70% of servers contain at least one high-risk or critical security hole
The Federal Aviation Administration has not implemented the security controls needed to ensure that the systems of the Civil Aviation Registry cannot be breached. “We found multiple weaknesses with the Registry servers, including outdated operating systems and no routine monitoring over sensitive data access. FAA is also not in compliance with DOT policies calling for PII encryption and account access controls,” reads a report by the Office of the Inspector General for the US Department of Transportation.
“Finally, FAA does not have agreements in place with external parties that receive registry information to protect PII to prevent unauthorized access, as required by the Federal Information Security Management Act (FISMA).”
The report highlights that 70% of the computer servers supporting the Registry contain at least one high-risk or critical vulnerability that could be exploited to gain unauthorized access.
In addition, seven servers had not received software patches since 2007, and two machines were found to be running outdated operating systems.
The FAA also fails to monitor access to sensitive Civil Aviation Registry data.
The Office of the Inspector General found that a number of security controls are missing.
First, sensitive information submitted by owners for aircraft registration is stored unencrypted, which makes it far easier for a malicious third party to access or steal it.
Furthermore, inactive user accounts have not been identified and removed.
“Untimely disabling and removal of accounts could lead to unauthorized access to information and systems by individuals who are no longer authorized. Additionally, FAA has inadequate policies and practices for creating and managing user accounts,” the report reveals.
Finally, the report notes that multifactor authentication is not required to access Registry information.