- There are more than 3800 vulnerabilities
- 763 are high risk
- The applications are Web-based
- I don't like to fly

The report has more frightening details, such as a demonstrated lack of access control to the apps, lack of defense against attacks, and poor intrusion-detection practices.
Let me see if I can summarize this: the FAA has vulnerable web applications that are, you know, accessible from the Web, and not only are they easily exploitable, they are basically under-protected, configured to allow who-knows-whom in, and are missing basic functionality to determine if the bad guys have gotten into the system.
What is the FAA waiting for? Cyber-terrorists to crash some planes into mountains before they take action? This is unconscionable.
Rather than putting together a cyber-security framework, how about if some of these federal agencies do some rudimentary vulnerability assessment and remediation work?
Seriously - if I ran my corporate info security group like this, two things would happen. Regulators and/or government agencies would cite me, and I would get fired.
But we're still searching grandma at the airport to make sure she's not carrying nail clippers or knitting needles, because that's obviously where the risk is highest. What a boondoggle.

Thousands of Vulnerabilities Detected in FAA's Air Traffic Control Apps