[ISN] Computer security lax at some government offices: auditor
InfoSec News
alerts at infosecnews.org
Wed Oct 3 01:02:55 CDT 2007
http://www.edmontonsun.com/News/Alberta/2007/10/02/4544253.html
By Jeremy Loome
Legislature Bureau
October 2, 2007
Security holes at Alberta's government offices and educational
institutions contributed to computer network breaches at Alberta Health
and Grant MacEwan College, according to the Auditor General.
They were the most serious among dozens of security protocol issues at
just about every level of government and the education community. In
many, the breaches were as simple as not having proper password policies
in place.
But in the cases of MacEwan College and the health department, the
breaches potentially exposed their networks; the former left unfettered
internet access to private financial documents, while the latter logged
unknown, unauthorized connections during occasional security checks.
It's impossible to tell in either case whether important personal
information was stolen. But even if there wasn't direct theft, the
breaches could have opened up both systems to the litany of tools
hackers have to get more information, and more network access.
If the breach was from a wireless network hub, for example, it could be
used to set up a ghost site that looks like it belongs to the department
but is simply there to skim information. People connecting to the
wireless hub would then actually be connecting to the hacker's machine.
"What we were referring to in (the health department's) cases were the
existence of unauthorized devices on the network at some point, and
given that it was after the fact, you can't tell what the devices were,"
said Viveck Dharap, the executive director of information systems audit
for the AG's office.
"The issue then becomes is it (a hub) that was broadcasting, which you
could then use to capture information and breach the network."
MacEwan's problem may have been even more dangerous: a software glitch
led to internal financial journals containing personal information and
credit card numbers to be accessed externally through the college's
website.
The problem only occurred for a couple of months in 2005-2006 and was
corrected once identified by auditor general investigators, said college
spokesman Gord Turtle.
"It was looked into and there was no evidence that the personal
information was used, and we never got any complaints," he said. "But I'm
not trying to minimize the concerns."
The problem briefly reoccurred last year when the site was available
from within the college but to staff who shouldn't have had access. That
was a common problem at several institutions, such as the University of
Calgary and the Alberta Cancer Board, where former staff could still
access their networks using their old passwords.
At Alberta Health, the department actually found the unauthorized access
records during occasional checks. It has agreed to fully automate the
system so it will know much more quickly if a breach occurs, said
spokesperson Shannon Haggerty.
Dharap said public bodies still don't quite understand how important
information technology security is.
"It is a recurring theme throughout the report in that most of those we
audited had concerns over the security of IT and access," he said. "And
the common recommendation was the need to have a control framework in
place. In many cases they have informal systems and practices but without
a proper control framework they don't have any guarantees."
Liberal critic Laurie Blakeman called the security concerns frustrating,
because the auditor has been telling the government this for a number of
years.