US Ballistic Missile Systems Have No Antivirus, No Data Encryption, and No 2FA, DOD Report Finds

An anonymous reader writes from a report via ZDNet:

No data encryption, no antivirus programs, no multi-factor authentication mechanisms, and 28-year-old unpatched vulnerabilities are just some of the cyber-security failings described in a security audit of the U.S.’ ballistic missile system released on Friday by the U.S. Department of Defense Inspector General (DOD IG). The report [PDF] was put together earlier this year, in April, after DOD IG officials inspected five random locations where the Missile Defense Agency (MDA) had placed ballistic missiles part of the Ballistic Missile Defense System (BMDS) — a DOD program developed to protect U.S. territories by launching ballistic missiles to intercept enemy nuclear rockets.

Here is a summary of the findings: (1) Multi-factor authentication wasn’t used consistently. (2) One base didn’t even bother to configure its network to use multifactor authentication. (3) Patches weren’t applied consistently. (4) One base didn’t patch systems for flaws discovered in 1990. (5) Server racks weren’t locked. (6) Security cameras didn’t cover the entire base. (7) Door sensors showed doors closed when they were actually open. (8) Base personnel didn’t challenge visitors on bases without proper badges, allowing access to secure areas. (9) One base didn’t use antivirus or other security software. (10) Data stored on USB thumb drives was not encrypted. (11) IT staff didn’t keep a database of who had access to the system and why.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.