[ISN] KDHE computers at 'high risk'

From: InfoSec News (isn@private)
Date: Fri Oct 24 2003 - 00:34:27 PDT

    http://www.ljworld.com/section/stateregional/story/149509
    
    By Scott Rothschild
    Journal-World 
    October 23, 2003 
    
    Topeka - The state agency in charge of protecting the public's health
    and safety is having trouble protecting its own computers and
    information system, according to an audit released Wednesday.
    
    Operations of the Kansas Department of Health and Environment "were at
    an extremely high risk of fraud, misuse or disruption," auditors with
    the Legislative Division of Post Audit concluded. "Computer data --
    much of it confidential -- was at an equally high risk of loss or
    inappropriate disclosure."
    
    KDHE is a large regulatory agency that collects records and
    information about Kansans on everything from child-care licensing to
    vital statistics. The agency is the leader for dealing with hazardous
    wastes, epidemics, immunizations and, most recently, the state's
    bioterrorism program. It is the official custodian of Kansas birth
    certificates.
    
    The problems with security of information at KDHE were so severe that
    auditors met Aug. 14 with KDHE Secretary Rod Bremby to go over their
    initial findings. That was an unusual measure because auditors
    normally disclose the audit findings to agencies when their reports
    are in final draft.
    
    Auditors found that KDHE's computers easily could be breached by
    hackers, its computer anti-virus system was "badly flawed" and its
    security systems were generally inadequate or missing.
    
    Using standard password-cracking software, auditors recovered more
    than 1,000 employee passwords, about 60 percent of the total, in three
    minutes. Ninety percent of the passwords were cracked within 11 hours.
    
    Given the simple pattern of KDHE computer passwords, current or former
    employees would have been able to log onto any computer.
    
    "This weakness put the entire network and all agency data at severe
    risk," auditors reported.
    
    During one lunch hour, auditors easily walked into empty offices where
    computers were logged on to the network and unlocked.
    
    The audit also revealed that many agency computers were infected with
    computer viruses that could send files and passwords to computer
    addresses outside the agency, and some 200 computers had no anti-virus
    software installed.
    
    As for disaster recovery, the audit said, KDHE had developed a plan in
    1999 to continue operations through Y2K but had not updated that
    contingency plan since. The plan left over from Y2K "would be nearly
    useless in an ordinary disaster," the audit said.
    
    After meeting with auditors, KDHE officials "acted strongly and
    swiftly to address these problems," according to the audit report.
    
    KDHE hired a new security officer, increased controls on computers,
    beefed up training of employees and hired a consultant to help with
    security. But the auditors said that KDHE still had a long way to go.
    
    Even so, just days after the Aug. 14 meeting, the Sobig computer virus
    that spread worldwide infected the KDHE computers, forcing the agency
    to temporarily shut down the external e-mail systems.
    
    Bremby said that he agreed with the audit's findings and
    recommendations and that he hoped to have an action plan to give to
    the Legislative Division of Post Audit by January.
    
    "Each employee will be informed that they are personally a part of the
    KDHE security team, that they are responsible and do make a
    difference," he said.
    
    
    -
    ISN is currently hosted by Attrition.org
    
    This archive was generated by hypermail 2b30 : Fri Oct 24 2003 - 03:28:43 PDT