as a point of vulnerability.
After reviewing selected Windows components on four NESDIS systems, the Inspector General concluded that “inconsistent implementation of mobile device protections” boosted the probability of malware infection, primarily because unauthorized devices had been connected to critical systems and because GOES and the Environmental Satellite Processing Center (ESPC) didn't take steps to make sure that the Windows AutoRun feature was consistently disabled. Nearly half, 48 percent, of the ESPC's components — and 36 percent of GOES's — were accessed by unauthorized smart phones and thumb drives.
Ouch! More at the article - these are absolute basic security techniques and for them not to be implemented shows a disconnect. A perfect example of a Cyber Dunning-Kruger effect.
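The AutoRun and unauthorized-device findings above are the kind of thing an administrator can check on a single host in minutes. The following PowerShell audit script is an added example, not code from the SC Magazine article or the IG report; it assumes an elevated session on Windows Vista or later and reads only the documented Explorer policy values and the USBSTOR enumeration keys.

```powershell
# Added example, not from the SC Magazine article or the IG report: audit one Windows
# host for the two findings above, AutoRun policy and USB mass-storage device history.
# Assumes an elevated PowerShell session on Windows Vista or later.

function Get-AutoRunStatus {
    # Explorer policy keys that control AutoRun, per machine (HKLM) and per user (HKCU).
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $drive = Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $inf   = Get-ItemProperty -Path $p -Name NoAutorun          -ErrorAction SilentlyContinue
        # NoDriveTypeAutoRun=0xFF disables AutoRun on every drive type;
        # NoAutorun=1 makes Windows ignore autorun.inf entirely. Either one closes the hole.
        $driveVal = if ($drive) { '0x{0:X2}' -f $drive.NoDriveTypeAutoRun } else { '(not set)' }
        $infVal   = if ($inf)   { $inf.NoAutorun } else { '(not set)' }
        [pscustomobject]@{
            Hive               = $p.Substring(0, 4)
            NoDriveTypeAutoRun = $driveVal
            NoAutorun          = $infVal
            Compliant          = [bool](($drive -and $drive.NoDriveTypeAutoRun -eq 0xFF) -or
                                        ($inf   -and $inf.NoAutorun -eq 1))
        }
    }
}

function Get-UsbStorageHistory {
    # Every USB mass-storage device the host has ever enumerated leaves a key under
    # USBSTOR (model key, then one subkey per device instance); this is the kind of
    # evidence an auditor uses to count thumb drives and phones plugged into a system.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return }
    foreach ($model in Get-ChildItem -Path $root) {
        foreach ($instance in Get-ChildItem -Path $model.PSPath) {
            $props = Get-ItemProperty -Path $instance.PSPath
            [pscustomobject]@{
                Model        = $model.PSChildName
                InstanceId   = $instance.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

function Get-UsbStorageDriverState {
    # Start=4 means the USBSTOR driver is disabled, so new mass-storage devices will not mount.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue
    if ($svc -and $svc.Start -eq 4) { 'disabled' } else { 'enabled' }
}

Get-AutoRunStatus | Format-Table -AutoSize
"USB mass-storage driver: $(Get-UsbStorageDriverState)"
Get-UsbStorageHistory | Format-Table -AutoSize
```

A host where either policy table row shows Compliant = False, or where the USBSTOR history lists devices nobody issued, is exactly the state the IG report describes.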
From the link:
Dunning and Kruger proposed that, for a given skill, incompetent people will:
- tend to overestimate their own level of skill;
- fail to recognize genuine skill in others;
- fail to recognize the extremity of their inadequacy;
- do recognize and acknowledge their own previous lack of skill, if they are exposed to training for that skill.
The scientists at NOAA are not stupid people but they are only trained for specific areas of knowledge. Computer Data Security does not fall into those areas but they think that they are smart enough to implement their security measures. Epic Fail!
Graduate-level programs should have two quarters of mandatory networking and security classes.