Not only do companies need to secure workers’ systems, they also need to keep an eye on contractors’ hardware.
A perfect case in point comes from the National Oceanic and Atmospheric Administration, where satellite data was stolen from a contractor’s personal computer last year, but the agency could not investigate the incident because the employee refused to turn over the PC, according to a new inspector general report.
This is but one of the “significant security deficiencies” that pose a threat to NOAA’s critical missions, the report said.
Other weaknesses include unauthorized smartphone use on key systems and thousands of software vulnerabilities.
The July 15 report made public Friday concentrates on information technology security problems at NOAA’s National Environmental Satellite, Data, and Information Service. NOAA is part of the Commerce Department.
During the 2013 incident, “an attacker exfiltrated data from a NESDIS system to a suspicious external IP address via the remote connection established with a personal computer,” said Allen Crawley, Commerce’s assistant IG for systems acquisition and IT security.
NOAA determined the PC likely suffered from a malware infection, but the agency could not examine the machine further because “the owner of the personal computer, even though a NESDIS contractor, did not give NOAA permission to perform forensic activities on the personal computer,” Crawley said.
The inspector general cited this case as an example of why it’s a bad idea — and a violation of Commerce policy — for any personnel to access NOAA information systems using personal computers. In response to a draft report, NOAA officials noted the system in question was not a “high-impact” system.
The report, however, also focused on vulnerabilities to high-impact systems related to weather satellites, such as the Polar-orbiting Operational Environmental Satellites and Geostationary Operational Environmental Satellites.
Unauthorized smartphone and thumb drive use was detected on 41 percent of components in systems supporting POES; 36 percent of GOES support systems; and 48 percent of components in the Environmental Satellite Processing Center, a system that handles data received from the satellites.