US Ballistic Missile Defense System Riddled With Security Flaws

  /     /     /  
Publicated : 23/11/2024   Category : security


US Ballistic Missile Defense System Riddled With Security Flaws


An Inspector Generals report concerning the Defense Departments Ballistic Missile Defense System found numerous security flaws, including a lack of multi-factor authentication and classified information stored on removable drives.



A report by the Defense Departments Inspector General found that the US Ballistic Missile Defense System is riddled with security problems, which include both cybersecurity issues, as well as a host of physical security issues.
The report,
Security Controls at DoD Facilities for Protecting Ballistic Missile Defense System Technical Information
, was published December 10 and released this week in a public document that includes numerous redactions to shield classified information.
This report stems from testimony that the Director of the Missile Defense Agency (MDA) gave to Congress in 2016, expressing concern about access to technical information about the Ballistic Missile Defense System (BMDS).
(Source:
iStock
)
In turn, following a two-year investigation, the Inspector General issued two reports about security within BMDS facilities -- the one released this week and an earlier document published in March.
The report also follows an examination by the US Government Accountability Office that found that Pentagons most advanced weapons systems were vulnerable to cyber attacks. (See
GAO: Pentagons New Weapons Systems Vulnerable to Cyber Attacks
.)
This new report paints a disturbing picture of cybersecurity practices with the Pentagons complex BMDS, including a lack of two-factor authentication to access classified information, technical details stored on removable devices and the need for greater intrusion detection capabilities.
Cybersecurity is also only one of many problems with BMDS.
The report finds that security officers at various facilities did not always limit unauthorized access to physical BMDS details and documents. In addition, when inspecting five different facilities, the officials found that server racks were left unlocked and that the data center manager did not always have the keys.
The document notes:

The disclosure of technical details could allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to deadly missile attacks. Increasing threats of long-range missile attacks from adversaries requires the effective implementation of system security controls to help reduce the number of exploitable weaknesses that attackers could use to exfiltrate BMDS technical information.

To put into perspective what is at stake,
Ballistic Missile Defense System
is what the Defense Department calls a layered architecture that gives the Pentagon several different opportunities to destroy incoming missiles and nuclear warheads before they reach targets.
BMDS is made up of numerous sensors on the ground, at sea and in space for detecting a tracking ballistic missiles; interceptor missiles for destroying ballistic missiles; and management and communications network that links all the parts together.
With the scope of the BMDS in the background, it makes the lack of cybersecurity protections within these various facilities, as well as the responsibility of the Army and Navy for IT security, particularly unnerving.For example, the Inspector General found that even though the Defense Department required the use of multi-factor authentication, those working within BMDS used single-factor authentication, such as username and password, to access information instead of being required to have a Common Access Card (CAC) or an RSA token.
While it can take two weeks to obtain a CAC or RSA token, the report found 34 different incidents when someone continued to access data using only the single-factor method. One person was able to access information for more than seven years using the less secure single-factor method.
Additionally, the Inspector General found that software patches to protect against vulnerabilities were not always applied, including for flaws that were listed as high or critical.
The report offers a series of recommendations that would seem more tailored for a mid-level enterprise than one of the most complex weapons systems on Earth, but these guidelines can cutdown on several security holes within an facility, whether government or private.
These include:
Enforcing multi-factor authentication to access systems that process, store and transmit technical information or obtain a waiver directly from the CIO
Plan and patch software vulnerabilities when they become known to the IT staff
Encrypt technical information that is stored on removable media and devices
Close the gaps in physical security, including the use of security cameras to track personnel throughout the facility
Related posts:
Pentagon, Citing Security, Will Stop Selling Huawei, ZTE Smartphones
DHS: Millions of Smartphones Infected With Severe Embedded Vulnerabilities
ZTE Cleared to Return to Business After US Lifts Ban
Government Workers Believe Security Is Someone Elses Job
— Scott Ferguson is the managing editor of Light Reading and the editor of
Security Now
. Follow him on Twitter
@sferguson_LR
.

Last News

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
US Ballistic Missile Defense System Riddled With Security Flaws