Saturday, 12/15/2018 7:00:16 PM

U.S. Ballistic Missile Defense Systems Fail Cybersecurity Audit

https://www.bleepingcomputer.com/news/security/us-ballistic-missile-defense-systems-fail-cybersecurity-audit/

A U.S. Department of Defense Inspector General report released this week outlines the inadequate cybersecurity practices being used to protect the United States' ballistic missile defense systems (BMDS).

Ballistic missile defense systems are used by the U.S.A. to counter short, medium, intermediate and long range ballistic missiles that target the United States of America. As these systems are controlled by computers and software, they are at risk for being targeted by state-sponsored attacks that attempt to gain control of the systems, damage them, or steal classified information & source code.

On March 14, 2014, the DoD Chief Information Officer stated that the DoD must implement National Institute of Standards and Technology (NIST) security controls to protect their systems, which includes BMDS.

In a heavily redacted report by the DoD, it has been shown that BMDS facilities have failed to utilize required security controls such as multifactor authentication, vulnerability assessment and mitigation, server rack security, protection of classified data stored on removable media, encrypting transmitted technical information, physical facility security such as cameras and sensors, and did not perform routine assessments to make sure that these safeguards were in place.

In one facility, users were allowed to use single-factor authentication (only username + password) for up to 14 days during account creation. The report showed that in many cases, users would continue to use just a username and password for well past 14 days. At another facility, the domain administrator never bothered to configure policies that prevent users from logging in if they are not using multifactor authentication. Finally, one facility was using a system that does not even support multifactor authentication.

Vulnerabilities were also not properly patched and secured at numerous facilities. For example, a March 2018 scan of vulnerabilities at one facility showed that vulnerabilities found in a January 2018 scan were never fixed. Other facilities contained vulnerabilities that were discovered in 2013 and had not been patched when they had conducted an April 2018 vulnerability assessment.

The report also states that facilities were not encrypting data that was being stored on removable devices or using systems that kept track of what data was being copied. Some facilities stated that they did not know they even needed to encrypt data on removable devices.

"In addition, officials did not encrypt data stored on removable media. The system owner for the [redacted] and the Information System Security Officer for [redacted] stated that their components did not encrypt data stored on removable media because the [redacted] did not require the use of encryption," stated the DoD report. "Although the [redacted] did not require data stored on removable media to be encrypted, system owners and Information System Security Officers have a responsibility to implement and enforce Federal and DoD cybersecurity policies and procedures for encrypting data stored on removable media. In May 2018, the [redacted] directed [redacted] to begin encrypting data stored on removable media using Federal Information Processing Standard 140-2 certified methods by October 9, 2018, as a condition to operate on the [redacted]."

In addition to computer and data security issues, there were physical security issues as well. There were instances of server racks not being locked, for four years a door was reporting that it was closed when in fact it was open, people gained unauthorized access simply by pulling open doors, and security cameras were not always installed at required locations.

The recommendations by the DoD Inspector General's office are what you would expect. Fix these problems and follow required federal requirements. Unfortunately, Chief Information Officers from various facilities did not respond to the draft report and the Inspector General's office has now asked the Director, Commanding General, Commander, and Chief Information Officers to comment on the final report by January 8, 2019.
==================================================================
If Wave VSC 2.0 has proven itself already with a 'significant security requirements' of government (see article below) shouldn't it be used for many other areas of government?!?! BS, SKS, GK, and MW and others could bring the protection of Wave VSC 2.0 to the government as it could be very beneficial to them. This article just shows glaringly what is at stake without a product like Wave VSC 2.0. imo. Wave VSC 2.0 - Better security at less than half the cost.
==================================================================
Wave Systems Announces First U.S. Federal Government Customer for Wave Virtual Smart Card 2.0

https://www.wavesys.com/buzz/pr/wave-systems-announces-first-us-federal-government-customer-wave-virtual-smart-card-2.0

Lee, MA - October 2, 2014 - Wave Systems Corp. (NASDAQ: WAVX) marked an important sales milestone by announcing the first U.S. federal government customer for its Virtual Smart Card 2.0.

Since the Virtual Smart Card 2.0 became commercially available in late July 2014, Wave has entered into dozens of pilot deployments in multiple sectors, including healthcare, financial services, automotive, energy and utilities. However, today’s announcement marks the product’s first sale in the government sector.

“This is an important milestone for Wave,” said Bill Solms, CEO of Wave. “Wave Virtual Smart Card 2.0 has been purchased by a government agency with significant security requirements and one that requires redundant means of system authentication due to national security interests. This initial sale is modest compared to the addressable market within the Federal Government sector, but it is important to our strategy for marketing the Virtual Smart Card to address critical government infrastructure defense.”

“We believe that this sale, which was completed on a shorter sales cycle than we had anticipated, supports our view that customers are interested in the type of cyber security solution that Wave’s Virtual Smart Card 2.0 provides,” Solms added.

Wave Virtual Smart Card 2.0 is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7. It also supports Windows 8 and 8.1. Wave’s new solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, lower total cost of ownership, and a reduced risk of unauthorized use.

Wave Virtual Smart Card 2.0 gives IT the ability to:

• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure PIN and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with TPM 1.2 or TPM 2.0
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card

https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management



























