Dimension Data kiosk report released

Report warning of potential failings in the WINZ kiosks is released under the Official Information Act

A security report warning the Ministry of Social Development last year of potential failings in its WINZ kiosks has been released under the Official Information Act.

The OIA request was made by Josh Levent on fyi.org.nz, a site which facilitates public freedom of information requests. Levent asked MSD to release all documents relating to security assessments of its systems. Although the much publicised Dimension Data report was released on 16 November, Levent says his request has not been met.

“Since I requested all reports containing a review of MSD Information Security in the past five years, am I to conclude that this is the only report relating to information security in the past five years in the entire Ministry?” writes Levent on fyi.org.nz.

Security-Assessment.com (SA), which is owned by Dimension Data, conducted a review of MSD’s public facing kiosks in April 2011.

It produced a report for the MSD later that month which highlighted the lack of separation between the public-facing computers and the ministry's corporate environment as a "critical" vulnerability.

SA recommended the immediate separation of the kiosks from the corporate network using a firewall appliance, and further minimising the interaction between the kiosks and MSD's network.

This vulnerability was exploited by journalist Keith Ng, who was able to gain access to restricted files on MSD's network. It was later revealed that organisations with which MSD has a shared IT services agreement, such as CERA and the Children's Commissioner's Office, were also susceptible to having their files accessed.

MSD has not released any information on how many people were able to access these files in the months following the SA report.

Last month MSD CEO Brendan Boyle admitted the ministry was warned by Dimension Data of the security faults, and may have failed to act on that information.

Security-Assessment.com report:

Comments

DonChristie

1

The MSD has also placed the recent Deloitte report up on their website. It is well written and a lesson to all of us on how organisations, particularly large ones, can lose track of things.

One point that is made in the report is that from February 2011 over 120 of MSD's IT staff and management were seconded to the rebuilding of systems to help out in Christchurch. This point is not laboured in the report, but anyone who was remotely involved in things EQNZ and CERA will know what a major and important distraction that would have been in many ways.

MSD have been nicely transparent over this issue, which is a credit to the CEO.

Anonymous

3

When do we see the heads rolling at MSD then? Somebody(s) need to be held accountable and made an example of - there's too much complacency within MSD. Suggest you start with AM.

Anonymous

4

Is it just me or is the bigger issue how such sensitive data was stored on open shares accessible to anyone on the MSD network?

Josh Levent

5

First commenter is right. This is definitely way beyond the kiosks. The lack of basic permission controls on the MSD network is worrying, and the lack of admission of this by MSD is either a stupendous case of head in the sand, or an attempt to stonewall until they can get things cleaned up a bit. I mean, MSD would pretty much have to shut up shop for a while until they get their entire network upgraded if they admitted the massive failure in security policy.

Anonymous

6

This will keep Dimension Data in lunches for the next two years. Well done Nick!

Anonymous

7

It is often said around town that Civil Servants just keep the seat warm and contribute very little.

As a senior manager in the NZ Public IT Sector - I have experienced many long standing personnel more motivated about getting a salary raise and promotion than delivering on the job and focusing on end results.

These are unspoken and difficult issues that need to be addressed forcefully?

There needs to be a lot more transparency, it will be interesting to see how many 'affected employees' were in receipt of compensation payments in excess of 100% ?

In summary, the public sector needs to go through a very tough transformation - too many are just coasting and taking the money, various mafias also need to be eliminated.

Anonymous

8

This was a clear report with clear actions needed. Unfortunately there are hundreds of these sorts of reports from suppliers trying to help out - security related and other ICT recommendations - all lying around government departments right now, getting ignored. Most don't get implemented. Reasons cited include lack of funds, other funding priorities, or just simply too much to do with too little staff; and most of the time blame goes to the govt for cutting budgets. More often than not though, it is quite simply a less than constructive attitude towards vendors trying to help. Too many govt. dept ICT teams sit back and play armchair critics with their suppliers, rather than work together with their suppliers. You can bet the internal response to this report was down to this issue..."DD just wrote a report to support them selling something new to us, but we know better, let's think about it" kind of attitude....

Anonymous 3

9

That was a commissioned report not, and this needs to be stressed, an opinion piece by SA. That means whoever commissioned the report should bear a large measure of the responsibility for not acting on the recommendations.

That said, governance around IT projects is very weak in the state sector (and quite possibly beyond) because IT business analysts have a startling ability to write up the solution before defining the problem, coupled with a range of functional managers (the supposed clients cum owners of these solutions) who have no concept of what the business process they manage is in terms of the underlying business transaction, and where both parties (managers and the BAs) have not been subject to consistent performance-focussed review. Having performed this oversight function for 10 years it can take a while to get answers that are not defensive or self-serving.

I'm surprised this has been the worst of MSD's problems.
