Dark Reading is part of the Informa Tech Division of Informa PLC


Operational Security

12/18/2018
09:35 AM
Scott Ferguson
News Analysis-Security Now

US Ballistic Missile Defense System Riddled With Security Flaws

An Inspector General's report concerning the Defense Department's Ballistic Missile Defense System found numerous security flaws, including a lack of multi-factor authentication and classified information stored on removable drives.

A report by the Defense Department's Inspector General found that the US Ballistic Missile Defense System is riddled with security problems, including both cybersecurity issues and a host of physical security issues.

The report, "Security Controls at DoD Facilities for Protecting Ballistic Missile Defense System Technical Information," was published December 10 and released this week in a public document that includes numerous redactions to shield classified information.

This report stems from testimony that the Director of the Missile Defense Agency (MDA) gave to Congress in 2016, expressing concern about access to technical information about the Ballistic Missile Defense System (BMDS).

In turn, following a two-year investigation, the Inspector General issued two reports about security within BMDS facilities -- the one released this week and an earlier document published in March.

The report also follows an examination by the US Government Accountability Office that found that the Pentagon's most advanced weapons systems were vulnerable to cyber attacks. (See GAO: Pentagon's New Weapons Systems Vulnerable to Cyber Attacks.)

This new report paints a disturbing picture of cybersecurity practices with the Pentagon's complex BMDS, including a lack of two-factor authentication to access classified information, technical details stored on removable devices and the need for greater intrusion detection capabilities.

Cybersecurity is also only one of many problems with BMDS.

The report finds that security officers at various facilities did not always limit unauthorized access to physical BMDS details and documents. In addition, when inspecting five different facilities, the officials found that server racks were left unlocked and that the data center manager did not always have the keys.

The document notes:

The disclosure of technical details could allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to deadly missile attacks. Increasing threats of long-range missile attacks from adversaries requires the effective implementation of system security controls to help reduce the number of exploitable weaknesses that attackers could use to exfiltrate BMDS technical information.

To put into perspective what is at stake, the Ballistic Missile Defense System is what the Defense Department calls a "layered" architecture that gives the Pentagon several different opportunities to destroy incoming missiles and nuclear warheads before they reach targets.

BMDS is made up of numerous sensors on the ground, at sea and in space for detecting and tracking ballistic missiles; interceptor missiles for destroying ballistic missiles; and a management and communications network that links all the parts together.

Given the scope of the BMDS, the lack of cybersecurity protections within these various facilities, as well as the responsibility of the Army and Navy for IT security, is particularly unnerving.

For example, the Inspector General found that even though the Defense Department required the use of multi-factor authentication, those working within BMDS used single-factor authentication, such as username and password, to access information instead of being required to have a Common Access Card (CAC) or an RSA token.

While it can take two weeks to obtain a CAC or RSA token, the report found 34 different incidents when someone continued to access data using only the single-factor method. One person was able to access information for more than seven years using the less secure single-factor method.

Additionally, the Inspector General found that software patches to protect against vulnerabilities were not always applied, including for flaws that were listed as high or critical.

The report offers a series of recommendations that would seem more tailored for a mid-level enterprise than one of the most complex weapons systems on Earth, but these guidelines can cut down on several security holes within a facility, whether government or private.

These include:

  • Enforcing multi-factor authentication to access systems that process, store and transmit technical information, or obtaining a waiver directly from the CIO
  • Planning for and patching software vulnerabilities when they become known to the IT staff
  • Encrypting technical information that is stored on removable media and devices
  • Closing the gaps in physical security, including the use of security cameras to track personnel throughout the facility


— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.
