A security audit by the Department of Defense Inspector General found multiple cybersecurity flaws in U.S. Ballistic Missile Defense Systems (BMDS). The BMDS stores missiles for defense against short- and intermediate-range missile attacks against the U.S.
The report, now mostly redacted and issued last week, stated that the classified networks were vulnerable to both internal and external threats. There were security holes in the processing, storage, and transmission of both classified and unclassified technical information related to military/space research, engineering drawings, algorithms, technical reports, and source code. This information was left unencrypted, and encryption was not enforced by officials.
The report stated the following:
“We determined that officials from the———– did not consistently implement security controls and processes to protect BMDS technical information”
Basic security practices were lacking in several locations: unlocked server racks, unpatched systems, and a lack of multifactor authentication. Server racks were left unlocked and accessible to anyone walking by. One location had a sign posted saying the ‘server door must remain locked at all times’, but the door was still left unlocked. Further, basic guidelines were unknown to data center managers.
One data center manager said,
“He was not aware of the requirement to secure the server racks and keys but considered the existing security protocols to be sufficient because the limited who had access to the data center.”
Auditors also found that many users did not have multifactor authentication enabled and were using only a username and password to get into the networks. Although procedures state that all new MDA employees must use multifactor authentication within two weeks of being hired, three out of five inspected locations did not follow them. BMDS systems were also left unpatched by IT administrators, leaving computers and networks vulnerable to both remote and local threats. Many of these unpatched vulnerabilities had patches available going back over two decades, including from 2016, 2013, and even 1990.
The report also said:
“Increasing threats of long-range missile attacks from adversaries requires the effective implementation of system security controls to help reduce the number of exploitable weaknesses that attackers could use to exfiltrate BMDS technical information.”
It is also important to note that this report does not paint a clear picture of all BMDS locations: the audit was done on five out of 104 facilities. Lamat Bailey, Director of Security Research and Development, commented: “[The report] shows results for the facilities visited broken down into weaknesses in the seven areas audited. Only one audit hit all five locations and this dealt with justification for access. Five of the weaknesses say they were not “consistently” used but this can apply to “administrative, facility, a lab or both” so they may not apply to the networks with the defense/offense controls.”
It is crucial for organizations to regularly audit their systems for a full review against best guidelines and practices. Contact LIFARS for Gap Analysis Solutions.