Holes in wireless networks forced the Transportation Security Administration (TSA) to improve its cyber security program.
The move follows recommendations from the inspector general (IG) at the Department of Homeland Security (DHS), who said TSA needs to improve its practices for patching and configuring software on its networks.
This is another case where an organization conducted an internal audit to find holes in its security posture. The DHS IG audited TSA wireless networks and devices like Blackberries earlier this year to examine protections for sensitive information and other data on TSA networks. The audit revealed TSA generally protected its wireless network and devices with physical and logical security access controls, thereby avoiding any major vulnerabilities inherent in its wireless infrastructure.
“However, we identified high-risk vulnerabilities involving patch and configuration controls,” said the IG office in its report, Improvements in Patch and Configuration Management Controls Can Better Protect TSA’s Wireless Network and Devices.
The IG office (OIG) made specific recommendations to TSA to revise its patch management process to patch software in a timely manner and to enforce security policy for those individuals who do not properly secure their wireless systems and devices.
TSA Administrator John Pistole said his agency already took corrective measures.
“The OIG audit team did identify high-risk vulnerabilities involving patch and configuration controls on two of the four systems tested,” Pistole said. “The OIG recommends, and TSA concurs, that improvements are needed to further enhance the security of wireless components and the back-end infrastructure, and to fully comply with the department’s information security policies. All of the identified findings have been addressed or corrected. The OIG’s efforts are appreciated and have resulted in the increased protection of wireless infrastructure against potential risks, threats, and exploits for both TSA” and the Federal Air Marshal Service (FAMS).
In reports in 2004 and 2005, the DHS IG first pointed out vulnerabilities in the department’s overall wireless networks and devices, which lacked an effective intrusion detection system. TSA began implementing wireless connectivity in 2007, linking TSA personnel at its headquarters to personnel at more than 400 U.S. commercial airports.
TSA has made considerable progress in establishing and securing its own wireless local area networks in that time. But FAMS, an agency housed within TSA, lacks its own wireless system although its air marshals do use Blackberries and other wireless devices.
But at the time of the IG report, TSA had not “fully implemented DHS’ baseline configuration settings on all of its wireless devices and supporting infrastructure,” the report read.
The IG recommendations targeted updating security patches and configurations to prevent potential exploitation of software by hackers seeking to steal TSA information, which potentially could include sensitive information provided by air passengers.
Potential exploits facing unsecured wireless networks include eavesdropping, where hackers can monitor data transmissions; traffic analysis, where hackers can examine the flow of communications between parties; denial of service, where hackers can overload a network by bombarding it with communication requests; masquerading, where a hacker impersonates a legitimate user; and message replay and modification, where hackers retransmit or modify original messages.