Report: U.S. DOT needs to improve IT security

Computerworld - During a recent audit of the U.S. Department of Transportation's IT systems, the agency's inspector general was able to take control of a vulnerable server and gain access to sensitive information -- a security lapse that he said could put a number of department systems at risk.
It was one of the findings by DOT Inspector General Kenneth Mead, who uncovered about 3,000 weaknesses in the department's IT systems -- including previously reported vulnerabilities that were never fixed, according to the report (download PDF).
The DOT oversees 10 agencies, including the Federal Railroad Administration (FRA) and the Federal Aviation Administration (FAA). It was an FRA server that the inspector general was able to take over.
"These weaknesses enabled us to gain total [root-level access] control over a critical file server, desktop computers and a network switch," according to Mead's report. "From these computers, we accessed sensitive information that enabled us to gain unauthorized entry from the Internet and obtain sensitive information."
Because of interconnectivity among all DOT networks, the security lapse put other departmental systems at risk, the report said.
The inspector general also noted that the FRA hasn't fully deployed an intrusion-detection system, despite years of effort, meaning the DOT can't effectively protect its computers, according to the report.
Mead also noted that the DOT failed to install software patches on a timely basis, allowing 700 departmental computers to be infected with the recent Zotob worm. The worm was introduced to the DOT's network by a contract employee who connected his laptop to the agency's network in violation of department policy, he said.
"DOT needs to develop a mechanism to ensure that all computers used by telecommuting employees are periodically checked for vulnerabilities and patched with the latest security upgrades," according to the report.
Although the report said that FRA officials are working to eliminate critical vulnerabilities, other agencies have been slow to act. "For example, one of the pending actions is to enhance password security protection in [an FAA] system that contains privacy information," Mead said. "This inexpensive fix would significantly reduce the risk of unauthorized access."
According to the report, the Mead notified DOT officials in 2004 that the FAA needed to improve its IT system security. But the aviation agency didn't start making improvements until this past April.
Mead is now working on two new reports on security problems in the FAA system for maintaining air traffic control surveillance, navigation and communications equipment. According to the inspector general, the FAA failed to address earlier air traffic