U.S. Ballistic Missile Sites Lacks Physical and Cyber Security
A DoD report “found that the U.S.' ballistic missile system lacked data encryption, antivirus programs and multifactor authentication methods. The report also found that some 28-year-old vulnerabilities remain unresolved.” WHAT?!!? 28 years! Here you thought your vulnerability management program was deficient!
The report is interesting because I remember being the Information Systems Security Officer and Associate Chief Security Officer for the FBI in Los Angeles and going through audits, there would be no way this would pass muster and we didn't have missiles on site! I can guess that the systems were old and outdated, maybe not even connected to the internet… maybe. However, one of the most troubling findings was that employees at the site just let the auditors walk around without asking for any type of credentials or secret handshakes. So even if the missile systems were old and offline, the gaps in physical security could allow someone access.
An overall security program needs to address cyber and physical security and the best programs marry both because they understand that threats in the cyber world can also be performed in the physical world!