When IT professionals hear that criminals have hacked a company’s network via a trivial exploit, we wonder why the victim didn’t have basic security precautions in place. In most cases, businesses aren’t compromised through imaginative social engineering or ingenious and complex multi-layer attacks against hardened defenses. They’re compromised because they neglected to apply a patch to fix a vulnerability everyone has known about for months or because they forgot to password-protect a database, leaving sensitive information accessible to anyone who can use Shodan.
Why don’t companies apply basic security precautions? Partly because they’re not as basic as they might appear when a business is operating at scale and partly because a business’s incentives may not be appropriately aligned — security doesn’t make money or add compelling new features. Most of us would expect that the infrastructure underlying military technology vital to the nation’s defense would be immune to these effects. But, as a recent report from the US Department of Defense Inspector General reveals, even such critical infrastructure as the Ballistic Missile Defence System isn’t well protected.
The report determined that security precautions we’d hope to find on a WordPress site weren’t implemented by the Missile Defense Agency. It makes for worrying reading, but it’s interesting to anyone who manages server and network infrastructure, providing a useful guide to what can go wrong when security isn’t prioritized.
Improperly Executed Multi-Factor Authentication
The most surprising chink in the BMDS infrastructure is the lack of multi-factor authentication. It’s not that that the system isn’t set up for multi-factor authentication. It is. New workers are issued with password-protected accounts and access cards. However, most users never enabled multi-factor authentication for their accounts, and one site’s network hadn’t been configured to use it. Without multi-factor authentication, networks are at risk of compromise via phishing or network attacks.
Improperly Maintained Systems
I don’t imagine readers will be surprised by the next problem: unpatched vulnerabilities. According to the report, “Investigators found that systems were not patched for vulnerabilities discovered and fixed in 2016, 2013, and even going as far as back as 1990.” The Equifax data leak happened because the company failed to patch a web server for a vulnerability that had been discovered several months earlier. That’s bad, but failing to patch an almost thirty-year-old vulnerability in systems connected to ballistic missile defense infrastructure is on another level altogether.
The report also highlighted problems with physical security and access controls.
“facility security officers did not consistently implement physical security controls to limit unauthorized access to facilities that managed BMDS technical information.”
How to Protect Your Data
What would it take for a server-hosting customer to achieve better security than the Ballistic Missile Defence System? It’s easier than you might hope: host your servers in ServerMania’s secure data centers and take advantage of our managed services.
Servers hosted in a secure data center are protected from a plethora of physical and natural threats. All of our data centers provide round-the-clock security presence, CCTV surveillance and biometric access controls. These facilities are also located in areas that are not prone to natural disasters, and feature state of the art fire suppression and emergency power generators.
ServerMania’s Empowered managed service tier includes proactive security patching, weekly security scans, and port monitoring. All modern content management systems and eCommerce applications can take advantage of multi-factor authentication.
If you want to be more secure than the Ballistic Missile Defence System, choose a server hosting provider who cares about the security of your servers and the privacy of your data.