
Operational Security

12/18/2018
09:35 AM
Scott Ferguson
News Analysis-Security Now

US Ballistic Missile Defense System Riddled With Security Flaws

An Inspector General's report concerning the Defense Department's Ballistic Missile Defense System found numerous security flaws, including a lack of multi-factor authentication and classified information stored on removable drives.

A report by the Defense Department's Inspector General found that the US Ballistic Missile Defense System is riddled with security problems, both cybersecurity issues and a host of physical security issues.

The report, "Security Controls at DoD Facilities for Protecting Ballistic Missile Defense System Technical Information," was published December 10 and released this week in a public document that includes numerous redactions to shield classified information.

This report stems from testimony that the Director of the Missile Defense Agency (MDA) gave to Congress in 2016, expressing concern about access to technical information about the Ballistic Missile Defense System (BMDS).

In turn, following a two-year investigation, the Inspector General issued two reports about security within BMDS facilities -- the one released this week and an earlier document published in March.

The report also follows an examination by the US Government Accountability Office that found that Pentagon's most advanced weapons systems were vulnerable to cyber attacks. (See GAO: Pentagon's New Weapons Systems Vulnerable to Cyber Attacks.)

This new report paints a disturbing picture of cybersecurity practices within the Pentagon's complex BMDS, including a lack of two-factor authentication to access classified information, technical details stored on removable devices and the need for greater intrusion detection capabilities.

Cybersecurity is also only one of many problems with BMDS.

The report finds that security officers at various facilities did not always limit unauthorized access to physical BMDS details and documents. In addition, when inspecting five different facilities, the officials found that server racks were left unlocked and that the data center manager did not always have the keys.

The document notes:

The disclosure of technical details could allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to deadly missile attacks. Increasing threats of long-range missile attacks from adversaries requires the effective implementation of system security controls to help reduce the number of exploitable weaknesses that attackers could use to exfiltrate BMDS technical information.

To put into perspective what is at stake, the Ballistic Missile Defense System is what the Defense Department calls a "layered" architecture that gives the Pentagon several different opportunities to destroy incoming missiles and nuclear warheads before they reach their targets.

BMDS is made up of numerous sensors on the ground, at sea and in space for detecting and tracking ballistic missiles; interceptor missiles for destroying ballistic missiles; and a management and communications network that links all the parts together.

With the scope of the BMDS in mind, the lack of cybersecurity protections within these facilities, and the Army's and Navy's responsibility for IT security there, is particularly unnerving.

For example, the Inspector General found that even though the Defense Department required the use of multi-factor authentication, those working within BMDS used single-factor authentication, such as a username and password, to access information instead of being required to present a Common Access Card (CAC) or an RSA token.

While it can take two weeks to obtain a CAC or RSA token, the report found 34 different incidents in which someone continued to access data using only the single-factor method. One person was able to access information for more than seven years using the less secure single-factor method.
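The finding above (single-factor access persisting long past the roughly two-week token-issuance window) is the kind of thing a periodic audit of authentication logs can surface. The following is an added example, not code from the article or the Inspector General's report; the log format, user names and the 14-day grace period are assumptions, and the first password-only login is used as a stand-in for the date a user should have started the CAC or token request.

```python
# Added example: flag accounts still authenticating with a single factor
# after an assumed 14-day grace period for obtaining a CAC or RSA token.
from datetime import datetime, timedelta

# Assumption: grace period mirrors the "two weeks" the article cites.
GRACE_PERIOD = timedelta(days=14)

# Constructed sample log lines (not real data): date, user, auth method.
SAMPLE_LOG = """\
2011-03-01 analyst01 password
2018-06-15 analyst01 password
2018-05-01 analyst02 password
2018-05-10 analyst02 password
2018-05-20 analyst02 cac
2018-01-04 analyst03 password
2018-02-20 analyst03 password
2018-03-01 analyst03 rsa-token
"""

SINGLE_FACTOR_METHODS = {"password"}


def parse_log(text):
    """Parse 'YYYY-MM-DD user method' lines into (datetime, user, method) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, method = line.split()
        events.append((datetime.strptime(day, "%Y-%m-%d"), user, method))
    return events


def overdue_single_factor(events, grace=GRACE_PERIOD):
    """Map each user who ever used a single factor to the number of days
    their single-factor use continued beyond the grace period (0 = within it)."""
    first_seen, last_seen = {}, {}
    for when, user, method in sorted(events):
        if method in SINGLE_FACTOR_METHODS:
            first_seen.setdefault(user, when)
            last_seen[user] = when
    return {
        user: max((last_seen[user] - start - grace).days, 0)
        for user, start in first_seen.items()
    }


def incident_count(overdue):
    """Number of accounts that overran the grace period (one incident per account)."""
    return sum(1 for days in overdue.values() if days > 0)


if __name__ == "__main__":
    report = overdue_single_factor(parse_log(SAMPLE_LOG))
    for user, days in sorted(report.items()):
        print(f"{user}: {days} days overdue")
    print(f"{incident_count(report)} incidents")
```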

Additionally, the Inspector General found that software patches to protect against vulnerabilities were not always applied, including for flaws that were listed as high or critical.

The report offers a series of recommendations that would seem more tailored for a mid-level enterprise than for one of the most complex weapons systems on Earth, but these guidelines can cut down on several security holes within any facility, whether government or private.

These include:

  • Enforce multi-factor authentication to access systems that process, store and transmit technical information, or obtain a waiver directly from the CIO
  • Plan for and patch software vulnerabilities when they become known to the IT staff
  • Encrypt technical information that is stored on removable media and devices
  • Close the gaps in physical security, including the use of security cameras to track personnel throughout the facility

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.
