
Tuesday, 01/15/2019 4:14:02 PM

The American Military Sucks at Cybersecurity

https://motherboard.vice.com/en_us/article/7xy5ky/the-american-military-sucks-at-cybersecurity

A new report from US military watchdogs outlines hundreds of cybersecurity vulnerabilities.

The Department of Defense is terrible at cybersecurity. That’s the assessment of the Pentagon's Inspector General (IG), who did a deep dive into the American military’s ability to keep its cyber shit on lockdown. The results aren’t great. “As of September 30, 2018, there were 266 open cybersecurity-related recommendations, dating as far back as 2008,” the Inspector General said in a new report.

The new report is a summary of the IG’s investigations into Pentagon cybersecurity over the previous year. It looked at 20 unclassified and four classified reports that detailed problems with cybersecurity and followed up to see if they’d been addressed. Previously, the IG had recommended the Pentagon take 159 different steps to improve security. It only took 19 of them.

Cybersecurity issues affected all branches of the military and ranged from the serious to the mundane. At a server site connected to America’s ballistic missile defense systems, inspectors “found an unlocked server rack despite a posted sign on the rack stating that the server door must remain locked at all times.”

According to the IT security officer on staff at the time, “network operations staff were troubleshooting issues with the server in the rack we found unlocked and failed to notify the [redacted] assistant security manager once they completed maintenance on the server so he could lock it.”

At the same site, officials also weren’t encrypting data transferred from computers via USB sticks and removable hard drives. “According to the security manager…[redacted] encrypted less than one percent of Controlled Unclassified Information stored on removable media.”

These bad security practices are taking place at the buildings running America’s missile defense systems. These are the people watching the skies and responsible for protecting US cities in the event of a nuclear attack from a foreign country, and they can’t be bothered to encrypt data or lock up their server racks.

If the military personnel is bad, then contractors are worse. Investigators dug into the cybersecurity practices of seven contractors working for the US Missile Defense Agency and found multiple vulnerabilities. “Of the seven contractors we analyzed, we found that [five] did not always or consistently use multifactor authentication to access unclassified networks that contained [ballistic missile defense systems] technical information,” the inspectors wrote.

The contractors also failed to run their own risk assessments, encrypt USB drives and hard drives, and use strong passwords. “System administrators for [five contractors] did not configure networks and systems containing [ballistic missile defense systems] technical information to lock user sessions after 15 minutes of inactivity,” investigators found. Meaning anyone logging into a computer full of classified missile defense data could leave it unattended for anyone else to access. The computer would never log itself out.

Bad passwords

America’s weapons systems also remain easy to hack with basic tools. An October report from the Government Accountability Office pointed out flaws in the Pentagon’s weapons systems that made them particularly vulnerable to cyberattacks. An IG follow-up found that Air Force officials in particular still don’t “ensure that cybersecurity was integrated into weapon systems during design. Instead, weapon systems’ cybersecurity was addressed through a set of activities and products that were not fully integrated, creating overlaps and gaps in the program cybersecurity.” The Air Force still hasn’t bothered to change its default passwords on multiple weapon systems using store-bought technology and the Air Force isn’t following its own cybersecurity protocols when designing and launching new weapons systems.

The Pentagon’s cybersecurity problems are bad enough to affect missile defense and fancy new weapons, but they’re also hurting regular soldiers. The IG pointed out that Army medical treatment facilities are cybersecurity nightmares where lax security procedures make patient medical records easily accessible.

According to Army regulations, passwords must be 15 characters long, contain an upper and lowercase letter, a number, and a symbol. At multiple medical facilities, investigators found that administrators bent the rules to allow for simpler passwords. “In each instance, the system administrators state that they did not properly configure passwords because they considered existing network authentication controls sufficient to control access to individual systems,” inspectors said.

Like the weapon systems and ballistic missile defense contractors, Army health records were very easy to hack, poorly password protected, and computer terminals weren’t programmed to auto logout users.

The problems between the various branches are remarkably similar, something that investigators noted in the new report. According to the Pentagon’s watchdog, cybersecurity failures are a leadership problem. No one at the top is holding everyone else accountable.

“The largest number of weaknesses identified in this year’s summary were related to governance,” the investigators explained. “Without proper governance, the [Pentagon] cannot ensure that it effectively identifies and manages cybersecurity risk as it continues to face a growing variety of cyber threats from adversaries, such as offensive cyberspace operations used to disrupt, degrade, or destroy targeted information systems.”
=================================================================
If only the PR below got more attention. Even though it has been a few years, Wave VSC 2.0 could put the military, contractors and the government on a better security path. imo.
==================================================================
https://www.wavesys.com/buzz/pr/wave-systems-announces-first-us-federal-government-customer-wave-virtual-smart-card-2.0

Wave Systems Announces First U.S. Federal Government Customer for Wave Virtual Smart Card 2.0

Lee, MA - October 2, 2014 - Wave Systems Corp. (NASDAQ: WAVX) marked an important sales milestone by announcing the first U.S. federal government customer for its Virtual Smart Card 2.0.

Since the Virtual Smart Card 2.0 became commercially available in late July 2014, Wave has entered into dozens of pilot deployments in multiple sectors, including healthcare, financial services, automotive, energy and utilities. However, today’s announcement marks the product’s first sale in the government sector.

“This is an important milestone for Wave,” said Bill Solms, CEO of Wave. “Wave Virtual Smart Card 2.0 has been purchased by a government agency with significant security requirements and one that requires redundant means of system authentication due to national security interests. This initial sale is modest compared to the addressable market within the Federal Government sector, but it is important to our strategy for marketing the Virtual Smart Card to address critical government infrastructure defense.”

“We believe that this sale, which was completed on a shorter sales cycle than we had anticipated, supports our view that customers are interested in the type of cyber security solution that Wave’s Virtual Smart Card 2.0 provides,” Solms added.

Wave Virtual Smart Card 2.0 is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7. It also supports Windows 8 and 8.1. Wave’s new solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, lower total cost of ownership, and a reduced risk of unauthorized use.

Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure PIN and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with TPM 1.2 or TPM 2.0

For more information about Wave Virtual Smart Card 2.0, visit: https://www.wave.com/products/wave-virtual-smart-card
==================================================================
https://www.wavesys.com/