​

WHEN THE ZOTOB WORM appeared only days after Microsoft released a patch that would have prevented infection, 700 Department of Transportation (DOT) computers were infected after a contractor connected a laptop to the DOT’s network against the department’s policy. This incident, which is recounted in a report on the department’s IT security by the DOT’s Inspector General (IG), is just one indication that some federal IT professionals are having trouble in meeting the challenges of locking down networks.

Here’s another. The IG notes that “about half of all Federal Railroad Administration computers are not subject to routine vulnerability checks because they are being used by employees who telecommute (or travel around the country) for the majority of the year.” As is made clear by the Zotob example, these laptops, “if infected with hostile software, could become conduits for spreading problems to the rest of the networks.”

The IG writes that the department’s 12 Operating Administrations (OAs) were given baseline security standards last year for configuring computers using Windows Server, Linux, Solaris, Cisco routers, and wireless devices. “However, there is little assurance that these security standards have been implemented due to the lack of enforcement.” For example, last summer the DOT’s Office of the CIO requested the OAs for an update on efforts to meet these standards. Only four OAs actually replied, and one of them (the Federal Railroad Administration, or FRA, again) reported that only 29 percent of Windows servers, and only 17 percent of its computers running Linux, were in compliance.

It will come as no surprise, then, to learn that auditors were able to gain root access at FRA “over a critical file server, desktop computers, and a network switch,” thus allowing them to access sensitive data. “Given the interconnectivity among all DOT networks, this security lapse also puts other Departmental systems at risk,” the report notes.