The U.S. National Aeronautics and Space Administration (NASA) has identified more than 6,000 cyber-related incidents in the last four years, according to a report published by NASA’s Office of Inspector General.
The agency has a large surface of attack due to the presence of approximately 3,000 websites and more than 42,000 publicly accessible datasets. The audit conducted by NASA’s inspector general revealed that the agency has more than 4,400 applications, over 15,000 mobile devices, roughly 13,000 software licenses, nearly 50,000 computers, and a 39,000 Tb of data.
“Cyber incidents at NASA can affect national security, intellectual property, and individuals whose data could be lost or compromised. In cybersecurity, an attack vector is a path or means by which an attacker gains unauthorized access to a computer or network, for example, through email, websites, or external/removable media. Once an attacker gains access, they can exploit system vulnerabilities, gain access to sensitive data, install different types of malware, and launch cyber-attacks” reads the report published by the NASA’s Office of Inspector General.
Cyber attacks against the agency’s systems are not rare events, threat actors could attempt to steal critical information with sophisticated operations, and for this reason, it is essential for the agency to detect and mitigate them.
The Agency identified 1,785 cyber incidents in 2020, including brute-force attacks, email-related attacks, impersonation attacks, improper usage of the systems, loss/theft of equipment, and web-based attacks.
In 2020, most of the incidents were improper usage issues, followed by loss/theft of equipment and web-based attacks.
“The cyber threat to NASA’s computer networks from internet-based intrusions is expanding in scope and frequency, and the success of these intrusions demonstrates the increasingly complex nature of cybersecurity challenges facing the Agency. Simply put, to date the Agency’s IT security processes too often have been ineffective in staying ahead of the dynamic threat landscape.” continues the report.
Below the list of findings emerged from the report:
Among the significant findings:
• The Chief Information Officer (CIO) has struggled to implement an effective IT governance
structure that aligns authority and responsibility with the Agency’s overall mission.
• NASA lacked an Agency-wide risk management framework for information security and an
information security architecture.
• Pervasive weaknesses exist in NASA IT internal controls and risk management practices.
• The Security Operations Center lacks visibility and authority to manage information security
incident detection and remediation for the entirety of NASA’s IT infrastructure.
• NASA’s cybersecurity program remained ineffective at a Level 2 out of 5 (Federal Information
Security Modernization Act rating)—meaning the Agency has issued, but has not consistently
implemented, policy and procedures defining its security program.
• NASA is not adequately monitoring and enforcing the business rules necessary for granting
Mobile Device Management access to its network.
(SecurityAffairs – hacking, National Aeronautics and Space Administration)