FAA's Web Security Audit: 3,857 Vulnerabilities - Page 2
Other easily avoidable errors noted in the report included using the word "PASSWORD" as the password to some applications and failing to patch even critical vulnerabilities in a timely manner.
More complex vulnerabilities could be exploited by internal FAA users, who include not only employees but also contractors and industry partners, the report said.
Attackers could use these vulnerabilities to inject malicious code onto FAA users' computers, the report added, noting that this is exactly what happened in February 2009.
The report also identified organizational issues that affect security. The Department of Transportation's (DOT) Cyber Security Management Center (CSMC) monitored incidents at the facility level and a contractor monitored security on the network. The CSMC was not communicating well with the FAA's Air Traffic Organization (ATO).
"According to CSMC and ATO management officials, effective IDS deployment requires close cooperation between CSMC and ATO. However, this cooperation has been lacking," the report said.
Finally, there were network design issues. The report distinguished between the ATC systems, which are supposed to be highly secure, and other parts of the FAA's network that are less secure. Both authorized and unauthorized network connections have made critical parts of the network less secure.
Top five recommendations
The report concluded with five recommendations, all of which Ramesh K. Punwani, the FAA's CFO, agreed to on April 16th. The report recommended that applications adhere to government security standards, that the FAA fix its patch management process, that it correct all high-risk issues immediately and also establish a process to fix the medium- and low-risk vulnerabilities, and that it establish better communications with the DOT CSMC.
"While FAA believes that the relationship with CSMC is essentially sound, within 30 days, the Chief Information Officer (CIO) along with the CIO for ATO will meet with the CSMC leadership to discuss strengths and weaknesses of interactions between their organizations and identify any areas in need of improvement," Punwani wrote to the auditors in a note attached to the report.
He added that the FAA will establish SLAs (Service Level Agreements) with all FAA lines of business and will define a cyber incident remediation process by August 2009.
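As an added illustration of the triage the recommendations describe (this is example code, not from the article or the audit report): open findings are ranked by severity and flagged once they sit past a remediation window, and credentials are screened against a deny-list that includes the literal "PASSWORD" the report cited. The SLA windows, the deny-list entries beyond "password", and the sample findings are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Remediation windows in days: assumed for this example, not figures from the report.
# High-risk issues are due immediately; medium and low get a defined, dated process.
SLA_DAYS = {"high": 0, "medium": 30, "low": 90}

# Constructed deny-list: "password" matches the report's finding; the rest are
# common defaults added for illustration.
WEAK_PASSWORDS = {"password", "admin", "123456"}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    app: str
    severity: str            # "high", "medium" or "low"
    found_on: date
    fixed_on: Optional[date] = None


def overdue_findings(findings: List[Finding], today: date) -> List[Tuple[Finding, int]]:
    """Return (finding, days_overdue) for open findings past their SLA window,
    most severe first and, within a severity, the longest-overdue first."""
    late = []
    for f in findings:
        if f.fixed_on is not None:
            continue                                   # closed: nothing to chase
        deadline = f.found_on + timedelta(days=SLA_DAYS[f.severity])
        if today > deadline:
            late.append((f, (today - deadline).days))
    late.sort(key=lambda item: (SEVERITY_ORDER[item[0].severity], -item[1]))
    return late


def weak_password(candidate: str) -> bool:
    """True if the credential is on the deny-list; case-insensitive so 'PASSWORD' is caught."""
    return candidate.lower() in WEAK_PASSWORDS


if __name__ == "__main__":
    sample = [                                         # constructed sample findings
        Finding("web app A", "high", date(2009, 2, 1)),
        Finding("web app B", "medium", date(2009, 3, 20)),
        Finding("web app C", "low", date(2009, 4, 1)),
        Finding("web app D", "high", date(2009, 1, 1), fixed_on=date(2009, 1, 2)),
    ]
    for finding, days in overdue_findings(sample, date(2009, 4, 16)):
        print(f"{finding.severity:6} {finding.app:12} overdue by {days} days")
    print("PASSWORD weak:", weak_password("PASSWORD"))
```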
Brian Barner, principal at ValueBridge Advisors and an ISACA volunteer leader, said that companies that implement best practices do better in audits and in self-assessments.