Earlier this month the Government Accountability Office issued a 46-page report outlining security vulnerabilities in critical Federal Aviation Administration (FAA) systems. The report concerns the national airspace system (NAS) used to track and direct public and private aircraft. Many of these issues are common in all types of organizations, so look over the FAA’s list of shortcomings and see how many might be affecting your company.
Interconnectivity: The NAS is not connected to the Internet, but it is connected to outside networks. The report indicates there are too many unnecessary connections between the NAS and these other networks. Security shortcomings in the connected networks could open access points into the NAS, leaving it vulnerable to attack.
Passwords: The report found some servers did not have sufficiently strict password requirements. The FAA’s password requirements are actually less strict than I usually recommend: the FAA’s minimum password length is eight characters. For maximum security your organization should require a minimum of twelve characters. Passwords should contain at least one uppercase letter, one lowercase letter, a number and a special character, and they should automatically expire after a set length of time.
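The two policies side by side as an added example (not from the GAO report or the FAA): the eight-character minimum the report describes next to the twelve-character, mixed-class, expiring policy recommended above. The 90-day expiry and the sample passwords are assumptions chosen for illustration.

```python
import string
from datetime import date, timedelta

# Weak setting the report describes: eight characters, no other rules.
FAA_MINIMUM = {"min_length": 8, "require_classes": False, "max_age_days": None}
# Recommended baseline from the post; the 90-day expiry is an assumed value.
RECOMMENDED = {"min_length": 12, "require_classes": True, "max_age_days": 90}


def check_password(password, policy, last_changed=None, today=None):
    """Return the list of policy violations (an empty list means compliant).

    last_changed/today are ISO date strings ("YYYY-MM-DD"); today defaults
    to the current date when omitted.
    """
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if policy["require_classes"]:
        if not any(c.islower() for c in password):
            problems.append("no lowercase letter")
        if not any(c.isupper() for c in password):
            problems.append("no uppercase letter")
        if not any(c.isdigit() for c in password):
            problems.append("no digit")
        if not any(c in string.punctuation for c in password):
            problems.append("no special character")
    max_age = policy["max_age_days"]
    if max_age is not None and last_changed is not None:
        changed = date.fromisoformat(last_changed)
        now = date.fromisoformat(today) if today else date.today()
        if now - changed > timedelta(days=max_age):
            problems.append(f"older than {max_age} days")
    return problems


if __name__ == "__main__":
    # Constructed sample: passes the FAA minimum, fails the recommended policy.
    for name, policy in (("FAA minimum", FAA_MINIMUM), ("recommended", RECOMMENDED)):
        print(name, check_password("summer08", policy) or "compliant")
```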
User Authentication: Regulations state only authorized users can have access to the system, and users should have the minimum number of permissions required to perform their duties. The investigators found users with excessive permissions and improper security documentation.
Encryption: Another alarming detail is that the FAA did not always ensure sensitive data was encrypted in storage and/or in transit. The investigation found network devices supporting certain systems did not encrypt authentication data, and some systems used weak encryption to store passwords.
Auditing & Monitoring: The report also indicated the FAA did not have adequate systems in place to monitor network traffic or ensure the NAS was logging security-related events. If an attack were to occur, the administrators may not be able to detect and respond to malicious activities in time.
Patching: Investigators found the FAA did not always take steps to ensure key systems were fully patched or kept up-to-date. Some systems were missing patches dating back more than three years, and some servers supporting key systems were so old they had reached end-of-life and were no longer supported. This leaves the systems vulnerable to security loopholes and exploits that have been fixed under newer software releases.
Unlike at the FAA, lives may not depend on your network security. That doesn’t mean your organization can afford to relax. Ensuring your network is hardened against attackers is an essential part of running a business.