TSA probed for wireless security lapses

At the TSA’s headquarters, the audit identified a number of high-risk vulnerabilities on Microsoft Windows XP laptops and the BlackBerry enterprise server (BES) supporting BlackBerry devices. “Unless addressed immediately, each instance of vulnerability provides an attacker with the potential opportunity to exploit a system”, the IG warned.

In addition, the audit found that there were vulnerabilities in the TSA’s software patch management process, but the nature of the problem was redacted in the public version of the audit.

The IG recommended that the TSA chief information officer revise the patch management process to ensure that security patches are deployed in a timely manner “to mitigate the vulnerabilities identified and better secure headquarters wireless systems.” TSA concurred with the recommendation and said it has hired a new service provider to address the backlog of software patches.

The audit also found that TSA had not complied with DHS requirements for baseline configuration controls for wireless devices and systems. “Specific noncompliance issues related to local audit logging functions, a weak authentication protocol, and terminal services. Furthermore, we reviewed the security controls for one of TSA’s routers and identified noncompliance issues regarding the disabling of unused router interfaces and a disallowed service”, the IG observed.

The IG recommended that TSA take “corrective measures to address instances of noncompliance with DHS security policy on TSA wireless systems and devices.” TSA concurred with the recommendation and said it uses file encryption, which “mitigates the risk that could be caused by not adhering to the DHS policy.”

At the same time, the IG did not detect any high-risk vulnerabilities on TSA’s wireless network infrastructure or rogue wireless networks or devices attributed to TSA. The audit did detect wireless signal leakage, but this leakage was not a “security risk because of the mitigating controls implemented.”
 
