


Friday 2 March 2012

NASA reveals extent of malware infection and device loss, and admits CIO's authority is limited

NASA has admitted that it experienced more than 5,000 computer security incidents that led to the installation of malicious software on its systems and the theft of "export-controlled" and otherwise sensitive data.

In a written statement, Paul K. Martin, inspector general of NASA, said that some of the breaches in 2010 and 2011 "could have been sponsored by foreign intelligence services looking to further their countries' objectives".

He said: "These incidents spanned a wide continuum, from individuals testing their skill to break into NASA systems, to well-organised criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services trying to further their countries' objectives.

"Some of those intrusions have affected thousands of NASA computers, caused significant disruption to mission operations, and led to the theft of export-controlled and otherwise sensitive data, with an estimated cost to NASA of more than $7m."

Martin also said that NASA was the victim of 47 advanced persistent threat (APT) attacks in 2011, 13 of which successfully compromised Agency computers. Martin said: "In one of the successful attacks, intruders stole user credentials for more than 150 NASA employees. Our ongoing investigation of another such attack at JPL involving Chinese-based internet protocol addresses has confirmed that the intruders gained full access to key JPL systems and sensitive user accounts."

He also admitted that an audit in December 2010 found computers and hard drives being sold, or being prepared for sale, even though they still contained sensitive NASA data; one contained data "subject to export control restrictions".

Another audit (covering April 2009 to April 2011) found that NASA had reported the loss or theft of 48 Agency mobile computing devices, some of which resulted in the unauthorised release of sensitive data. Martin said the March 2011 theft of an unencrypted NASA laptop led to the loss of the algorithms used to command and control the International Space Station.

"Moreover, NASA cannot consistently measure the amount of sensitive data exposed when employee notebooks are lost or stolen because the Agency relies on employees to self-report regarding the lost data rather than determining what was stored on the devices by reviewing backup files," he said.

Martin also said that of NASA's annual $1.5bn IT spend, approximately $58m was designated for security. He identified the five most serious challenges in protecting its information and systems from inadvertent loss or malicious theft as: lack of full awareness of the Agency-wide IT security posture; shortcomings in implementing a continuous monitoring approach to IT security; the slow pace of encryption for NASA laptops and other mobile devices; the ability to combat sophisticated cyber attacks; and the transition to cloud computing.

Martin pointed to the chief information officer (CIO) as being responsible for developing IT security policies and procedures and implementing an Agency-wide IT security programme, yet said the CIO has "limited ability to direct NASA's mission directorates to fully implement CIO-recommended or mandated IT security programmes".

He also said that IT staff are responsible for implementing security controls on mission IT assets and report to the mission directorate rather than the CIO; as a result, the CIO does not have the authority to ensure that NASA's IT security policies are followed across the Agency.

Other IT security failings were highlighted, with Martin noting that mission directorates often lack effective IT security, and that only 24 per cent of applicable computers on one mission network were monitored for critical software patches.


