
Operational Security

12/18/2018 09:35 AM
Scott Ferguson
News Analysis-Security Now

US Ballistic Missile Defense System Riddled With Security Flaws

An Inspector General's report concerning the Defense Department's Ballistic Missile Defense System found numerous security flaws, including a lack of multi-factor authentication and classified information stored on removable drives.

A report by the Defense Department's Inspector General found that the US Ballistic Missile Defense System is riddled with security problems, including both cybersecurity issues and a host of physical security issues.

The report, "Security Controls at DoD Facilities for Protecting Ballistic Missile Defense System Technical Information," was published December 10 and released this week in a public document that includes numerous redactions to shield classified information.

This report stems from testimony that the Director of the Missile Defense Agency (MDA) gave to Congress in 2016, expressing concern about access to technical information about the Ballistic Missile Defense System (BMDS).

In turn, following a two-year investigation, the Inspector General issued two reports about security within BMDS facilities -- the one released this week and an earlier document published in March.

The report also follows an examination by the US Government Accountability Office that found that the Pentagon's most advanced weapons systems were vulnerable to cyber attacks. (See GAO: Pentagon's New Weapons Systems Vulnerable to Cyber Attacks.)

This new report paints a disturbing picture of cybersecurity practices within the Pentagon's complex BMDS, including a lack of two-factor authentication to access classified information, technical details stored on removable devices and the need for greater intrusion detection capabilities.

Cybersecurity is also only one of many problems with BMDS.

The report finds that security officers at various facilities did not always limit unauthorized access to physical BMDS details and documents. In addition, when inspecting five different facilities, the officials found that server racks were left unlocked and that the data center manager did not always have the keys.

The document notes:

The disclosure of technical details could allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to deadly missile attacks. Increasing threats of long-range missile attacks from adversaries requires the effective implementation of system security controls to help reduce the number of exploitable weaknesses that attackers could use to exfiltrate BMDS technical information.

To put into perspective what is at stake, the Ballistic Missile Defense System is what the Defense Department calls a "layered" architecture that gives the Pentagon several different opportunities to destroy incoming missiles and nuclear warheads before they reach their targets.

BMDS is made up of numerous sensors on the ground, at sea and in space for detecting and tracking ballistic missiles; interceptor missiles for destroying ballistic missiles; and a management and communications network that links all the parts together.

With the scope of the BMDS in mind, the lack of cybersecurity protections within these facilities, for whose IT security the Army and Navy are responsible, is particularly unnerving. For example, the Inspector General found that even though the Defense Department required the use of multi-factor authentication, those working within BMDS used single-factor authentication, such as a username and password, to access information instead of being required to use a Common Access Card (CAC) or an RSA token.

While it can take two weeks to obtain a CAC or RSA token, the report found 34 different incidents in which someone continued to access data using only the single-factor method. One person was able to access information for more than seven years using the less secure single-factor method.
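The finding above is, at bottom, a detection problem: single-factor logins are expected only while a CAC or RSA token is being issued, so an auditor wants to know which accounts kept using a password alone beyond that window and never moved to a token. The script below is an added example, not code from the Inspector General's report or from Dark Reading. It assumes a constructed authentication log format (timestamp, user, method, outcome), a constructed CIO waiver list, and a 14-day grace period standing in for the "two weeks" the article mentions; the user names and dates are invented.

```python
"""Audit authentication records for prolonged single-factor access.

Added example (not from the Inspector General's report or Dark Reading).
The log format, user names, dates and waiver list below are constructed
for illustration; the 14-day grace period stands in for the roughly two
weeks the article says it takes to obtain a CAC or RSA token.
"""
from datetime import datetime, timedelta

GRACE_PERIOD = timedelta(days=14)          # assumed: time allowed to obtain a token
MULTI_FACTOR = {"cac", "rsa_token"}        # assumed method labels for strong auth

# Constructed sample records: "<ISO timestamp> <user> <auth_method> <outcome>"
SAMPLE_LOG = """\
2011-03-01T08:05:00 jdoe password success
2011-06-14T09:12:00 jdoe password success
2018-09-30T09:41:00 jdoe password success
2018-10-01T08:00:00 asmith password success
2018-10-09T08:03:00 asmith password success
2018-10-12T08:15:00 asmith cac success
2018-10-02T10:00:00 bwong password success
2018-11-20T10:30:00 bwong password success
2018-10-03T11:00:00 cjones password success
2018-10-03T11:01:00 cjones password failure
this line is malformed and is skipped
"""

# Constructed waiver list: accounts whose single-factor use the CIO has approved.
WAIVERS = {"cjones"}


def parse_log(text):
    """Parse log lines into (timestamp, user, method, outcome); skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2], parts[3]))
    return records


def audit(text, waivers=WAIVERS, grace=GRACE_PERIOD):
    """Return accounts whose successful single-factor logins span longer than `grace`.

    Each finding records how long the account relied on single-factor access,
    the first and last such login, and whether it ever authenticated with a
    multi-factor method (a user who later switched to a CAC is a closed gap;
    one who never did is the seven-year case the article describes).
    """
    first, last, mfa_users = {}, {}, set()
    for ts, user, method, outcome in parse_log(text):
        if outcome != "success":
            continue                      # failed attempts are not access
        if method in MULTI_FACTOR:
            mfa_users.add(user)
            continue
        first[user] = min(first.get(user, ts), ts)
        last[user] = max(last.get(user, ts), ts)

    findings = []
    for user in first:
        if user in waivers:
            continue                      # documented exception, not a finding
        span = last[user] - first[user]
        if span > grace:
            findings.append({
                "user": user,
                "days": span.days,
                "first": first[user].isoformat(),
                "last": last[user].isoformat(),
                "migrated_to_mfa": user in mfa_users,
            })
    findings.sort(key=lambda f: f["days"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['user']}: {f['days']} days of single-factor access, "
              f"migrated to MFA: {f['migrated_to_mfa']}")
```

Two design choices matter in practice: failed logins are excluded because they do not constitute access, and waivers are consulted before a finding is raised so that the report lists only undocumented exceptions. Run on the constructed log, the audit flags the long-running `jdoe` account and `bwong`, ignores `asmith` (who obtained a CAC inside the grace period) and the waived `cjones`.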

Additionally, the Inspector General found that software patches to protect against vulnerabilities were not always applied, including for flaws that were listed as high or critical.

The report offers a series of recommendations that would seem more tailored to a mid-sized enterprise than to one of the most complex weapons systems on Earth, but these guidelines can cut down on several security holes within any facility, whether government or private.

These include:

  • Enforce multi-factor authentication for access to systems that process, store and transmit technical information, or obtain a waiver directly from the CIO
  • Plan for and patch software vulnerabilities when they become known to the IT staff
  • Encrypt technical information stored on removable media and devices
  • Close the gaps in physical security, including the use of security cameras to track personnel throughout the facility

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5421
PUBLISHED: 2020-09-19
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CVE-2020-8225
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8237
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-8245
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
CVE-2020-8246
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...