http://www.edmontonsun.com/News/Alberta/2007/10/02/4544253.html

By Jeremy Loome
Legislature Bureau
October 2, 2007

Security holes at Alberta's government offices and educational institutions contributed to computer network breaches at Alberta Health and Grant MacEwan College, according to the Auditor General.

They were the most serious among dozens of security protocol issues at just about every level of government and the education community. In many, the breaches were as simple as not having proper password policies in place.

But in the cases of MacEwan College and the health department, the breaches potentially exposed their networks; the former left unfettered internet access to private financial documents, while the latter logged unknown, unauthorized connections during occasional security checks.

It's impossible to tell in either case whether important personal information was stolen. But even if there wasn't direct theft, the breaches could have opened up both systems to the litany of tools hackers have to get more information, and more network access.

If the breach was from a wireless network hub, for example, it could be used to set up a ghost site that looks like it belongs to the department but is simply there to skim information. People connecting to the wireless hub would then actually be connecting to the hacker's machine.

"What we were referring to in (the health department's) cases were the existence of unauthorized devices on the network at some point, and given that it was after the fact, you can't tell what the devices were," said Viveck Dharap, the executive director of information systems audit for the AG's office. "The issue then becomes is it (a hub) that was broadcasting, which you could then use to capture information and breach the network."

MacEwan's problem may have been even more dangerous: a software glitch led to internal financial journals containing personal information and credit card numbers being accessed externally through the college's website.

The problem only occurred for a couple of months in 2005-2006 and was corrected once identified by auditor general investigators, said college spokesman Gord Turtle.

"It was looked into and there was no evidence that the personal information was used, and we never got any complaints," he said. "But I'm not trying to minimize the concerns."

The problem briefly reoccurred last year when the site was available from within the college but to staff who shouldn't have had access. That was a common problem at several institutions, such as the University of Calgary and the Alberta Cancer Board, where former staff could still access their networks using their old passwords.

At Alberta Health, the department actually found the unauthorized access records during occasional checks. It has agreed to fully automate the system so it will know much more quickly if a breach occurs, said spokesperson Shannon Haggerty.

Dharap said public bodies still don't quite understand how important information technology security is.

"It is a recurring theme throughout the report in that most of those we audited had concerns over the security of IT and access," he said. "And the common recommendation was the need to have a control framework in place. In many cases they have informal systems and practices but without a proper control framework they don't have any guarantees."

Liberal critic Laurie Blakeman called the security concerns frustrating, because the auditor has been telling the government this for a number of years.
This archive was generated by hypermail 2.1.3 : Tue Oct 02 2007 - 23:27:27 PDT