An annual report released by the Pentagon's chief weapons tester indicates that a majority of the government's weapons programs contain “significant vulnerabilities.” Many of the bugs stem from outdated and unpatched software.
Red Teams portraying a Cyber OPFOR successfully accessed target networks primarily through vulnerable web services and social engineering (phishing). Red Teams routinely expanded access across networks using stolen credentials. The asymmetric nature of cyber operations allows even a single default or weak password to lead to rapid access and exploitation of the network. This is particularly true when the password belongs to an individual with elevated privileges. FY14 assessments revealed numerous violations of DOD password security policies, which indicates the policies are either too difficult to implement, too hard to enforce, or both. The generally poor defensive performance against dedicated attacks by Red Teams shows that a network is only as secure as its weakest link. Unless compliance levels approach 100 percent, it is likely a dedicated cyber adversary will succeed in accessing a network.
For comments please e-mail paul@strassmann.com