The US Pentagon Has Numerous Security Gaps

The Pentagon has 266 cyber security exposures and vulnerabilities that have not been attended to or secured in recent years. These significant problems in the Pentagon’s IT systems have put the Pentagon at risk of hacks and data theft.

The Defense Department published the report on January 9th, and it reveals that a number of these issues have been a problem for at least 10 years.

However, the Defence Dept.’s IT auditors also found that other areas of the IT systems had been security and penetration tested and were working very well.

But there remain unaddressed IT issues, some more than a decade old, that should have been fixed in the Defense Department’s networks, according to the Defence Department’s internal ombudsmen. These 266 cyber insecurities had already been highlighted in a number of reports between July 2017 and June 2018, and some of these IT problems go back over a decade to 2008.

The auditors said that many of the problems exist because the IT and cyber monitoring and management policies were not very effective.

The unclassified reports identified improvements in the asset management, information protection processes and procedures, identity management and access control, and security continuous monitoring. The DoD has taken action to strengthen its cybersecurity posture by implementing actions to address 19 of the 159 recommendations made in those reports. In particular, the DoD needs to continue focusing on managing cybersecurity risks related to governance, asset management, information protection processes and procedures, identity management and access control, security continuous monitoring, detection processes, and communications. 

The largest number of weaknesses identified in this year’s summary were related to governance, which allows an organisation to inform its management of cybersecurity risk through the policies, procedures, and processes used to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements.

“Without proper governance, the DoD cannot ensure that it effectively identifies and manages cybersecurity risk as it continues to face a growing variety of cyber threats from adversaries, such as offensive cyberspace operations used to disrupt, degrade, or destroy targeted information systems.”

The auditors explain that a series of issues have been ignored and have not been tackled over the previous years. The department has not done enough to comply with the cybersecurity framework developed by the National Institute of Standards and Technology. The Defense Contract Management Agency has not properly trained its cyber specialists so that they receive the required certifications.

“Without adequate controls … the department cannot ensure that all of its systems, devices, personnel, and vulnerabilities are identified and managed,” auditors wrote.

The Defence Department has now begun work to upgrade all IT systems so as to assist the agency when it needs to address cyber threats and attacks. This is not a subject that only affects the US Department of Defence; if other governments did an independent audit of their IT systems, they would also find significant issues that have not been addressed.

News By CSI:

