The MSD computer system

November 4th, 2012 at 11:52 am by David Farrar

Keith Ng blogged on Friday on the report into their security breach. He notes that itself says the report is damning. He quotes the earlier report:

The most pressing security issue discovered is the lack of network separation of segregation within the environment… This introduces an inherent level of risk as it could allow for a member of the public to gain access to MSD network resources and services. Physical network separation is strongly recommended, and the current solution should not be deployed into a production environment before network separation is achieved.

This is the key. If you have them physically separate, then you solve almost all the issues. It is good that Dimension Data recommended this. The massive question for MSD is why this was not implemented.
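The separation the report calls for, shown as an added example (not from the report, MSD or Dimension Data): a Linux firewall between the public kiosk VLAN and the corporate network, where the default is to drop and kiosks may reach only the self-service front end. Interface names and addresses are assumed placeholders.

```shell
#!/bin/sh
# Added example: nftables policy for a firewall sitting between a public
# self-service kiosk VLAN and the corporate network. The interface name and
# addresses below are assumed, not taken from the MSD report.
KIOSK_IF="vlan-kiosk"      # assumed: interface facing the public kiosks
CORP_NET="10.0.0.0/8"      # assumed: corporate address space
KIOSK_APP="10.20.0.10"     # assumed: the only host kiosks may reach

# Emit the ruleset. Default policy is drop, so anything not listed
# (file shares, directory services, staff desktops) is unreachable.
kiosk_ruleset() {
  cat <<EOF
flush ruleset
table inet kiosk_segmentation {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # kiosks may reach the self-service web front end and nothing else
    iifname "$KIOSK_IF" ip daddr $KIOSK_APP tcp dport { 80, 443 } accept
    # every other kiosk packet toward corporate space is logged, then dropped,
    # so attempts to reach internal resources show up in the firewall log
    iifname "$KIOSK_IF" ip daddr $CORP_NET log prefix "kiosk-to-corp-denied " drop
  }
}
EOF
}

# Syntax-check the ruleset without applying it (nft -c), if nft is installed.
check_ruleset() {
  tmp=$(mktemp) || return 1
  kiosk_ruleset >"$tmp"
  if command -v nft >/dev/null 2>&1; then
    nft -c -f "$tmp"
  fi
  rc=$?
  rm -f "$tmp"
  return $rc
}
```

Apply with `kiosk_ruleset | nft -f -` on the firewall host once `check_ruleset` passes.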

So where are we now? Four “employment investigations” are under way. Boyle refused to say anything about these people, so we don’t know their seniority or the nature of their roles. But he did make clear that the decisions didn’t get escalated properly – i.e. Senior managers weren’t involved. He also said that it simply “dropped off the radar” – that it wasn’t a matter of cost-cutting, it was a matter of WTF.

So basically, there is no explanation of why they ignored DiData’s report. Hopefully we’ll find out more once those “employment investigations” are completed and the second phase of the report comes out.

Heads must roll for this. How high up it goes will depend on the facts. I would make the point though that just because it wasn’t escalated to someone doesn’t mean they are in the clear. The question should be whether a particular manager should have asked for a copy of the report and reviewed it themselves. I would expect senior managers in the IT area to be managing risk in this area, and to be maintaining a risk register. This should have been on it, and they should have been asking for reports on it. Now if underlings just neglected to enter this issue on the risk register, then maybe senior management are not culpable. But if senior IT management were not running a risk register, then they face hard questions also.

NBR have the full report.

Also of interest is this Herald story:

Computer terminals used for 13 years by job seekers at Work and Income offices had the same security flaw as the self-service kiosks at the centre of the major privacy breach at Winz.

An independent report has revealed the computers used between 1998 and 2011 were also connected to Ministry of Social Development’s corporate computer network allowing access to private information.

13 years!!


9 Responses to “The MSD computer system”

  1. slijmbal (1,236 comments) says:

    Being a bit pedantic about

    “This is the key. If you have them physically separate, then you solve almost all the issues.”

    It’s not about physical separation as they go on the same network; it’s about separating the network into zones with firewalls (real ones, not the ones on your PC) between them. In fact they cannot be physically separated (and do not need to be) without an enormous cost in dual physical networks, double wiring in every office etc.

    On that though it is an absolute fundamental of network design in a corporate environment to set up such a zone. This really is huge incompetence.

    Though 1/2 the IT Managers you meet don’t understand this stuff and delegate. They should understand the basics though.

  2. tristanb (1,127 comments) says:

    13 years!!

    It’s all John Key’s fault!

  3. joe bloggs (126 comments) says:

    13 years?

    Does that mean…??? Say it isn’t so…….! This was going on under Labour’s watch??? …. throughout the Helengrad era ????… Surely not!

    I wonder if Shearer has a video?

  4. Morgy (172 comments) says:

    Shhh….Say nothing and no one will notice so we can still blame Paula :)

  5. Bill (19 comments) says:

    So,…..if you see the office door is open,……..it’s OK to go in and take boxes of personal files out??

    They should have locked the door, so, it’s their fault??

  6. Manolo (13,774 comments) says:

    Do you really think heads will roll? Maybe a lowly clerk…..

  7. davidp (3,581 comments) says:

    13 years? So when a Jacinda Ardern press release says…

    “It demonstrates an extremely careless and cavalier attitude to New Zealanders’ privacy. The Government has again shown it cannot be trusted to manage the most vital information properly.”

    …She is actually talking about the last Labour government. Ruth Dyson was one of the ministers who cannot be trusted because of her cavalier attitude. Who were the others?

  8. gazzmaniac (2,307 comments) says:

    If it has been going on for years then there could be numerous breaches that didn’t make the media.

    And that’s why we don’t trust the government not to fuck it up.

  9. Steve (North Shore) (4,562 comments) says:

    13 years? When you assume something you could make an arse out of yourself.
    2008: “Mr Civil Servant, is everything ok and running fine?” “Yes Sir, why would you think otherwise?”

    The Public Service is full of lying Liarbore cork soakers
