Audit raises questions on computer security

A legislative audit in Kansas has raised questions about the security of state computer networks and whether agencies are vulnerable to cyber attacks like a recent one against U.S. government Web sites.

The audit reviewed computer security issues at five state agencies and found some weak password controls and missing security patches for servers. And 39 percent of one unnamed agency’s passwords were cracked within five minutes using free software available on the Internet.

Asked whether other agencies have the same vulnerability, auditor Allan Foster said Friday that the five tested represented a cross-section of state government.

“I would suspect that it’s fairly widespread,” he said.

Officials at several of the agencies said the audit was useful but the issues identified were isolated. They expressed confidence in their security.

Tests were performed on networks for the state pension system, the state treasurer’s office, the court system, the Department of Transportation and the Board of Nursing. The audit did not specify the results for each agency for security reasons.

“They identified some places we could improve,” said Glenn Deck, the pension system’s executive director. “It was helpful.”

Senate Majority Leader Derek Schmidt predicted legislators will discuss further issues raised by the audit.

“This shows that Kansas state government still has a ways to go before it’s tech-savvy and secure,” said Schmidt, an Independence Republican who serves on the committee overseeing auditors’ work. “It doesn’t really matter where the leak in the dike is, what matters is that there are none.”

The audit took about two months and was in the works well before a widespread cyber attack on U.S. and South Korean government Web sites over the Fourth of July weekend. Officials suspect it originated in North Korea.

Anthony Schlinsog, the Kansas Department of Transportation’s bureau chief for computer services, said the agency is increasing password lengths, adjusting a security setting and planning more training because of the audit.

Tara Gillum, spokeswoman for State Treasurer Dennis McKinney, said the audit identified nothing that required an “upheaval” in the office’s computer systems. Kathy Porter, assistant judicial administrator, said the court system does a good job of keeping its systems secure but still welcomed the audit.

“We were happy to have a fresh set of eyes on it,” she said.

Foster said it’s unlikely hackers could steal government funds because of financial controls in state government. But they could access files and personal information if networks aren’t secure enough, he said.