Vulnerabilities persist in TSA’s Security Technology Integrated Program
- By Derek Major
- May 18, 2016
What: “IT Management Challenges Continue in TSA’s Security Technology Integrated Program,” an audit by the Department of Homeland Security’s Office of the Inspector General.
Why: The audit was conducted to follow up on deficiencies within the Transportation Security Administration’s Security Technology Integrated Program (STIP), the system that enables the remote management of this transportation security equipment by connecting it to a centralized server that supports data management, aids threat response and facilitates equipment maintenance, including automated deployment of software and configuration changes.
Findings: The audit found deficiencies in STIP security controls, including unpatched software and inadequate contractor oversight. When 74 servers were tested at Orlando International Airport and two DHS data centers in August and September 2015, 71 had more than 12,000 vulnerabilities. Three servers had no vulnerabilities. STIP was also running on Windows Server 2008, rather than having been upgraded to Windows Server 2012.
TSA has not established an effective disaster recovery capability for STIP servers at one of its data centers, physical security deficiencies were found at Orlando International Airport and vulnerability reporting was deemed inadequate.
Additionally, in its contracts, TSA did not ensure that TSA staff would have administrator rights, such as user IDs and passwords, to access and maintain security on STIP airport servers.
Takeaway: Because TSA typically has not managed STIP equipment as IT assets, it did not include security requirements its STIP server contracts.
DHS OIG made 11 recommendations for the TSA, including ensuring that STIP servers have the latest software patches installed so that identified vulnerabilities will not be exploited; ensuring IT security testing is performed so that STIP servers are not deployed with known technical vulnerabilities; and implementing a contractor oversight process so that only authorized and approved software, along with timely updates, is installed on STIP airport servers.
The TSA concurred with all 11 recommendations.
Get more: Read the full report here.
Derek Major is a former reporter for GCN.