Report: U.S. DOT needs to improve IT security
As many as 3,000 security weaknesses were identified
Computerworld - During a recent audit of the U.S. Department of Transportation's IT systems, the agency's inspector general was able to take control of a vulnerable server and gain access to sensitive information -- a security lapse that he said could put a number of department systems at risk.
It was one of the findings by DOT Inspector General Kenneth Mead, who uncovered about 3,000 weaknesses in the department's IT systems -- including previously reported vulnerabilities that were never fixed, according to the report (download PDF).
The DOT oversees 10 agencies, including the Federal Railroad Administration (FRA) and the Federal Aviation Administration (FAA). It was an FRA server that the inspector general was able to take over.
"These weaknesses enabled us to gain total [root-level access] control over a critical file server, desktop computers and a network switch," according to Mead's report. "From these computers, we accessed sensitive information that enabled us to gain unauthorized entry from the Internet and obtain sensitive information."
Because of interconnectivity among all DOT networks, the security lapse put other departmental systems at risk, the report said.
The inspector general also noted that the FRA hasn't fully deployed an intrusion-detection system, despite years of effort, meaning the DOT can't effectively protect its computers, according to the report.
Mead also noted that the DOT failed to install software patches on a timely basis, allowing 700 departmental computers to be infected with the recent Zotob worm. The worm was introduced to the DOT's network by a contract employee who connected his laptop to the agency's network in violation of department policy, he said.
"DOT needs to develop a mechanism to ensure that all computers used by telecommuting employees are periodically checked for vulnerabilities and patched with the latest security upgrades," according to the report.
Although the report said that FRA officials are working to eliminate critical vulnerabilities, other agencies have been slow to act. "For example, one of the pending actions is to enhance password security protection in [an FAA] system that contains privacy information," Mead said. "This inexpensive fix would significantly reduce the risk of unauthorized access."
According to the report, the Mead notified DOT officials in 2004 that the FAA needed to improve its IT system security. But the aviation agency didn't start making improvements until this past April.
Mead is now working on two new reports on security problems in the FAA system for maintaining air traffic control surveillance, navigation and communications equipment. According to the inspector general, the FAA failed to address earlier air traffic



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Reducing the Cost and Complexity of Web Vulnerability Management
- Hackers and cybercriminals are constantly refining their attacks and targets; which means you need agile tools to stay ahead of them.
Download this... - Overcome Top 7 Admin Challenges of Active Directory
- As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
- Insiders Can Ruin Your Company. Take Action.
- Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
- Top Solutions and Tools to Prevent Devastating Malware
- Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
- Streamline Compliance and Increase ROI
- Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will... All Malware and Vulnerabilities White Papers
- Optimizing Networks for the Cloud
- Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
- Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
- Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
- Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
- Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
- Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
- Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn...
- Virtualize Business-Critical Applications with Confidence
- Virtualizing business-critical applications has become a key focus for organizations as they move along their virtualization journey. With the launch of VMware vSphere®... All Malware and Vulnerabilities Webcasts