The State Services Commission has ordered Government CIO Colin MacDonald to undertake an urgent review of all publicly accessible systems operated by the government. A statement sent yesterday evening from Iain Rennie, commissioner and head of State Services, says MacDonald will seek assurances from all government agencies that their current security systems are up to scratch.
“In keeping with the increase in responsibility of his role, the GCIO will lead public service agencies in evaluating and strengthening their ICT security measures to ensure that there are no systematic faults that could cause additional security issues,” says Rennie.
Rennie says that following the Privacy Commission’s report on the handling of leaked ACC information earlier this year, the role of the GCIO will be widened to shore up the security of future IT roll-outs in the government.
“The use of technology to further improve access to public services is essential but this needs to be delivered while ensuring personal information is protected,” says Rennie.
CIO has contacted MacDonald’s office for comment.
Minister Poorly Advised
Yesterday, Ministry of Social Development (MSD) CEO Brendan Boyle announced that his agency may not have acted on the recommendations made by IT company Dimension Data in a security report handed to the ministry in April 2011.
Paula Bennett, Minister of Social Development, confirmed in Parliament that the report from Dimension Data did cover the security flaws first reported on the Public Address blog.
MSD has retained Deloitte to investigate the security flaws with the kiosks, and then to carry out an audit of the ministry's security system and policies. The MSD expects a report within a fortnight.
During question time in Parliament yesterday, Bennett said it would not be possible to determine how many people had accessed sensitive files using one of WINZ’s public kiosks.
Daniel Ayers, founder and director of security company Elementary Solutions, says it should be possible to recover what activities were carried out on the kiosks and that Bennett has been poorly advised if she thinks otherwise.
“If each kiosk computer has its own hard disk then those hard disks can be examined to identify what user activity has occurred, even months or years into the past,” says Ayers.
“If the kiosks don’t have their own hard disk then forensic traces would be left behind on the Ministry’s computer system when a kiosk computer attempts or succeeds in connecting.
“If the minister has been told it isn’t possible maybe it is time the ministry found better investigators and advisors.”
Ayers worked as a senior manager at Deloitte in the late 1990s and helped establish a computer forensics practice at McCallum Petterson, which would later merge with Deloitte. He says he is dubious about how much Deloitte’s investigation will cost and about the two-week time frame given.
He says the report will be basic and will not reveal how compromised MSD’s and the government’s systems truly are, going so far as to release a set of predictions of what the report will contain:
- The network design for the kiosk project was flawed – it did not provide for proper separation between the kiosks and the main ministry computer systems.
- The kiosk computers were included as members of the Active Directory domain when they should have been separate.
- Firewall rules should have prevented kiosk computers from communicating with Ministry internal computer systems.
- The kiosk computers were not properly locked down so as to restrict what members of the public could do.
- Access permissions on internal ministry computer systems were too permissive, meaning that unauthorised persons could access files such as invoices.
- The ministry does not adequately segregate information on its computer systems so that only those staff who require access to various categories of information have that access.
- It should not have been permitted for members of the public to attach USB storage devices (pen drives, etc) to kiosk computers.
- Monitoring of the use of kiosk computers by ministry staff was inadequate.
- The ministry’s computer network does not maintain adequate audit trail information so that investigators can ascertain – after the fact – what activities a computer user has engaged in on ministry computers.
- The ministry is over-reliant on security reviews as a means of ensuring that security risks are addressed.
- The ministry failed to properly address concerns raised in security review reports prepared by external consultants.
“It will be interesting to compare those findings to the Deloitte report, especially in the context of the fees Deloitte charge for their review,” says Ayers.
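Ayers’ point that kiosk activity can be reconstructed after the fact depends on the kind of audit trail his last predictions say the ministry lacked. The following is an added illustration, not code from the article, from Ayers, MSD or Deloitte: it takes a constructed file-server access log, isolates events from an assumed kiosk address range, picks out reads of paths under assumed sensitive shares, and groups each kiosk’s events into sessions to give an investigator a lower bound on how many separate visitors touched those files. The log format, the `10.20.0.0/24` kiosk range, the `\\fs01` share names and the 30-minute session gap are all placeholders chosen for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-server access log (not from the page or the ministry).
# Fields: timestamp, source IP, account, path, action.
SAMPLE_LOG = r"""
2012-10-14T09:02:11 10.20.0.11 KIOSK\public \\fs01\finance\invoices\inv-0001.pdf READ
2012-10-14T09:03:40 10.20.0.11 KIOSK\public \\fs01\finance\invoices\inv-0002.pdf READ
2012-10-14T09:05:02 10.20.0.11 KIOSK\public E:\temp\inv-0002-copy.pdf WRITE
2012-10-14T10:15:30 10.10.5.42 MSD\jsmith \\fs01\finance\invoices\inv-0003.pdf READ
2012-10-14T11:40:12 10.20.0.11 KIOSK\public \\fs01\hr\staff-list.xlsx READ
2012-10-14T11:41:55 10.20.0.12 KIOSK\public \\fs01\finance\invoices\inv-0004.pdf READ
2012-10-14T11:42:10 10.20.0.12 KIOSK\public \\fs01\public\forms\application.pdf READ
"""

# Assumed kiosk address range and sensitive share prefixes (placeholders, not real values).
KIOSK_SUBNET = ipaddress.ip_network("10.20.0.0/24")
SENSITIVE_PREFIXES = (r"\\fs01\finance", r"\\fs01\hr")


def parse_log(text):
    """Parse whitespace-separated log lines into records; malformed lines are skipped."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, account, path, action = parts
        records.append({
            "time": datetime.fromisoformat(ts),
            "ip": ipaddress.ip_address(ip),
            "account": account,
            "path": path,
            "action": action,
        })
    return records


def kiosk_records(records, subnet=KIOSK_SUBNET):
    """Keep only events whose source address lies in the kiosk range."""
    return [r for r in records if r["ip"] in subnet]


def sensitive_accesses(records, prefixes=SENSITIVE_PREFIXES):
    """Events that touched a path under a sensitive share prefix (case-insensitive)."""
    lowered = tuple(p.lower() for p in prefixes)
    return [r for r in records if r["path"].lower().startswith(lowered)]


def sessions_by_kiosk(records, gap=timedelta(minutes=30)):
    """Group each kiosk's events into sessions separated by more than `gap`.

    With a shared public account there is no per-person identity, so the
    session count is only a lower bound on the number of distinct visitors.
    """
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_ip[r["ip"]].append(r)
    result = {}
    for ip, events in by_ip.items():
        sessions = [[events[0]]]
        for ev in events[1:]:
            if ev["time"] - sessions[-1][-1]["time"] > gap:
                sessions.append([ev])
            else:
                sessions[-1].append(ev)
        result[str(ip)] = sessions
    return result


def summarise(text=SAMPLE_LOG):
    """Answer the investigator's questions from the audit trail alone."""
    kiosk = kiosk_records(parse_log(text))
    hits = sensitive_accesses(kiosk)
    sess = sessions_by_kiosk(kiosk)
    return {
        "kiosk_events": len(kiosk),
        "sensitive_paths_touched": sorted(r["path"] for r in hits),
        "sessions_per_kiosk": {ip: len(s) for ip, s in sess.items()},
        "estimated_min_visitors": sum(len(s) for s in sess.values()),
    }


if __name__ == "__main__":
    for key, value in summarise().items():
        print(f"{key}: {value}")
```

On the constructed log this yields six kiosk events, four touches of sensitive paths, two sessions on the first kiosk and one on the second, so at least three separate visitors. The internal user’s read of an invoice is excluded by the address filter, and the write to the kiosk’s local drive is kept as an event but is not counted as a sensitive access; this is the sort of after-the-fact reconstruction that is only possible when source address, account, path and time are all logged and retained.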