Information Security News mailing list archives

Audit scorches DOT security


From: William Knowles <wk () C4I ORG>
Date: Mon, 2 Oct 2000 22:58:17 -0500

http://www.fcw.com/fcw/articles/2000/1002/news-dotsec-10-02-00.asp

BY Paula Shaki Trimble
10/02/2000

Information security weaknesses at the Federal Aviation Administration
pale in comparison to the network vulnerabilities discovered at other
Transportation Department administrations, according to a report
released last week by DOT's Office of Inspector General.

"I think FAA's in better shape than the rest of the department,
considerably better shape," said Kenneth Mead, DOT's inspector general,
speaking to the House Science Committee Sept. 27. The committee was
examining security problems in computers used for air traffic control
as well as failures to comply with FAA policies requiring background
checks for employees and contractors given access to the systems.

The General Accounting Office informed the FAA in December 1999 that
the agency had failed to conduct background checks on contractors
hired to test and fix mission-critical systems for the Year 2000
rollover, said FAA Administrator Jane Garvey during the hearing.
Professional hackers hired later to test the security of critical
information technology systems also did not receive proper clearance.

In response, the FAA, under the direction of DOT's chief information
officer, completed thousands of security clearances for IT
contractors, and audited and fixed IT security problems in systems at
all FAA facilities. FAA's efforts to improve computer and personnel
security could set an example for the rest of the agency, Mead said.

During a nine-month review of computer networks at DOT headquarters,
the IG found serious weaknesses in the agency's firewall security and
lax enforcement of Internet security requirements specified by DOT's
CIO. The IG found that unauthorized users within and outside the
agency could access private Web sites.

However, of the computers the investigators were able to penetrate,
none were at the FAA or the U.S. Coast Guard, where DOT's most critical
systems are located. George Molaski, DOT's CIO, said he is trying to
get the resources allocated at the departmental level to assist the
smaller administrations in implementing the required security systems
and policy. Molaski has asked for an additional five IT security
personnel at headquarters in the department's $1.1 million budget
request for fiscal 2001.

Although Transportation Secretary Rodney Slater has strived to create
a unified DOT, some of the Transportation administrations "still
believe it's the wild, wild West and they can do what they want,"
Molaski said. "Security changes the dynamic because we're all tied to
the same backbone, and a vulnerability on one [administration] affects
all the other [administrations]."


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com