Mad about long lines at the airport? Here's a more frightening reason to hate TSA

With all the attention focused on long lines at security checkpoints at our nation's airports, an audit by the DHS inspector general regarding IT security at TSA has been lost in the shuffle.

It shouldn't be. A word to the wise; if you plan on flying anytime soon, you might want to skip this blog.

Endgadget:

The final report from the DHS Office of Inspector General details serious persistent problems with TSA staff's handling of IT security protocols. These issues include servers running software with known vulnerabilities, no incident report process in place, and zero physical security protecting critical IT systems from unauthorized access.

What we're talking about here are the very basics of IT security, and the TSA has been failing at these quite spectacularly for some time.

The report centers on the the way TSA (mis)handles security around the data management system which connects airport screening equipment to centralized servers. It's called the Security Technology Integrated Program (STIP), and TSA has been screwing it up security-wise since at least 2012.

In essence, TSA employees haven't been implementing STIP properly -- that is, when they've been implementing it at all.

STIP manages data from devices we see while going through security lines at airports, namely explosive detection systems, x-ray and imaging machines, and credential authentication.

The bottom line is that the TSA hasn't followed DHS guidelines for managing STIP equipment, and the risks are grave, as spelled out in the report. "Failure to comply with these guidelines increases the risk that baggage screening equipment will not operate as intended, resulting in potential loss of confidentiality, integrity, and availability of TSA's automated explosive, passenger, and baggage screening programs."

These guys don't even perform the kinds of security checks that most of us have for our personal devices:

In addition to unpatched software and a lack of physical security that allowed non-TSA airport employees access to IT systems, the auditors found overheated server rooms and computers using unsupported systems -- and much more.

The observed "lack of an established disaster recovery capability" noted by the OIG is particularly scary. If a data center was taken out by natural disaster, passenger screening and baggage info would be rendered inaccessible.

Not only that, but there was no security incident report process in place, and there was "little employee oversight in maintaining IT systems." And, auditors were not pleased at all that non-TSA IT contractors maintained full admin control over STIP servers at airports.

As more and more examples of the ineptness and incredible incompetence of TSA management is exposed, the more that airlines, airports, and the flying public will demand that the TSA be privatized.

But we're talking about tens of thousands of union jobs at stake. And Democrats in Congress would never allow it. So we will continue to be put at risk by an agency that cares more about perks and bonuses than if you live or die.

 

 

With all the attention focused on long lines at security checkpoints at our nation's airports, an audit by the DHS inspector general regarding IT security at TSA has been lost in the shuffle.

It shouldn't be. A word to the wise; if you plan on flying anytime soon, you might want to skip this blog.

Endgadget:

The final report from the DHS Office of Inspector General details serious persistent problems with TSA staff's handling of IT security protocols. These issues include servers running software with known vulnerabilities, no incident report process in place, and zero physical security protecting critical IT systems from unauthorized access.

What we're talking about here are the very basics of IT security, and the TSA has been failing at these quite spectacularly for some time.

The report centers on the the way TSA (mis)handles security around the data management system which connects airport screening equipment to centralized servers. It's called the Security Technology Integrated Program (STIP), and TSA has been screwing it up security-wise since at least 2012.

In essence, TSA employees haven't been implementing STIP properly -- that is, when they've been implementing it at all.

STIP manages data from devices we see while going through security lines at airports, namely explosive detection systems, x-ray and imaging machines, and credential authentication.

The bottom line is that the TSA hasn't followed DHS guidelines for managing STIP equipment, and the risks are grave, as spelled out in the report. "Failure to comply with these guidelines increases the risk that baggage screening equipment will not operate as intended, resulting in potential loss of confidentiality, integrity, and availability of TSA's automated explosive, passenger, and baggage screening programs."

These guys don't even perform the kinds of security checks that most of us have for our personal devices:

In addition to unpatched software and a lack of physical security that allowed non-TSA airport employees access to IT systems, the auditors found overheated server rooms and computers using unsupported systems -- and much more.

The observed "lack of an established disaster recovery capability" noted by the OIG is particularly scary. If a data center was taken out by natural disaster, passenger screening and baggage info would be rendered inaccessible.

Not only that, but there was no security incident report process in place, and there was "little employee oversight in maintaining IT systems." And, auditors were not pleased at all that non-TSA IT contractors maintained full admin control over STIP servers at airports.

As more and more examples of the ineptness and incredible incompetence of TSA management is exposed, the more that airlines, airports, and the flying public will demand that the TSA be privatized.

But we're talking about tens of thousands of union jobs at stake. And Democrats in Congress would never allow it. So we will continue to be put at risk by an agency that cares more about perks and bonuses than if you live or die.