No data encryption, no antivirus programs, no multifactor authentication mechanisms, and 28-year-old unpatched vulnerabilities are just some of the cyber-security failings described in a security audit of the US' ballistic missile system released on Friday by the US Department of Defense Inspector General (DOD IG).
The report [PDF] was put together earlier this year, in April, after DOD IG officials inspected five random locations where the Missile Defense Agency (MDA) had placed ballistic missiles part of the Ballistic Missile Defense System (BMDS) --a DOD program developed to protect US territories by launching ballistic missiles to intercept enemy nuclear rockets.
But this recent security audit has concluded that "the Army, Navy, and MDA did not protect networks and systems that process, store, and transmit BMDS technical information ."
Multifactor authentication was not consistently used
Auditors found several problematic areas. The biggest of these was in relation to multifactor authentication.
Under normal circumstances, any new MDA employee would receive a username and password that they can use to access BMDS' network. As new employees are eased into their new jobs, they'd also receive a common access card (CAC) that they'd have to enable for their accounts and use together with their password, as a second-factor authentication. Normal procedure says that all new MDA workers must use multifactor authentication within two weeks of being hired.
But the DOD IG report says that at three of the five inspected locations, investigators found that many users did not enable multifactor authentication for their accounts, and were still using their username and password to access BMDS' network.
One user had accessed BMDS data for seven years without the protection provided by their card, and at one MDA site, investigators said they also found that the network was never configured to support multifactor authentication at all.
The lack of a multifactor authentication means that employees are vulnerable to phishing attacks that could collect their passwords and allow attackers remote or on-premise access to BMDS systems without further security challenges (second authentication factor).
Vulnerabilities were not consistently patched
However, the report found even more worrisome problems. DOD IG inspectors found that IT administrators at three of the five locations they visited had failed to apply security patches, leaving computers and adjacent network systems vulnerable to remote or local attacks.
Investigators found that systems were not patched for vulnerabilities discovered and fixed in 2016, 2013, and even going as far as back as 1990.
The DOD IG report is heavily redacted in this particular section, suggesting that MDA administrators are still patching these flaws.
Server racks not secured
Aside from software flaws, investigators also found physical security issues. For example, at two locations investigators found that server racks unlocked and easily accessible.
Any attacker, guest, or visitors who gained access or was invited to one of these locations could have easily plugged in a malicious device in one of these server racks.
Confronted with the unlocked racks, one of the data center managers said he wasn't aware of this security protocol, and even played down its importance by saying that the base limited who could access the data center anyway.
In the second location, the server rack was unlocked even if the rack featured a sign stating that the server door must remain locked at all times.
Removable media data was not encrypted
Another report finding was that MDA officials did not consistently use encryption when moving data between air-gapped systems using removable media.
MDA officials blamed this on "legacy systems that lacked the capability and bandwidth to encrypt data, did not have the resources to purchase encryption software, and used encryption software that did not always align with DoD encryption software."
This issue was discovered at three locations. At one, officials said they weren't even aware that they were supposed to encrypt data stored on removable media, while another official said they didn't even have the controls and systems in place to detect when an employee was downloading data to removable media, let alone see if the data was unencrypted.
No intrusion detection system
DOD IG officials also discovered that at one MDA location, IT administrators failed to install an intrusion detection and prevention system --also known as an antivirus or security product.
"Without intrusion detection and prevention capabilities, [REDACTED] cannot detect malicious attempts to access its networks and prevent cyberattacks designed to obtain unauthorized access and exfiltrate sensitive BMDS technical information from occurring," the report said.
Local MDA officials at that location blamed the issue on their supervisors, who, they said, failed to approve a request for the proper software, which they filed almost a year before.
No database with written justifications
But besides physical and cyber-security-related issues, there was also a logistics and management related slip-up. According to the report, all the five locations DOD IG officials visited failed to maintain a database of written justifications of why employees received access to the BMDS network.
Without this database, officials didn't know the exact reason why employees needed access to the system, and couldn't enforce a "least privilege" access hierarchy.
DOD IG investigators said that in a random test, they selected a small sample of employees from each BMDS location and asked to see their access forms. In all cases, access justification forms weren't complete, and in some, administrators couldn't provide forms for some employees at all.
Woeful physical security controls
But more disheartening was the report's findings on the physical security controls implemented at several of these MDA bases.
Auditors said that in many cases surveillance cameras failed to cover the entire base, creating gaps that an attacker could exploit to enter the groundwork and buildings.
Furthermore, there were also issues with door sensors that showed doors as closed, when they were not, and with some facilities that didn't lock doors.
Last but not least, MDA personnel didn't challenge auditors who entered buildings without proper badges, allowing unauthorized personnel to wander around through top secret buildings.
The MDA currently has 104 ballistic missile locations and plans to build another 10. But if it doesn't improve both its physical and cyber-security protections, these bases could be easily attacked in case of a conflict. The DOD IG report made a set of recommendations that top officials and the rest of the MDA bases are now supposed to review and implement.
In October, the US Government Accountability Office (GAO) found that new next-gen computerized weapons systems that are currently under development at the Pentagon also featured similar cyber-security-related problems and were easy to hack.