
Poor cybersecurity practices plague U.S. missile defense systems

To protect yourself against cyberattacks, we always remind you to take basic cybersecurity precautions to make your systems more secure.

Two-factor authentication, data encryption, up-to-date security patches, good anti-virus software and robust physical security are just a few of the common practices you can follow to prevent your home network from being hacked.

But what if the systems that are responsible for our national security lack even these most basic cybersecurity protections? Read on and this latest official report might shock you!

The state of our Ballistic Missile Defense System’s cybersecurity

A security audit of the U.S. Ballistic Missile Defense System (BMDS) recently released by the U.S. Department of Defense Inspector General (DOD IG) has exposed the poor cybersecurity practices employed to protect these critical networks.

The report was assembled in April after officials from the DOD Inspector General inspected five random locations where ballistic missiles were placed by the Missile Defense Agency (MDA) to intercept enemy nuclear rockets in case of attack.

You would think that a system that protects the entire nation from annihilation would be exceptionally secure, but sadly, the audit concluded that “the Army, Navy, and MDA did not protect networks and systems that process, store, and transmit BMDS technical information.”

1. Multifactor authentication is not strictly enforced

According to the report, although an MDA employee is required to use multifactor authentication within two weeks of being hired, three of the five inspected locations still had many users who had not enabled it.

Even worse, one location was found to have never been set up to support multifactor authentication at all.

This means these systems are extremely vulnerable to phishing attacks that harvest usernames and passwords. With these credentials, an attacker can then remotely log in to these systems with ease.

Note: Also known as two-factor authentication, multifactor authentication requires you to authenticate your identity not only with your username and password but also with another piece of information, like a code sent via text message or an authenticator app.

2. Security patches are not consistently applied

We constantly remind you to apply software security patches as soon as you can to plug any vulnerabilities and system flaws that hackers can exploit.

Unfortunately, the report revealed that the system administrators at three of the five locations have failed to apply the security patches needed to protect their networks, leaving them vulnerable to malware and remote hacking.

The inspectors found systems that were not patched for vulnerabilities found and fixed in 2016, 2013, and even one that was secured in 1990!

3. No data encryption on removable media

The report also revealed that MDA officials did not consistently employ encryption when moving data between “air-gapped” systems using removable media like USB flash drives and storage.

Note: Air-gapped systems are computers and servers that are totally disconnected from the network for protection.

Again, this issue was discovered at three locations. In one location, the MDA officials admitted that they weren’t aware that they were required to encrypt data on removable drives. Even worse, one official even said that they didn’t have the means to detect when an employee was downloading data to removable media. Yikes!

4. No security software installed

Now, here’s where our tax dollars are NOT at work. The report has outed one location where their IT department has not installed security software like antivirus products and intrusion detection systems.

You know why this is important, right? Without these systems in place, these locations cannot detect and preempt malicious intrusions and cyberattacks.

The MDA officials in one location had an excuse, though. They said that they had requested the proper security software last year, but their supervisors failed to approve the purchase.

5. No database for employee access

Another glaring weakness is the lack of a management database that shows written justifications of why employees were approved for access to the BMDS network.

This is important for any company network since it provides a trail and a hierarchy structure for employee privileges.

In some cases, the investigators said that the justifications weren’t completed, while other locations didn’t have network access forms at all.

6. Poor physical security systems

Everyone knows how physical security is likewise important for computer systems, right? Even with stringent software security systems in place, a physical attacker can do enough damage to disable any network.

Unfortunately, the report said that the physical security of some of the missile locations is sorely lacking.

In some locations, surveillance cameras were not monitoring the entire base, leaving blind spots where a physical attacker can slip through.

Also spotted were malfunctioning door sensors that reported open doors as locked. At two locations, the investigators even found unsecured server racks that lack any sort of physical locks, allowing an attacker to easily plug in a malicious removable drive.

And even worse, security didn’t bother to check the auditors who roamed the buildings without authorized badges. This means they can potentially let a bad actor slip through and infiltrate confidential areas.

What now?

This report is definitely an eye-opener concerning the state of our critical infrastructure. The Missile Defense Agency has 104 ballistic missile defense locations and it is planning on building 10 more. However, without adequate physical and software security protections in place, these could be liabilities in case war breaks out.

To address these issues, the DOD IG report includes recommendations that all the MDA bases should now review and apply.
