Just how secure are the government’s IT systems? You’d think that at the very least, critical systems would be protected and invulnerable, but you’d be wrong.
On the heels of news that the DoD had been penetrated and the electrical grid suffered a breach comes news that our air traffic control systems have been attacked numerous times and are poorly defended.
A security audit of the Web applications used in the Federal Aviation Administration’s (FAA) air traffic control (ATC) systems found 763 high risk, 504 medium risk, and 2,590 low risk vulnerabilities. Issues included such basic security errors as the use of default passwords in applications, failure to patch applications in a timely manner, and failure to deploy intrusion detection systems (IDS).
Such shoddy security led inevitably to intrusions. “In February 2009, hackers compromised an FAA public-facing Web application computer and used it as a conduit to gain unauthorized access to personally identifiable information (PII) on 48,000 current and former FAA employees,” the report said.
The audit covered June 2008 through January 2009 and was conducted by KPMG. It wasn’t published till April 16, 2009.
The report indicates other problems. “In 2008 hackers took control of FAA’s critical network servers (domain controllers) and gained the power to shut down the servers, which could cause serious disruption to FAA’s mission-support network. In 2006 a viral attack, widely distributed on the Internet, spread to FAA’s ATC systems, forcing FAA to shut down a portion of its ATC systems in Alaska.”
The report added that the 2008 incident “had not been remediated” by the end of 2008, along with at least 150 other cyber incident alerts.
Join the club
Many vulnerabilities were easily avoidable, but that’s not an uncommon problem, even in the private sector. Just last month, Verizon Business’ RISK team reported that many businesses that suffered breaches had failed to change default credentials, had failed to patch systems, and had failed to deploy IDS.
In several cases, the report said, companies claimed to have deployed IDS but Verizon Business’ team could not find them.
The FAA audit report shows why it might be difficult to find a poorly deployed IDS. Auditors identified 734 facilities and said that IDS had been deployed to 11 of them. Part of the problem, the report said, is that the FAA does not have an adequate map of its own network.
Other easily avoidable errors noted in the report included using the word “PASSWORD” as the password to some applications and failing to patch even critical vulnerabilities in a timely manner.
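The three findings the article keeps returning to (default passwords, late patching, and IDS missing from most facilities) are the kind of thing an internal audit script can flag before an external auditor does. The following is an added illustration, not code from the audit report or the article; the inventory records, the default-password denylist, the 30-day patch deadline and the field names are all constructed assumptions.

```python
"""Added example (not from the audit report or the article): a small inventory
check that flags the three findings the article names: default or placeholder
passwords, critical patches applied late, and facilities without an IDS.
Inventory records, the denylist and the patch deadline are constructed."""
from datetime import date, timedelta

# Constructed denylist of default/placeholder credentials (assumption).
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "default", ""}

# Assumed deadline for applying a critical patch, in days after release.
CRITICAL_PATCH_SLA_DAYS = 30

# Constructed sample inventory; field names are assumptions, not the FAA's.
INVENTORY = [
    {"host": "app-01", "password": "PASSWORD",
     "critical_patch_released": date(2009, 1, 5),
     "critical_patch_applied": None, "facility": "F1", "ids": False},
    {"host": "app-02", "password": "x7$kLq9!",
     "critical_patch_released": date(2009, 1, 5),
     "critical_patch_applied": date(2009, 1, 20), "facility": "F2", "ids": True},
    {"host": "dc-01", "password": "admin",
     "critical_patch_released": date(2008, 11, 1),
     "critical_patch_applied": date(2009, 1, 10), "facility": "F1", "ids": False},
]


def has_default_password(record):
    # Case-insensitive match, so the literal "PASSWORD" from the audit counts.
    return record["password"].strip().lower() in DEFAULT_PASSWORDS


def patch_overdue(record, today):
    # Overdue if the patch is still missing past the deadline, or was applied late.
    deadline = record["critical_patch_released"] + timedelta(days=CRITICAL_PATCH_SLA_DAYS)
    applied = record["critical_patch_applied"]
    if applied is None:
        return today > deadline
    return applied > deadline


def ids_coverage(records):
    # A facility counts as covered if any host there reports an IDS.
    facilities = {r["facility"] for r in records}
    covered = {r["facility"] for r in records if r["ids"]}
    return len(covered), len(facilities)


def audit(records, today):
    # Returns (host, finding) pairs in inventory order.
    findings = []
    for r in records:
        if has_default_password(r):
            findings.append((r["host"], "default-password"))
        if patch_overdue(r, today):
            findings.append((r["host"], "patch-overdue"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(INVENTORY, date(2009, 2, 15)):
        print(f"{host}: {finding}")
    covered, total = ids_coverage(INVENTORY)
    print(f"IDS coverage: {covered} of {total} facilities")
```

The coverage ratio is the same shape as the auditors' "11 of 734" figure; the point of computing it from an inventory is that it requires the network map the report says the FAA lacked.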
More complex vulnerabilities could be exploited by internal FAA users, who include not only employees but also contractors and industry partners, the report said.
Attackers could use these vulnerabilities to inject malicious code on FAA users’ computers, the report added, noting this is exactly what happened in February 2009.
The report also identified organizational issues that affect security. The Department of Transportation’s (DOT) Cyber Security Management Center (CSMC) monitored incidents at the facility level and a contractor monitored security on the network. The CSMC was not communicating well with the FAA’s Air Traffic Organization (ATO).
“According to CSMC and ATO management officials, effective IDS deployment requires close cooperation between CSMC and ATO. However, this cooperation has been lacking,” the report said.
Finally, there were network design issues. The report distinguished between the ATC systems, which are supposed to be highly secure, and other parts of the FAA’s network that are less secure. Both authorized and unauthorized network connections have made critical parts of the network less secure.
Top five recommendations
The report concluded with five recommendations, all of which Ramesh K. Punwani, the FAA’s CFO, agreed to on April 16th. The report recommended that applications adhere to government security standards, that the FAA fix its patch management process, that it correct all high risk issues immediately and also establish a process to fix the medium risk and low risk vulnerabilities, and that it establish better communications with the DOT CSMC.
“While FAA believes that the relationship with CSMC is essentially sound, within 30 days, the Chief Information Officer (CIO) along with the CIO for ATO will meet with the CSMC leadership to discuss strengths and weaknesses of interactions between their organizations and identify any areas in need of improvement,” Punwani wrote to the auditors in a note attached to the report.
He added that the FAA will establish SLAs (Service Level Agreements) with all FAA lines of business and will define a cyber incident remediation process by August 2009.
Brian Barner, principal at ValueBridge Advisors and an ISACA volunteer leader, said that companies that implement best practices do better in audits and in self-assessments.