You'd think that weapons capable of great destruction and, if misused, could even trigger a War Games-style game of thermonuclear war would be secured by some of the tightest security imaginable. But it turns out that while there's no secret backdoor using the password Joshua, the US' ballistic missiles aren't protected by security measures most would consider standard. So, we present you with five things you can do to be more secure than the US missile defence systems.
The US Department of Defence completed a security audit earlier this year and found a number of critical deficiencies. Here are some of the "highlights".
The audit revealed computers, servers and adjacent networks weren't regularly patched with bugs dating back to 1990 still around.
Lesson: If you want to do security better than the Department of Defence, keep your systems patched.
#2 Physical Security
When someone has physical access to your systems, you can almost be certain that given time and resources any logical security measures you have in place will be overcome. The auditors found that access to server racks was poorly controlled, there were an inadequate number of security cameras with many blind spots and a lack of control at doors with strangers allowed to enter without challenge.
Lesson: Pay attention to physical site and asset access if you're serious about security.
There's an old maxim in the security business; almost every attack starts at an endpoint. And the best way to hack an endpoint is to compromise a user's credentials.
The auditors found that two-factor authentication (2FA) was inconsistently used. A 2FA system was available but at three of the five sites that were inspected, the second factor wasn't used.
Lesson: Protect user accounts and use multi-factor, two factor or other methods that are safer than the old username and password.
Data moved between air-gapped systems using physical media was not encrypted according to the auditors. Given all the stories we hear about USB sticks and hard drives being lots or accidentally left behind at airports, you'd think those sorts of procedures would be ingrained into normal operations. But they're not.
Lesson: When you copy important data to external media, encrypt it.
#5 Intrusion Detection And Antivirus
Incredibly, one of the five sites audited didn't have any way of knowing if its systems had been breached as there was no antivirus or other detection tools installed. The official questioned by the auditors said they'd put in a request a year ago but that their bosses hadn't yet approved it.
Lesson: We're in the era where security is built around a strategy of "protect, detect and respond". If you can't protect and detect - you're screwed. Make sure you have some what of knowing if your systems have been breached, or that an unauthorised party is trying to access them, and keep that system up to date.