http://www.duluthsuperior.com/mld/duluthsuperior/news/local/13356945.htm

BY PATRICK SWEENEY AND LESLIE BROOKS SUZUKAMO
ST. PAUL PIONEER PRESS
Dec. 08, 2005

ST. PAUL - Minnesotans' personal information stored on the state's large mainframe computers - including tax return information and bank account numbers - is at risk of being stolen, the Legislative Auditor said Wednesday.

An audit conducted in October exposed a variety of vulnerabilities in the mainframe computers, including a lack of basic security features such as eliminating passwords for former employees. The investigation was the latest of three security audits since 2000 that found that, despite some recent improvements, personal information held by the state is "still vulnerable to loss, tampering and unauthorized disclosure."

The audit found no evidence that computer hackers or state employees have stolen any of that data. But the auditors did not look for that kind of evidence, and one of the chief investigators for the auditing team said a disgruntled employee could download information from the system into a portable storage device without detection.

As part of the audit, the investigators performed such a download to prove that it could be done, said Chris Buse, information technology audit manager. No personal information was compromised in the test, he said.

Legislative Auditor Jim Nobles told a House-Senate commission that his staff found many shortcomings in the state's security practices for mainframe computers in the state's main data center that store driver's license information, process tax returns and maintain eligibility data on Minnesotans who receive welfare payments or state-subsidized health care.

Most of the audit focused on the potential for a few thousand state employees or subcontractors with access to the computer systems to misuse their passwords and, from their offices or homes, penetrate databases beyond their job responsibilities.
The audit also found a few ways outside hackers could enter the systems. "There are avenues of access that people can find, and they don't have to be inside the system," Nobles said.

The problems within the state system are not uncommon for companies with large computer systems, but their wide scope troubled one corporate security expert.

"If I was a person sitting in my chair at home, I'd be pretty alarmed," said Rick Greenwood, the chief technology officer at Roseville-based Shavlik Technologies, a company that sells software that helps large companies patch and protect their networks from computer viruses and worms.

The state of the art for computer security is constantly changing, but some of the problems uncovered -- such as leaving passwords unchanged after an employee stops working for the state -- were particularly troubling, Greenwood said.

The problems with managing passwords were fixed as soon as they were pointed out, said Steve Stedman, the state's chief technology officer. However, the state still has no automated way of turning off passwords after a worker leaves, so there's a lag, he said.

Gopal Khanna, who was hired as Minnesota's chief information officer last summer, said he assumes hackers routinely try to break into the state's computers. But he said he knew of no instances in which computer surveillance systems detected successful intrusions.

Minnesota's Web-based vehicle license tab renewal system was shut down in April after another legislative audit found security shortcomings.

"While we may disagree with the magnitude of actual risk involved with some of the audit findings and recommendations at a detail level, we accept that the major thrust of the Office of Legislative Auditor report is, on the whole, an accurate assessment," Khanna said.
Khanna said that he is moving toward hiring a high-level chief information security officer to oversee access to all the state's computer systems, and that he is preparing an action plan on information security that he will present to state officials by the end of January.

Khanna emphasized that his office takes the security questions seriously and is studying ways to safeguard not just the mainframe computers but the state's sprawling network of servers.

Both Nobles and Buse warned legislators Wednesday that they will have to be prepared to pay more, particularly in salaries for information security experts, to safeguard computerized data.

Problems cited in the most recent audit report include:

* Too many state employees have security clearances that give them wide access across multiple state computer systems.

* Too many employees have key cards that allow them physical access to mainframe computers.

* Some computer accounts allow users access to data without passwords, and software programs that require passwords to be changed regularly are sometimes bypassed.

* State employees working from home receive unencrypted data, making it easier for hackers to steal. Computer users, in at least one case, did not change the default password supplied with a software product, making the software easily accessible to hackers.

Buse said it is not possible for state officials to shut down most of the computer systems at risk, as they had with the online license tab renewal system. "The guts of government run on these machines," he said.

© 2005 Duluth News Tribune and wire service sources. All Rights Reserved.
This archive was generated by hypermail 2.1.3 : Thu Dec 08 2005 - 23:20:38 PST