The US Pentagon Has Numerous Security Gaps

The Pentagon has 266 cyber security exposures and vulnerabilities that have not been attended to or secured in recent years. These significant problems in the Pentagon’s IT electronic systems have put the Pentagon at risk of hacks and data theft.

The Defense Department published the report on January 9th and it reveals thet a number of these issues have been a problem for a least 10 years.

However, the Defence Dept.’s IT Auditors also found that other areas of the IT systems had been security and penetration tested and were working very well.

But for more than a decade old, there remains unaddressed IT issues that should have been addresses in the Defense Department’s networks, according to the Defence Department’s Internal ombudsmen. These 266 cyber insecurities had already been highlighted in a number of reports between July 2017 and June 2018 and some of these IT problems go back over a decade to 2008. 

The Auditors said that a lot of the problems are because the IT and cyber monitoring and management policies were not very effective. 

The unclassified reports identified improvements in the asset management, information protection processes and procedures, identity management and access control, and security continuous monitoring. The DoD has taken action to strengthen its cybersecurity posture by implementing actions to address 19 of the 159 recommendations made in those reports. In particular, the DoD needs to continue focusing on managing cybersecurity risks related to governance, asset management, information protection processes and procedures, identity management and access control, security continuous monitoring, detection processes, and communications. 

The largest number of weaknesses identified in this year’s summary were related to governance, which allows an organisation to inform its management of cybersecurity risk through the policies, procedures, and processes to manage and monitor the organizations regulatory, legal, risk, environmental, and operational requirements.

Without proper governance, the DoD cannot ensure that it effectively identifies and manages cybersecurity risk as it continues to face a growing variety of cyber threats from adversaries, such as offensive cyberspace operations used to disrupt, degrade, or destroy targeted information systems.”

The auditors explain that a series of issues have been ignored and have not been tackled over the previous years. The department, has not done enough to comply with the cybersecurity framework developed by the National Institute of Standards and Technology. The Defense Contract Management Agency has not properly trained its cyber specialists so that they receive the required certifications.

“Without adequate controls … the department cannot ensure that all of its systems, devices, personnel, and vulnerabilities are identified and manages,” auditors wrote.

The Defence Department is now begun work to upgrade all IT systems so as to assist the Agency when it needs to address cyber threats and attacks. This not a subject that only effects the US Department of Defence and if other governments did an independent audit of their IT systems they would also fine significant issues that have not been addressed. 

News By CSI:

You Might Also Read:

Pentagon Weapons Systems Vulnerable To Cyber-Attacks:

« New British Cyber Security Centre
What Financial Services Executives Need to Know About Data-Security »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Juniper Networks

Juniper Networks

Juniper Networks is the industry leader in network innovation. We provide network infrastructure and network security solutions.

Netsparker

Netsparker

Netsparker provide a web application security scanner to automatically find security flaws in your websites, web applications and web services.

CyberSmart

CyberSmart

CyberSmart is a platform that allows you to maintain compliance, achieve certification and secure your organisation.

Hysolate

Hysolate

Hysolate has transformed the endpoint, making it the secure and productive environment it was meant to be.

Mend.io

Mend.io

Mend.io (formerly known as WhiteSource) is an application security company built to secure today’s digital world.

Fischer Identity

Fischer Identity

Fischer Identity provide identity & access management and identity governance administration solutions.

CyBOK - University of Bristol

CyBOK - University of Bristol

CyBOK is a comprehensive Body of Knowledge to inform and underpin education and professional training for the cyber security sector.

Atlantic Security Conference (AtlSecCon)

Atlantic Security Conference (AtlSecCon)

Atlantic Security Conference is a non-profit, annual, information security conference located in Halifax, Nova Scotia, Canada.

Concordium

Concordium

Concordium aims to build the world’s leading open-source, permissionless, and decentralized blockchain with built-in user identity at the protocol level.

Cyber Wales

Cyber Wales

Cyber Wales provides a focus and forum for everyone in the industry, helping businesses come together and collaborate both within Wales and internationally.

QI ANXIN Technology Group

QI ANXIN Technology Group

QI ANXIN specializes in serving the cybersecurity market by offering next generation enterprise-class cybersecurity products and services to government and businesses.

SECFORCE

SECFORCE

SECFORCE is a leading information security consultancy specialising in bespoke penetration testing and red team engagements.

Center for Information Technology Policy (CITP) - Princeton University

Center for Information Technology Policy (CITP) - Princeton University

The Center for Information Technology Policy at Princeton University is a nexus of expertise in technology, engineering, public policy, and the social sciences.

Trisul Network Analytics

Trisul Network Analytics

Trisul helps organizations deploy full spectrum deep network monitoring which can serve as a single source of truth for performance monitoring, security analytics, threat detection and compliance.

Oort

Oort

Oort is an identity threat detection and response platform for enterprise security. The Oort platform is API-driven, cloud-native and agentless for rapid time to value and high scalability.

OxCyber

OxCyber

OxCyber's mission is to ignite and encourage cybersecurity and technology growth in the Thames Valley through meetings, webinars, in person events, workshops and mentorship programs.