http://www.oregonlive.com/news/oregonian/index.ssf?/xml/story.ssf/html_standard.xsl?/base/front_page/1032782122290112.xml
09/23/02
LES ZAITZ
leszaitzat_private

SALEM -- The state Department of Human Services has systematically neglected computer security for years, leaving Oregon's largest agency vulnerable to hackers and thieving employees who can pay themselves public benefits, according to an internal agency report.

A consultant hired to evaluate the agency's computer safeguards found lapses at every level. State auditors identified similar problems a year ago, and agency leaders then promised to fix them. They still haven't.

"Nothing's been completed," said Cindy Becker, Human Services' chief administrative officer. "We thought we were fixing things that ended up not getting fixed."

Becker's boss, Human Services Director Bob Mink, says that he knows the computers are vulnerable but that he doesn't have the money to plug the leaks and won't do it unless the Legislature comes up with the cash. No one knows how much it will cost.

"I will never divert program money to serve people to take care of these data security issues," Mink said. "We've got security interests competing against service interests."

The agency, with 9,300 employees and a two-year budget of $8.5 billion, serves Oregon's neediest residents. Its computers store personal information on more than 900,000 people who receive state benefits and an unknown number of former recipients. The computers also are used to issue millions of dollars in payments to Oregonians.

Security weaknesses allow outsiders access to much of that information, according to the consultant, Certicom Corp. The consultant said hackers could tap into the computers for identity theft, sabotage or state benefits. Certicom also concluded that state employees can readily get into computer files they don't need for their jobs, allowing privacy breaches or theft. Crooked employees already have cracked the computers.
State auditors highlighted that problem last year, identifying nine instances in which agency employees tapped computers to steal $201,000. In one case, an office clerk making $21,228 a year got $5,917 in state welfare by failing to disclose she had a job. Her employer: the Human Services Department's child welfare agency. When agency officials discovered the theft, they kept the clerk on staff but arranged for her to repay the money: at $20 a month.

Another employee took information from closed client files to open new files and create paperwork to make it look as if clients were getting day-care services from his wife. The employee generated checks totaling $72,618 during 28 months for nonexistent day care. Police and state ethics investigators are examining those cases.

Portions of Certicom's July report recently were released to The Oregonian under the state's public records law. The report echoed concerns raised last year by state auditors, who found that Human Services managers needed to make security a priority to stop employee theft and guard against disclosure of personal information such as medical records.

Agency officials were surprised by what state auditors found. "I wasn't aware how vulnerable we were," Mink, the Human Services director, said in a recent interview.

Mink responded to the August 2001 state audit by pledging to make security a higher priority and to work to plug security breaches. However, Mink said he considers lax security a serious problem but doesn't have the money to fix it. The agency will ask the 2003 Legislature for money, but he and Becker aren't optimistic.

"I don't think there's going to be any type of money for this in the future," Mink said.

The agency set up a task force last month to address security issues, focusing on changes that don't require money. Becker said the agency also might get some help as it meets new federal requirements to safeguard personal information.
An agency proposal for meeting that requirement includes $2.3 million to improve security. Certicom and state auditors said in their separate reports that security is as much an attitude as a computer code.

"Executive management has not made security of its systems a priority," state auditors reported in August 2001. The Certicom report agreed. "Security, over and over again, has been an afterthought," it said.

Certicom described five "absolutely essential" steps to boost security, starting with a basic plan for how to do that. Certicom noted the agency doesn't have staff capable of such planning.

The consulting firm found that the agency's computers are vulnerable to hackers because no security policies are in place, employee passwords are poorly managed, and encryption is inadequate. "This is a textbook case of how computer systems are commonly compromised over the Internet," the report said.

Employees not on guard

The report said the agency's lack of concern about security means employees aren't on guard for potential breaches and could be tricked into allowing outsiders to reach sensitive computers. "Trusting employees are very susceptible to such attacks when security is not forefront on their minds," it noted.

Employees also can compromise agency computers, Certicom concluded. "Motivation can include personal hardship, malice or extortion," the report said. "Targets are most likely to be those that lead to direct personal gain (e.g. unauthorized funds transfers or theft)."

Human Services' computer security problems date to at least 1991, when an internal evaluation was done as the agency planned to shift to new software to secure its electronic files. "The current system doesn't work very well," the report said. "Giving 100 people the same password doesn't amount to very effective security."

The current system deployed by the agency hasn't worked much better. The one employee who understood the security software left three years ago.
Agency officials can't locate him, and no one else understands how the agency's computers have been programmed with the code.

In 1998, state auditors identified security gaps and recommended 22 remedies. Three years later, auditors discovered 14 steps still not finished.

The agency's own auditors in 1999 chronicled the computer security lapses, but the only recommendation followed was to hire a data security manager. Scott Burrows took the job in April 2001, but he was given no budget and no authority to order any changes. He quit two months ago, and agency officials say they have no immediate plans to replace him.

"We got off to a bad start," Becker said. "It's been a stop-and-start thing. It has not gone the way we wanted it to."

-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Sep 24 2002 - 02:50:05 PDT