RealTime IT News

FAA's Web Security Audit: 3,857 Vulnerabilities

Just how secure are the government's IT systems? You'd think that at the very least, critical systems would be protected and invulnerable, but you'd be wrong.

On the heels of news that the DoD had been penetrated and the electrical grid suffered a breach comes news that our air traffic control systems have been attacked numerous times and are poorly defended.

A security audit of the Web applications used in the Federal Aviation Administration's (FAA) air traffic control (ATC) systems found 763 high-risk, 504 medium-risk, and 2,590 low-risk vulnerabilities. Issues included such basic security errors as the use of default passwords in applications, failure to patch applications in a timely manner, and failure to deploy intrusion detection systems (IDS) throughout the organization.

Such shoddy security led inevitably to intrusions. "In February 2009, hackers compromised an FAA public-facing Web application computer and used it as a conduit to gain unauthorized access to personally identifiable information (PII) on 48,000 current and former FAA employees," the report said.

The audit covered June 2008 through January 2009 and was conducted by KPMG. It wasn't published till April 16, 2009.

The report indicates other problems. "In 2008 hackers took control of FAA's critical network servers (domain controllers) and gained the power to shut down the servers, which could cause serious disruption to FAA's mission-support network. In 2006 a viral attack, widely distributed on the Internet, spread to FAA's ATC systems, forcing FAA to shut down a portion of its ATC systems in Alaska."

The report added that the 2008 incident "had not been remediated" by the end of 2008, along with at least 150 other cyber incident alerts.

Join the club

Many vulnerabilities were easily avoidable, but that's not an uncommon problem, even in the private sector. Just last month, Verizon Business' RISK team reported that many businesses that suffered breaches had failed to change default credentials, had failed to patch systems, and had failed to deploy IDS.

In several cases, the report said, companies claimed to have deployed IDS but Verizon Business' team could not find them.

The FAA audit report shows why it might be difficult to find a poorly deployed IDS. Auditors identified 734 facilities and said that IDS had been deployed to 11 of them. Part of the problem, the report said, is that the FAA does not have an adequate map of its own network.
