Monday, May 11, 2009

FAA's ATC Applications: Thousands of Vulnerabilities

From, let's see if we can pick out how many scary things are in this one sentence: "A government audit (PDF) has pinpointed more than 3,800 vulnerabilities -- 763 of which are high-risk -- in the Federal Aviation Administration's Web-based air traffic control system applications, including some that could potentially put air travel at risk."
  1. There are more than 3800 vulnerabilities
  2. 763 are high risk
  3. The applications are Web-based
  4. I don't like to fly
Ok, I made that last one up, but it's scary, too.

The report has more frightening details, such as a demonstrated lack of access control to the apps, lack of defense against attacks, and poor intrusion-detection practices.

Let me see if I can summarize this: the FAA has vulnerable web applications that are, you know, accessible from
the Web, and not only are they easily exploitable, they are basically under-protected, configured to allow who-knows-whom in, and are missing basic functionality to determine if the bad guys have gotten into the system.

What is the FAA
waiting for? Cyber-terrorists to crash some planes into mountains before they take action? This is unconscionable.

Rather than putting together a cyber-security framework, how about if some of these federal agencies do some rudimentary vulnerability assessment and remediation work?

Seriously - if I ran my corporate info security group like this, two things would happen. Regulators and/or government agencies would cite me, and I would get fired.

But we're still searching grandma at the airport to make sure she's not carrying nail clippers or knitting needles, because that's obviously where the risk is highest. What a boondoggle.

Thousands of Vulnerabilities Detected in FAA's Air Traffic Control Apps

No comments:

Post a Comment

Please tell me what you think.