Report: Gaps persist in TSA network security

The Transportation Security Administration falls short in developing and implementing processes such as security testing, monitoring with audit trails, configuration and patch management, and password protection, according to the inspector general.

The Transportation Security Administration has improved its network security, but the agency still cannot ensure that critical computer network operations and data are protected from hackers and can be restored following an emergency, according to a new report from the Homeland Security Department's Office of the Inspector General.

The TSA falls short in developing and implementing processes such as security testing, monitoring with audit trails, configuration and patch management, and password protection, the report said. Also, contingency plans have been neither made final nor tested.

"TSA has taken actions and made progress in securing its networks," states the redacted version of the report. "However, TSA can make further improvements to secure its networks."

Computer networks are vital to homeland security for sharing information among government agencies. But they also contain sensitive data that must be protected from unauthorized access and manipulation by hackers and cyberterrorists.

The TSA, which oversees passenger and baggage screening and other security procedures at the nation's airports, shares information with airports through a wide area network. But it lacks a comprehensive security testing program to ensure the integrity of that network, the report said.

While some vulnerability scans are performed monthly, TSA does not conduct "penetration testing" and "password analysis," and does not test all devices connected to the network as recommended, the report said.

"Security vulnerabilities continue to exist because TSA has not implemented a comprehensive testing program to identify obsolete software versions or applicable patches on its network devices," the inspector general wrote. The report recommended testing to include "periodic network scanning, vulnerability scanning, penetration testing, password analysis and war driving."

TSA officials agreed with the advice, according to the report.

TSA has strengthened security configurations on its servers and workstations in comparison to what was found in a previous audit, the report said. However, the agency still needs to make improvements, including developing detailed configuration procedures, developing a patch management policy, implementing a strong password policy and securely configuring routers.

The audit found a list of accounts on two TSA workstations that could be accessed without identification and authentication, a vulnerability that could be exploited by a hacker.

On patch management, the audit discovered that TSA relies on the patch management procedures developed by the contractor responsible for network management, and it recommended that the agency develop its own documented policy.

The inspector general scolded TSA for allowing multiple users to share passwords for several administrative accounts, and it also pointed out that TSA's draft password policy does not comply with the Homeland Security Department's requirements for strong passwords.