A security audit of the US ballistic missile system carried out by the US Department of Defense Inspector General (DOD IG) has revealed a range of severe security issues. The audit was conducted in response to a congressional requirement to audit the controls available to protect BMDS technical information, whether managed by cleared Defense contractors or by the Government.
The audit's conclusion is troubling, stating that “the Army, Navy, and MDA did not protect networks and systems that process, store, and transmit BMDS technical information.”
In short, the missile system lacks basic security measures, including proper multifactor authentication, antivirus software, and data encryption. On top of that, the report found that some of the unpatched vulnerabilities are 28 years old.
Lack of Multifactor Authentication, Numerous Unpatched Flaws
According to the report, the most troubling issue is the one regarding multifactor authentication. Typically, new MDA (Missile Defense Agency) employees receive a username and password needed for BMDS’s networks. They are also provided with a so-called common access card (CAC), which should be enabled and used together with a password and a second-factor authentication method. The problem is that in three out of five inspected locations, employees hadn’t enabled multifactor authentication for their accounts and were using only usernames and passwords to access the BMDS’s network.
What does this lack mean? It leaves employees and systems prone to phishing attacks that aim to collect passwords and allow threat actors to access the systems.
To top that off, some of the systems were found to be vulnerable, with missing patches for security flaws dating back to 1990! Others were discovered and fixed in 2013 and 2016, but no patches were applied, leaving the systems open to attack. It should be noted that the report is heavily redacted in this particular part, meaning that the flaws are still being fixed as we speak.
The security recommendations that address all the issues include:
- using multifactor authentication;
- mitigating vulnerabilities in a timely manner;
- protecting data on removable media;
- implementing intrusion detection capabilities.
Previous Reports Discovered Issues in Federal Agencies, Marine Corps Websites
Another report that was released in the summer, titled “Federal Cybersecurity Risk Determination Report and Action Plan”, highlighted the cybersecurity inadequacy of U.S. federal agencies.
In short, the report discovered that there is little situational awareness, few standard processes for reporting or managing attacks, and almost no agencies appropriately carrying out even basic encryption. According to the OMB, the current federal state of cybersecurity is “untenable”. More particularly, as many as three quarters of federal agencies have highly insufficient cybersecurity programs with significant security gaps. Some of the programs are rated as “at risk” while others are “high risk”, where fundamental processes are lacking.
What is more, in October, as many as 150 vulnerabilities were discovered by white hat hackers in US Marine Corps websites and related services. The vulnerabilities were uncovered during a bug bounty program called “Hack the Marine Corps”, organized by the US Department of Defense and HackerOne. More than 100 ethical hackers attended the event.