[ISN] Report: Gaps persist in TSA network security

From: InfoSec News (isn@private)
Date: Wed Sep 14 2005 - 01:28:36 PDT


http://www.washingtontechnology.com/news/1_1/daily_news/26983-1.html

By Alice Lipowicz
Staff Writer
09/13/05

The Transportation Security Administration has improved its network
security, but the agency still cannot ensure that critical computer
network operations and data are protected from hackers and can be
restored following an emergency, according to a new report [1] from
the Homeland Security Department's Office of the Inspector General.

The TSA falls short in developing and implementing processes such as 
security testing, monitoring with audit trails, configuration and 
patch management, and password protection, the report said. Also, 
contingency plans have not been made final nor tested. 

"TSA has taken actions and made progress in securing its networks," 
states the redacted version of the report. "However, TSA can make 
further improvements to secure its networks." 

Computer networks are vital to homeland security for sharing 
information among government agencies. But they also contain sensitive 
data that must be protected from unauthorized access and manipulation 
from hackers and cyberterrorists. 

The TSA, which oversees passenger and baggage screening and other 
security procedures at the nation's airports, shares information with 
airports through a wide area network. But it lacks a comprehensive 
security testing program to insure the integrity of that network, the 
report said. 

While some vulnerability scans are performed monthly, TSA does not 
conduct "penetration testing" and "password analysis," and does not 
test all devices connected to the network as recommended, the report 
said. 

"Security vulnerabilities continue to exist because TSA has not 
implemented a comprehensive testing program to identify obsolete 
software versions or applicable patches on its network devices," the 
inspector general wrote. The report recommended testing to include 
"periodic network scanning, vulnerability scanning, penetration 
testing, password analysis and war driving." 

TSA officials agreed with the advice, according to the report. 

TSA has strengthened security configurations on its servers and 
workstations in comparison to what was found in a previous audit, the 
report said. However, the agency still needs to make improvements 
including detailed configuration procedures, development of a patch 
management policy, implementing a strong password policy and secure 
configuration of routers. 

The audit found a list of accounts on two TSA workstations that could 
be accessed without identification and authentication, a vulnerability 
which could be exploited by a hacker. 

On patch management, the audit discovered that TSA relies on the patch 
management procedures developed by the contractor responsible for 
network management, and it recommended that the agency develop its own 
documented policy. 

The inspector general scolded TSA for allowing multiple users to share 
passwords for several administrative accounts, and it also pointed out 
that TSA's draft password policy does not comply with the Homeland 
Security Department's requirements for strong passwords.

[1] http://www.dhs.gov/interweb/assetlibrary/OIGr_05-31_Aug05.pdf



_________________________________________
Attend ToorCon 
Sept 16-18th, 2005
Convention Center
San Diego, California
www.toorcon.org 



This archive was generated by hypermail 2.1.3 : Wed Sep 14 2005 - 01:38:40 PDT