Heads must roll

November 20th, 2012 at 4:00 pm by David Farrar

David Fisher at NZ Herald reports:

The security review into problems at the public computer kiosks run by the Social Development ministry raised identical problems to those exposed by a blogger 18 months later.

Keith Ng’s discovery of private information sitting on publicly-accessible hard drives was an almost exact match for the April 2011 report by a security company hired to find problems.

The security-assessment.com report found the connection between the corporate computers and public kiosks – planned for offices across the country – was dangerous.

“This lack of separation means that the kiosk terminal has the same level of authority and access as corporate MSD employees.”

It went on to say it created an “inherent level of as it could allow for a member of public to gain access to MSD network resources and services”. …

The type of information at risk was also revealed in the April 2011 security report. It raised concerns about medical information, drug testing results and recorded calls to MSD’s helpdesk as being openly available.

It recommended taking “urgent” action to restrict access.

“A malicious user with access to the operating system of the kiosk is able to gain access to sensitive information kept with the MSD network including medical and drug test results,” it stated.

The review into the problem, released three weeks ago, showed senior managers were not told about the problem.

The April 2011 report was ignored until Mr Ng revealed the holes in MSD’s system.

The staff who were aware of this report and did nothing, clearly must be goneburger – subject to natural justice.

But that does not mean more senior managers are exempt. They may not have known of the recommendations in the report, but were they aware of the fact a report was commissioned? Or were they totally in the dark as to the fact there had even been an issue with the kiosks?

And even if they were totally in the dark, then the question for the senior managers is whether they had a risk reporting framework in place, which required risks such as those identified in the security report to be recorded in a risk register which is reviewed by senior management. If they did not have a comprehensive risk reporting framework in place, then they should consider their own positions.

It is possible that MSD did have a comprehensive risk reporting and mitigation framework in place, and the four staff involved just ignored it. If that is the case, then liability may stop with those staff directly involved. We won’t know until the disciplinary processes are concluded and the full report on why nothing happened is released.


7 Responses to “Heads must roll”

  1. anonymouse (695 comments) says:

    “This lack of separation means that the kiosk terminal has the same level of authority and access as corporate MSD employees.”

    But the bigger issue is the entire network architecture of the MSD network,

    There is no reason that all corporate MSD employees should have had access to these documents that contained significant amounts of confidential information.

  2. lastmanstanding (1,210 comments) says:

    The concept of risk in the civil service is non-existent. Like they have no risk of losing their job. Like they can and do white-ant their Ministers (most are Lefties).
    Like no one’s to blame, and if you call for heads to roll you are accused of having a blame culture. The civil service is neither civil nor does it offer a service. It’s just a great big hole sucking taxpayers’ money.

  3. Brian Harmer (686 comments) says:

    My belief from talking to IT people in the civil service is that the original risk-free concept of an entirely isolated network for the kiosks was swatted down at the highest levels as unaffordable. The blame (if that’s the game we are playing) belongs with those who put the techies in the impossible position of being required to produce first-class security while providing fourth-class funding. Cheap/good … choose one.

  4. scrubone (3,050 comments) says:

    If what Brian says is true then it comes back to anonymouse’s point – setting up a subnetwork should not cost, unless your infrastructure is so primitive that that’s not possible in the first place.

    But the failure here still boggles my mind. The “hack” is quite literally the first thing I’d check if someone told me to test the security.

    I’ve met the sort of moron that builds systems like this. All flash talk and no technical nous worth a damn. The sort of person who gets promoted far above their actual expertise because they say the right things.

  5. Gerrit (105 comments) says:

    Would really like to see the original independent security audit report to see if the security access was reported as closed.

    For if it was then we have a conspiracy problem.

    Techies created a secure system for the kiosks, independent auditors did not find it open, but someone after the audit changed the settings to enable access.

    I would question how often the system was independently audited against the original report. Who had access to the security of the system and how were the changes made approved and recorded.

    For it is easy to set up a secure system, have independent auditors agree and sign off as it being secure but still have any techie with access and ability to reset the security levels at a later date.

    No regular security review audits and the system is opened up by anyone with malicious intent.

    Conspiracy? Possibly.

    We need to know the original security audit report findings, the frequency of follow up audits plus terms of reference for the follow up audits. Now that would be interesting.

    Wonder how many private and state organizations run full security audits versus the original setup?

  6. mikenmild (10,766 comments) says:

    ‘The staff who were aware of this report and did nothing, clearly must be goneburger – subject to natural justice.’
    LOL – do you even know what natural justice is? Maybe you learned it from Alice in Wonderland: ‘Sentence first; verdict afterwards!’

  7. Kevin (1,122 comments) says:

    It was clearly a hack. Just because some IT professionals managed to hack it 18 months before doesn’t make it any less a hack.

    Known hackers found an easy portal. They were looking for something and didn’t find it, or just wanted to embarrass the government. Sob… sob… lost opportunities.
