NASA loses $7 million to repeat breaches

Powered by SC Magazine
 

Agency reveals scorching security report.

NASA suffered 5000 "security incidents" including major state-sponsored breaches which cost the organisation more than $7 million and disrupted mission operations. 

Inspector general Paul Martin said in a statement (pdf) some of the breaches in the last two years "may have been sponsored by foreign intelligence services seeking to further their countries' objectives".

Other hacks he said were perpetrated by "individuals testing their skill" and "well-organised criminal enterprises hacking for profit".

“Some of these intrusions have affected thousands of NASA computers, caused significant disruption to mission operations, and resulted in the theft of export-controlled and otherwise sensitive data, with an estimated cost to NASA of more than $7 million ($A6.5m),” Martin said.

He said it was the victim of 47 advanced persistent threat attacks last year, 13 of which successfully compromised agency computers.

More than 150 NASA staff credentials were stolen in a single attack.

"Our ongoing investigation of another such attack at JPL involving Chinese-based internet protocol addresses has confirmed that the intruders gained full access to key JPL systems and sensitive user accounts.”

A December 2010 audit found computers and hard drives loaded with sensitive NASA data, including one "subject to export control restrictions", were being sold or prepared for sale

NASA also reported the loss or theft of 48 agency mobile computing devices, some of which resulted in the unauthorised release of sensitive data.

Martin said an unencrypted NASA notebook computer stolen in March last year contained algorithms used to command and control the International Space Station.

“Moreover, NASA cannot consistently measure the amount of sensitive data exposed when employee notebooks are lost or stolen because the agency relies on employees to self-report regarding the lost data rather than determining what was stored on the devices by reviewing backup files,” he said.  

Challenges

Of NASA's annual $1.5bn  IT spend, approximately $58m was designated for security, according to Martin.

He said the agency's five most pressing security concerns were a lack of awareness of security posture; shortcomings in implementing continuous monitoring of security; the slow pace of encryption for mobile devices; defending sophisticated attacks, and the transition to cloud computing.

And while the chief information officer (CIO) is tasked with developing security policies and implementing an agency-wide programme, Martin admits they have a "limited ability" to force NASA's directorates to implement changes.

He said IT staff were responsible for implementing security controls on mission IT assets and report to the mission directorate and not the CIO. This meant the CIO did not have the authority to ensure that NASA's IT security policies are followed across the agency.

Martin further highlighted a lack of effective IT security within those directorates.

He said less than a quarter of applicable computers on a mission network were monitored for critical software patches.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition


NASA loses $7 million to repeat breaches
 
 
 
Top Stories
The True Cost of BYOD - 2014 survey
Twelve months on from our first study, is BYOD a better proposition?
 
Photos: Unboxing the Magnus supercomputer
Pawsey's biggest beast slots into place.
 
ANZ looks to life beyond the transaction
If digital disruptors think an online payments startup could rock the big four, they’ve missed the point of why people use banks, says Patrick Maes.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  29%
 
Application integration concerns
  3%
 
Security and compliance concerns
  28%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  21%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 1094

Vote