This post is also available in: heעברית (Hebrew)

One of the U.S. most important asset is vulnerable to cyber attacks. The inadequate cybersecurity practices being used to protect the U.S ballistic missile defense systems (BMDS) were outlined by a Department of Defense Inspector General report.

Ballistic missile defense systems are used by the U.S.A. to counter short, medium, intermediate and long range ballistic missiles that target the U.S. As these systems are controlled by computers and software, they are at risk for being targeted by state-sponsored attacks that attempt to gain control of the systems, damage them, or steal classified information and source code.

BMDS facilities have failed to utilize required security controls such as multifactor authentication, vulnerability assessment and mitigation, server rack security, protection of classified data stored on removable media, encrypting transmitted technical information, physical facility security such as cameras and sensors, according to the report. In addition, the facilities did not perform routine assessments to make sure that these safeguards were in place.

In one facility, users were allowed to use single-factor authentication (only username + password) for up to 14 days during account creation. The report showed that in many cases, users would continue to use just a username and password for well past 14 days, according to bleepingcomputer.com.

At another facility, the domain administrator never bothered to configure policies that prevent users from logging in if they are not using multifactor authentication. Finally, one facility was using a system that does not even support multifactor authentication.

Vulnerabilities that would allow attackers to hack into the systems or facilities were also not properly patched and secured at numerous facilities.

Facilities were not encrypting data that was being stored on removable devices or using systems that kept track of what data was being copied. Some facilities stated that they did not know they even needed to encrypt data on removable devices.