Testing has revealed that outdated software, unnecessary network services and weak passwords are putting US defense systems at risk of cyber attack.
In a lengthy report, Michael Gilmore, director of operation and test evaluation for the US Department of Defense, said “cyber operational forces portraying adversaries with beginner or intermediate cyber capabilities were able to demonstrate that many DOD missions are currently at risk from cyber adversaries.”
Gilmore said defenses against cyber attack have improved thanks to “local defenders” and service providers, as well as improved policies to install software patches on time, but assessments in conjunction with Combatant Command and Service exercises found at least one mission during each exercise was at “high risk to cyber attack from beginner to intermediate cyber adversaries.”
“During 2014, cybersecurity testing of more than 40 systems showed improvements must occur to assure secure and resilient cyber capabilities,” wrote Gilmore, who concluded that fundamental vulnerabilities continue to exist. “These vulnerabilities commonly include unnecessary network services or system functions, as well as misconfigured, unpatched or outdated software, and weak passwords.”
Interestingly, Gilmore cited network access as a challenge to assessing true weaknesses. He reported that testers were given access to more operational networks in 2014 than during previous years, but disruptive activities such as denial-of-service attacks could not be tried. The realism of the assessments may therefore be skewed.
“With realistic cyber effects, the training audience may have a false sense of security that their missions were not subject to degradation, and the operators and network defenders miss the opportunity to detect and respond to realistic cyber attacks,” Gilmore said.
Going forward, Gilmore recommends continued training on “fight-through” techniques during cyber attacks. While some techniques in practice were able to fend off some attempts to breach networks, Gilmore said some determined attackers could “acquire a foothold in most DOD networks.”