Don’t know if I’ll ever be secure again

“Transportation Security Administration” may not actually refer to security, it seems, according to a report issued by the Office of Inspector General (OIG) of the Department of Homeland Security (DHS). The report, “IT Management Challenges Continue in TSA’s Security Technology Integrated Program,” details the results of an audit, conducted primarily to follow up on previously reported “deficiencies in information technology (IT) security controls of the Security Technology Integrated Program (STIP), a data management system that connects airport transportation security equipment (TSE) to servers.”

The gist of the report, if the prior paragraph wasn’t gasp-worthy enough, was that the TSA did not follow DHS’s recommendations or departmental guidance on managing information security. Adding insult to injury, senior-level TSA staff advised that STIP servers not be classified as IT investments, meaning that IT security requirements were not included in STIP procurement contracts in the first place, and unsupported (and thus insecure) operating systems were in use.  In other words, the TSA chose to disregard practices that keep the confidentiality, integrity, and availability of fliers and their sensitive information safe and secure.

There’s so many times I’ve let you down

Server software vulnerabilities, a lack of an established disaster recovery capability, physical security deficiencies, and inadequate vulnerability reporting were just some of the failures of the TSA related to its IT systems. The audit identified 12,282 “high” server vulnerabilities during the August-September 2015 evaluation. In general, assessments and security tests were not conducted prior to deployment, even leaving a 1999 vulnerability operable on one system. Only 51% of servers had had vulnerability assessments (no mention of what kind of “assessment” was included in the report), and the paragraph on “inadequate vulnerability reporting” interchanges “assessment” with “scanning,” indicating that even the guidance could be baseline, at best. At a minimum, the TSA could have kept up with patching, since the #1 rule of software is to patch quickly and consistently. Apparently the TSA thought patching was more trouble than it’s worth too. And those are the known vulnerabilities TSA didn’t even need to assess on its own.

Even if information security is poor, surely the TSA knows something about physical security! No so fast. Switches were not properly secured, and they were kept in a shared space that could be accessed by any airport personnel. A complete inventory of switches had not been conducted, so TSA staff couldn’t even account for the number or physical locations of switches requiring security.

So many times I’ve played around

One of the most concerning findings was the failure to change administrator passwords for all STIP servers. The report adds, “so that contractors no longer have full control over this equipment at airports,” but didn’t mention the ease with which threat actors—onsite or in Oman—can compromise default admin passwords. If passwords haven’t been changed, what’s the likelihood that passwords are unique to each admin or that least privilege has been implemented? Who is monitoring admin accounts? Above we see that vulnerability assessments aren’t taking place, so it’s logical to conclude that no one at TSA is assessing admin accounts. For anyone paying attention, though, compromised credentials offer the keys to the kingdom, which means that if a threat actor is in the TSA’s systems, they’re in and no one’s paying attention.

If this all isn’t bad enough, no “established STIP disaster recovery capability” was found during the audit. At the issuance of the report, the TSA still had not accounted for the possibility of a natural or manmade disaster. Despite history.

In all, DHS issued eleven recommendations:

“1: Ensure that IT security controls are included in STIP system design and implementation so that STIP servers are not deployed with known technical vulnerabilities.

2: Ensure that STIP servers use approved operating systems for which the Department has established minimum security baseline configuration guidance.

3: Ensure that STIP servers have the latest software patches installed so that identified vulnerabilities will not be exploited.

4: Ensure that IT security testing is performed so that STIP servers are not deployed with known technical vulnerabilities.

5: Ensure that authorized TSA staff obtain and change administrator passwords for all STIP servers at airports so that contractors no longer have full control over this equipment at airports.

6: Implement a contractor oversight process so that only authorized and approved software, along with timely updates, is installed on STIP airport servers.

7: Inventory all locations at Orlando International Airport housing STIP servers and switches and ensure that these locations comply with DHS policy concerning physical security controls.

8: Ensure an adequate operational recovery capability for STIP servers at DC1 in case DC2 becomes inaccessible.

9: Establish a process for providing STIP server vulnerability assessment reports to the Department so that DHS leadership may adequately monitor system compliance capability.

10: Ensure that IT security requirements are included in equipment procurement contracts for IT components of STIP and passenger and checked baggage screening equipment as required.

11: Institute controls so that all IT costs associated with STIP are accurately captured and reported in annual budget submissions as required.”

Now the time has come to leave you

Of the 11 grievances, number 5, the one that offers the keys to the kingdom, is the only one that remains “unresolved and open.” According to the report, the agency is taking steps to address the other 10 recommendations and is moving towards a more secure IT environment. In the meantime, and certainly until an updated report on the state of security at the TSA has been issued, travelers may have slightly more to worry about than long lines and restricting themselves to 3 oz. bottles of shampoo.