Audit Finds Cyber Vulnerabilities In US Missile Defense System

The Army, Navy and Missile Defense Agency are failing to take basic cybersecurity steps to ensure that information on America’s ballistic missile defense system won’t fall into nefarious hands, according to a Defense Department Inspector General audit released in December.

Investigators visited five sites that manage ballistic missile defense elements and technical information, but the names of the commands were redacted in the publicly released report.

“The Army, Navy and MDA did not protect networks and systems that process, store, and transmit (missile defense) technical information from unauthorized access and use,” the declassified report states.

Such inadequacies “may allow US adversaries to circumvent (missile defense) capabilities, leaving the United States vulnerable to missile attacks,” the report states.

They found officials failed to employ safeguards familiar to most people online in 2018, the latest development to raise questions about the U.S. military’s cybersecurity vulnerabilities.

Among the shortcomings: Administrators for classified networks had no intrusion detection and prevention systems in place to watch for cyberattacks, much less stop them, according to the report.

At one site, officials said they had requested to purchase those cyber safeguards in December 2017 but nine months later it still hadn’t been approved.

“Without intrusion detection and prevention capabilities, (the site) cannot detect malicious attempts to access its networks and prevent cyberattacks designed to obtain unauthorised access and exfiltrate sensitive (missile defense) technical information,” the report states.

Officials also failed to patch system flaws after receiving vulnerability alerts, one of which had first been identified in 1990 and had still not been fixed by April.

Another vulnerability that could be exploited by an attacker was first identified in 2013 but also was never patched, according to the report.

“Countless cyber incident reports show that the overwhelming majority of incidents are preventable by implementing basic cyber hygiene and data safeguards, which include regularly patching known vulnerabilities,” the IG report states. “(Missile defense) technical information that is critical to national security could be compromised through cyberattacks that are designed to exploit these weaknesses.”

Some facilities failed to force employees to use common access cards, or CAC, when accessing the classified system, a basic cybersecurity practice known as multi-factor identification.

Instead, officials were able to access the sensitive information using just a username and password, the report states.

Hackers use phishing and other tactics to exploit passwords and gain access to such systems.

New hires are supposed to be allowed network access without a card for only their first two weeks on the job. But IG investigators found users on the systems without CAC cards for up to seven years.

At one site, a domain administrator never configured the network to allow only CAC holder access.

“Allowing users to access networks using single factor authentication increases the potential that cyber attackers could exploit passwords and gain access to sensitive (missile defense) technical information,” the report states.

Investigators also found unlocked server racks at some locations, another key vulnerability to insider snoopers.

“The insider threat risk necessitates that organisations implement controls…to reduce the risk of malicious personnel manipulating a server’s ability to function as intended and compromising sensitive and classified data,” the report states.

External storage devices held unencrypted data and some sites failed to track who was accessing data, and why. Other administrators told investigators that they lacked the ability to record or monitor data downloaded from the network onto these devices.

Unless these officials enforce the encryption of such removed data and monitor its downloading and transferring, “they will be at increased risk of not protecting sensitive and classified (missile defense) technical information from malicious users,” the report states.

Investigators also found that some supposedly secure sites were failing to even lock their doors. One location had a security door that hadn’t worked for years.

“Although security officials were aware of the problem, they did not take appropriate actions to prevent unauthorised personnel from gaining unauthorized access to the facility,” the report states.

Other sites featured no security cameras to monitor personnel movement and security officers failed to conduct badge checks.

While the report makes recommendations to fix the documented problems, officials for the inspected agencies offered no comments on the non-classified draft report of the audit.

Friday’s scathing IG audit marked the latest in a string of reports detailing shoddy cybersecurity throughout the armed forces and defense contractors.

During the same week, the Wall St. Journal reported that Chinese hackers are targeting military systems and those of defense contractors working on Navy projects.

Beijing-linked cyber raids have attempted to steal everything from missile plans to ship-maintenance data in a series of hacks over the past 18 months, the Journal reports.

As a result, Navy Secretary Richard Spencer has ordered a “comprehensive cybersecurity review” to assess if the Navy’s cyber efforts “are optimally focused, organised, and resourced to prevent serious breaches,” spokesman Capt. Greg Hicks said.

The review will also look at authorities, accountability and if the efforts reflect and incorporate government and industry best practices, he said.

“Secretary Spencer’s decision to direct a review reflects the serious to which the DoN prioritises cybersecurity in this era of renewed great power competition,” Hicks said.

Navy Times:

You Might Also Read:

Chinese Hackers Steal Naval Warfare Secrets

 

« Women In Cyber Take The Spotlight
The US Is Buying Phone Hacking Tools For Ghana’s Police »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Pen Test Partners LLP

Pen Test Partners LLP

Pen Test Partners provides penetration testing, security assessment and training services.

Malware.lu

Malware.lu

Malware.lu is a repository of malware and technical analysis. The goal of the project is to provide samples and technical analysis to security researchers.

Freshfields Bruckhaus Deringer

Freshfields Bruckhaus Deringer

Freshfields Bruckhaus Deringer is a global law firm with a track record of successfully supporting the world's leading corporations, financial institutions and governments.

Cyber Indemnity Solutions (CIS)

Cyber Indemnity Solutions (CIS)

CIS is an InsurTech company focused on licensing innovative cyber risk insurance solutions to the global insurance industry.

Dcoya

Dcoya

Dcoya's complete security awareness training program gives you out-of-the-box compliance with PCI-DSS, HIPAA, SOX and ISO regulations.

Mission Secure (MSi)

Mission Secure (MSi)

MSi is a specialized provider of next generation cyber defense solutions protecting control systems and critical physical assets in energy, transportation and defense.

CloudMask

CloudMask

CloudMask patent technology provides Dynamic Data Masking (DDM) that masks sensitive data, structured or non-structured, in real-time.

US Venture Partners (USVP)

US Venture Partners (USVP)

USVP is a leading Silicon Valley venture capital firm focusing on early-stage start-ups that transform cybersecurity, enterprise software, consumer mobile and e-commerce, and healthcare.

SOFTwarfare

SOFTwarfare

SOFTwarfare deliver high-quality, reliable and secure enterprise application integrations through RESTful APIs for Cyber, Ops & Dev.

Sovereign Intelligence

Sovereign Intelligence

Sovereign Intelligence provides automated insight into the relative intensity of hidden Cyber, Brand, and Financial Risks to your company.

RNTrust

RNTrust

RNTrust provide solutions to meet today’s digital challenges utilizing digital technologies and services to make you more secured in digitally connected environment.

Fortify 24/7

Fortify 24/7

Fortify 24×7 provides a robust portfolio of managed cybersecurity solutions to help you identify and prevent attacks.

Endure Secure

Endure Secure

Endure Secure is a managed cyber security & information security consultancy. Our passion for IS and our understanding of the threat landscape is reflected in the services that we provide.

NexGen Cyber

NexGen Cyber

NexGen Cyber helps customers in commercial SMB markets with IT security, security integration, service management, outsourced service transition, and transformative security solutions.

Diversified Search Group - Alta Associates

Diversified Search Group - Alta Associates

Diversified Search Group is an industry leader in recruiting diverse, inclusive and transformational leadership for clients.

Semgrep

Semgrep

Semgrep is a fast, open-source, static analysis tool for profoundly improving software security and reliability.