After an audit of the US ballistic missiles systems, it has been revealed that the systems had no data encryption, no antivirus programs, no multifactor authentication mechanisms, and 28-year-old unpatched vulnerabilities. The report [PDF] was put together earlier this year, in April, after US Department of Defense Inspector General officials inspected five random locations where the Missile Defense Agency (MDA) had placed ballistic missiles part of the Ballistic Missile Defense System (BMDS) –a DOD program developed to protect US territories by launching ballistic missiles to intercept enemy nuclear rockets.
Javvad Malik, Security Advocate at AlienVault:
“The findings are indeed quite eye-opening, and there are things that could be done better. But it’s important to bear in mind that updating military systems, or indeed many custom built products isn’t as easy as downloading and installing a patch, where there are many unknown side effects. Also, most modern malware isn’t capable of running on hardware from 1990, therefore, patching the boxes would have little impact. Mikko Hypponen referred to this as, “security by antiquity”.
Finally, one has to consider how many of these systems are connected to the internet. In many cases they are not, which would require physical access – and to do so, they would have to contend with soldiers.”
Lamar Bailey, Director of Security Research and Development at Tripwire:
“While I agree at first glance this sounds horrible, the key word in the findings is “consistently”. Table 1 shows results for the facilities visited broken down into weaknesses in the 7 areas audited. Only one audit hit all 5 locations and this dealt with justification for access. Five of the weaknesses say they were not “consistently” used but this can apply to “administrative, facility, a lab or both” so they may not apply to the networks with the defense/offense controls. This audit was also only done at 5 facilities which is less than 5% of the facilities in operation. We should not take a chicken little stance here but remember basic security hygiene and foundational security controls apply to everyone.”