US Ballistic Missile Agency Fails Security Audit

We’ve spoken before about how difficult it is to secure important information at the level of individual US states. What about the U.S. military? Over the last few years, the U.S. military has scrambled to emplace countermeasures against state-level actors with advanced cybersecurity capabilities. Their scorecard, however, is pretty bleak.

• The F-35 fighter jet may be vulnerable to basic hacking tools

• Chinese attackers stole personal data from over 100K US Navy personnel

• A script kiddie accidentally stole top-secret USAF data and sold it on the darknet for $150 USD

Now, it turns out that United States ballistic missile defense systems (BMDS) may also be vulnerable to many basic attacks. This is kind of alarming, as these are the systems responsible for protecting the United States from conventional and nuclear attacks via short- medium- and long-range ballistic missiles. An inspector general’s report, following up on a review ordered in 2014, shows that ballistic missile defense agencies have a long way to go before they become secure.

No Two-Factor Authentication

While we spent the entirety of 2018 debating whether two-factor authentication was still secure (answer: not unless you turn off SMS-based authentication), ballistic missile defense systems were on a whole other level. In theory, their systems allowed users to use single-factor authentication – just a username and password – for a whole 14 days after creating an account. In practice, users were able to keep using single-factor authentication for months.

Conditions were worse at other facilities. For example, it’s possible with some systems to prevent users from logging in if they don’t use 2FA – but some administrators with those capabilities simply failed to use them. At other facilities, systems were so outdated that they couldn’t use 2FA to begin with.

Faulty Encryption

DOD standards require that all data stored on removable drives must be kept in an encrypted format. This is a sensible precaution – you don’t want to lose state secrets if you forget a thumb drive in your hotel room, for example. Unfortunately, many BMDS facilities weren’t taking this precaution. What’s more? Many facilities did not even keep track of which data was being copied onto removable drives in the first place.

Incomplete Scans

Over the last few months, we’ve been talking about the importance of red team tests and vulnerability scans, but it looks like BMDS facilities didn’t get the memo. Some vulnerability scans were left unfinished. Other scans discovered vulnerabilities that were left unpatched. In the most egregious case, a vulnerability discovered in 2013 was still unpatched as of 2018.

Recognize These Problems? Apply a Quick Fix with Safe-T

A sprawling bureaucracy with legacy hardware and incompletely-applied standards – does this sound familiar? If so, you’re in luck. Safe-T can help solve your problems.

Safe-T makes it easy for administrators to configure security in a holistic manner – one controller making the rules for multiple departments with a single click. We natively support both 2FA and multi-factor authentication, with automation controls that make it impossible to forget. Similarly, our automated encryption policies make it possible to encrypt any data that’s moved onto an external drive, or even prevent that data from being moved entirely.

With Safe-T, users can rapidly modernize their security infrastructure without purchasing expensive replacements. Our system of connectors makes it possible to bring all of your security apparatus into a single workflow. That means complicated and siloes departments can be unified at a stroke. Want to learn more? Contact Safe-T today!