During a recent audit of the U.S. Department of Transportation’s IT systems, the agency’s inspector general was able to take control of a vulnerable server and gain access to sensitive information — a security lapse that he said could put a number of department systems at risk.
It was one of the findings by DOT Inspector General Kenneth Mead, who uncovered about 3,000 weaknesses in the department’s IT systems — including previously reported vulnerabilities that were never fixed, according to the report.
The DOT oversees 10 agencies, including the Federal Railroad Administration (FRA) and the Federal Aviation Administration (FAA). It was an FRA server that the inspector general was able to take over.
“These weaknesses enabled us to gain total [root-level access] control over a critical file server, desktop computers and a network switch,” according to Mead’s report. “From these computers, we accessed sensitive information that enabled us to gain unauthorized entry from the Internet and obtain sensitive information.”
Because of interconnectivity among all DOT networks, the security lapse put other departmental systems at risk, the report said.
The inspector general also noted that the FRA hasn’t fully deployed an intrusion-detection system, despite years of effort, meaning the DOT can’t effectively protect its computers, according to the report.
Mead also noted that the DOT failed to install software patches on a timely basis, allowing 700 departmental computers to be infected with the recent Zotob worm. The worm was introduced to the DOT’s network by a contract employee who connected his laptop to the agency’s network in violation of department policy, he said.
“DOT needs to develop a mechanism to ensure that all computers used by telecommuting employees are periodically checked for vulnerabilities and patched with the latest security upgrades,” according to the report.
Although the report said that FRA officials are working to eliminate critical vulnerabilities, other agencies have been slow to act. “For example, one of the pending actions is to enhance password security protection in [an FAA] system that contains privacy information,” Mead said. “This inexpensive fix would significantly reduce the risk of unauthorized access.”
According to the report, the Mead notified DOT officials in 2004 that the FAA needed to improve its IT system security. But the aviation agency didn’t start making improvements until this past April.
Mead is now working on two new reports on security problems in the FAA system for maintaining air traffic control surveillance, navigation and communications equipment. According to the inspector general, the FAA failed to address earlier air traffic control systems security recommendations.
For example, the FAA collected system security information on only about half of the systems used to support high-altitude air traffic services, meaning other critical systems were not reviewed. Because it has not yet analyzed the information it collected, it hasn’t determined what needs to be done to correct any problems. FAA officials also haven’t performed independent testing on-site of its high risk systems, something that’s required by law, according to the report.
In addition to addressing specific vulnerabilities, the DOT also needs to provide more oversight of its IT investments at the FAA, the report said.
“We reviewed 16 FAA major acquisitions and found that nine projects had experienced schedule delays of two to 12 years and 11 projects had experienced cost growth of about US$5.6 billion [from $8.9 billion to $14.5 billion],” Mead said, adding that air traffic control modernization projects still face performance problems, cost increases and schedule delays.
According to the inspector general, the DOT’s CIO received a draft of the report, agreed with Mead’s findings and recommendations, and plans to provide written comments describing exactly what the DOT is doing to correct the problems.
“We have reviewed the report, and we will provide the [inspector general] with a response shortly,” DOT spokesman Bill Mosley.
By Linda Rosencrance, Computerworld