[ISN] Report: U.S. DOT needs to improve IT security

From: InfoSec News (isn@private)
Date: Wed Oct 19 2005 - 00:02:57 PDT


http://www.computerworld.com/securitytopics/security/story/0,10801,105530,00.html

By Linda Rosencrance 
OCTOBER 18, 2005 
COMPUTERWORLD

During a recent audit of the U.S.  Department of Transportation's IT
systems, the agency's inspector general was able to take control of a
vulnerable server and gain access to sensitive information -- a
security lapse that he said could put a number of department systems
at risk.

It was one of the findings by DOT Inspector General Kenneth Mead, who
uncovered about 3,000 weaknesses in the department's IT systems --
including previously reported vulnerabilities that were never fixed,
according to the report (download PDF) [1].

The DOT oversees 10 agencies, including the Federal Railroad
Administration (FRA) and the Federal Aviation Administration (FAA). It
was an FRA server that the inspector general was able to take over.

"These weaknesses enabled us to gain total [root-level access] control
over a critical file server, desktop computers and a network switch,"  
according to Mead's report. "From these computers, we accessed
sensitive information that enabled us to gain unauthorized entry from
the Internet and obtain sensitive information."

Because of interconnectivity among all DOT networks, the security
lapse put other departmental systems at risk, the report said.

The inspector general also noted that the FRA hasn't fully deployed an
intrusion-detection system, despite years of effort, meaning the DOT
can't effectively protect its computers, according to the report.

Mead also noted that the DOT failed to install software patches on a
timely basis, allowing 700 departmental computers to be infected with
the recent Zotob worm. The worm was introduced to the DOT's network by
a contract employee who connected his laptop to the agency's network
in violation of department policy, he said.

"DOT needs to develop a mechanism to ensure that all computers used by
telecommuting employees are periodically checked for vulnerabilities
and patched with the latest security upgrades," according to the
report.

Although the report said that FRA officials are working to eliminate
critical vulnerabilities, other agencies have been slow to act. "For
example, one of the pending actions is to enhance password security
protection in [an FAA] system that contains privacy information," Mead
said. "This inexpensive fix would significantly reduce the risk of
unauthorized access."

According to the report, the Mead notified DOT officials in 2004 that
the FAA needed to improve its IT system security. But the aviation
agency didn't start making improvements until this past April.

Mead is now working on two new reports on security problems in the FAA
system for maintaining air traffic control surveillance, navigation
and communications equipment. According to the inspector general, the
FAA failed to address earlier air traffic control systems security
recommendations.

For example, the FAA collected system security information on only
about half of the systems used to support high-altitude air traffic
services, meaning other critical systems were not reviewed. Because it
has not yet analyzed the information it collected, it hasn't
determined what needs to be done to correct any problems. FAA
officials also haven't performed independent testing on-site of its
high risk systems, something that's required by law, according to the
report.

In addition to addressing specific vulnerabilities, the DOT also needs
to provide more oversight of its IT investments at the FAA, the report
said.

"We reviewed 16 FAA major acquisitions and found that nine projects
had experienced schedule delays of two to 12 years and 11 projects had
experienced cost growth of about $5.6 billion (from $8.9 billion to
$14.5 billion)," Mead said, adding that air traffic control
modernization projects still face performance problems, cost increases
and schedule delays.

According to the inspector general, the DOT's CIO received a draft of
the report, agreed with Mead's findings and recommendations, and plans
to provide written comments describing exactly what the DOT is doing
to correct the problems.

"We have reviewed the report, and we will provide the [inspector
general] with a response shortly," DOT spokesman Bill Mosley.

[1] http://www.oig.dot.gov/StreamFile?file=/data/pdfdocs/DOT_FISMA.pdf



_________________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org 



This archive was generated by hypermail 2.1.3 : Wed Oct 19 2005 - 00:22:34 PDT