Archive for Thursday, December 13, 2012

Audit questions sufficiency of security on state computers

December 13, 2012, 12:36 p.m. Updated December 13, 2012, 1:41 p.m.


— Kansas doesn’t do enough to secure computer systems used by its state government, making confidential information vulnerable to hackers, a legislative audit said Thursday.

Auditors said their review of practices, computer systems and employee training at nine state agencies showed significant security weaknesses. Their report, presented to legislators, said none of the agencies had done a comprehensive assessment of computer security risks, and auditors were able to crack a significant number of employee passwords at six of them.

The audit said the agencies were reviewed because of the amount of confidential information in their electronic files, including Social Security numbers, data from tax returns and data identifying individuals. The report also said the state provides only limited oversight of agencies’ security controls.

“Some agencies are responsible for protecting millions of confidential records, which makes them a potentially enticing target for hackers,” the audit said.

The public report did not identify specific problems at individual agencies. The 10-member legislative committee that oversees the Legislative Division of Post Audit’s work had a closed session to review confidential reports on each agency, however.

The agencies reviewed included the departments of Commerce, Corrections, Education, Labor and Revenue. The list also included the state treasurer’s office, Juvenile Justice Authority, Board of Indigents’ Defense Services and Department of Wildlife, Parks and Tourism.

“Most agencies’ IT security controls we reviewed were not strong enough to help ensure that confidential information was adequately protected,” the auditors said in their public report.

In a response to the audit, John Byers, the executive branch’s chief computer security official, said decentralization of state computer systems has contributed to security problems and his office is working to address such issues. Gov. Sam Brownback’s administration now has one office overseeing management of all executive branch computer systems.

Revenue Secretary Nick Jordan said in his formal response that his agency has addressed some of the issues raised in the report and “has a solid plan to address all within 6 months.”

Sen. Mary Pilcher-Cook, a Shawnee Republican and chairwoman of the audit committee, said Brownback’s administration is working to address the issues raised in the report. Committee member Terry Bruce, a Hutchinson Republican and the incoming Senate majority leader, said the report changed some officials’ attitudes toward security issues.

“There were some who, they just never took it seriously,” Bruce said, declining to be more specific after the closed meeting. “They’re now correcting that.”

Audit committee member and Rep. John Grange, an El Dorado Republican, acknowledged that agencies probably can and should improve computer security. But he questioned whether the audit overstated the danger, saying the state has yet to see major security problems.

“What does the finding mean?” he said during a break in the committee’s closed meeting. “Does it have any impact on operations?”

The audit said seven of the agencies that were reviewed didn’t force employees to change passwords frequently enough, without recycling passwords. Eight of the nine used weak encryption to store passwords, and four didn’t have settings to lock computer users out after failed attempts to log in.

In addition, one unnamed agency improperly told its staff that it was OK to share their passwords with information technology staff, and another directed employees to give their passwords to supervisors and IT staff.

The agencies also generally did an inadequate job of patching software, and seven of the nine didn’t provide strong enough security training, the auditors said.

“Even agencies that provided regular security training had staff who did not fully understand several critical IT security risks,” the report said.


fan4kufootball 5 years, 5 months ago

Nice - announce to the whole world and paint a target.

verity 5 years, 5 months ago

" . . . saying the state has yet to see major security problems."

Dumb statement for the day. All is takes is one breach. And, yes, there have been security problems in the past. KU wasn't mentioned as being audited but I know security has been breached there.

KiferGhost 5 years, 5 months ago

Surely if we pray hard enough that will fix it.

Cait McKnelly 5 years, 5 months ago

I wonder how much of this has to do with the fact that Anonymous successfully blocked Karl Rove from stealing Ohio (and thus the election) last month? Maybe Brownback is waking up to the fact that there are people out there that can pull a Julian Assange on him? (Oh my god, I would LOVE that. Get a few of those private e-mails between Sammy and David.)
So did the state ever get a new IT director whose degree didn't come out of a Cracker Jack box?

sciencegeek 5 years, 5 months ago

There are people who work in computer security for the state are well aware of the shortcomings shown by this audit, and what is needed to remedy them. Unfortunately, they aren't allowed to implement required changes for several reasons:

  1. Upper management doesn't want to be bothered with security. Using secure passwords and changing them regularly is too much hassle. So, they insist that the security measures be lifted, and they get their way.
  2. State employees are allowed to bypass state systems altogether if they so choose. Again, this is largely because managers and political appointees can dictate to the security professionals. The governor himself doesn't use the secured state email (although that may be more to dodge Request for Information rules than to avoid security measures).
  3. There are automated measures to tighten security holes, but those cost money, and security isn't considered important enough, especially not with the cuts already made and those proposed for the future.
  4. Staffing levels were never adequate, and have been cut massively in the last two years. Those remaining could be more productive if allowed to use efficiency software, but have to do too much monitoring manually (see #3).
  5. Security training for staff is a known shortcoming, but providing it takes time, money and people, and there isn't enough to keep the infrastructure running adequately (see #3).
  6. Until there's a major security breach, it's easy to ignore the warnings of security staff. Considering the limitations they work under, it's a miracle it hasn't happened already. Or maybe it has, but hasn't been discovered yet; that's the worst kind.

As long as the rules can't be enforced, be it because of funding or policy, don't be surprised when anarchy reigns. It's what the hackers are counting on.

ksrover 5 years, 5 months ago

You hit the nail on the head. Reactive, not proactive policies. And it's not just the state.

Commenting has been disabled for this item.