We’ve questioned whether or not IT departments are too slow to patch Windows, and then ran a survey that basically confirmed what we already knew: patching Windows is a necessary evil and a huge time sink for IT. Well, it must be a royal pain for TSA IT as well. The DHS Office of Inspector General (OIG) dinged TSA in a recent security audit over lapses in patch management and configuration controls, and made recommendations to better protect TSA’s wireless network and devices.
While the report redacts the actual numbers, can you believe that some TSA laptops are still running Windows XP, the low-hanging fruit and one of the most hacked operating systems of all time? Windows 7 has been out since October 2009, but XP? Come on! Surely the government can afford to upgrade from such an insecure OS? Maybe TSA or DHS is unaware that Microsoft wants XP to die and has even set a kill date? Perhaps the TSA should consider consulting the NSA’s Best Practices Datasheet [PDF] and aim for at least the minimum security the NSA recommends for keeping even home networks secure. The NSA says Vista and Windows 7 are more secure than XP, and 64-bit versions are better still, since a 64-bit OS “substantially increases the effort of an adversary to attain” a “root compromise.”
The OIG recommended that TSA revise its patch management process and apply patches more frequently. The report [PDF] “identified high-risk vulnerabilities involving patch and configuration controls. Improvements are needed to enhance the security of wireless components to fully comply with the department’s information security policies and better protect TSA’s and Federal Air Marshal Service’s wireless infrastructure against potential risks, threats, and exploits.”