Information Security News mailing list archives

Computers vulnerable at Oregon department


From: InfoSec News <isn () c4i org>
Date: Tue, 24 Sep 2002 01:31:09 -0500 (CDT)

http://www.oregonlive.com/news/oregonian/index.ssf?/xml/story.ssf/html_standard.xsl?/base/front_page/1032782122290112.xml

09/23/02
LES ZAITZ 
leszaitz () news oregonian com 

SALEM -- The state Department of Human Services has systematically
neglected computer security for years, leaving Oregon's largest agency
vulnerable to hackers and thieving employees who can pay themselves
public benefits, according to an internal agency report.

A consultant hired to evaluate the agency's computer safeguards found
lapses at every level. State auditors identified similar problems a
year ago, and agency leaders then promised to fix them.

They still haven't.

"Nothing's been completed," said Cindy Becker, Human Services' chief
administrative officer. "We thought we were fixing things that ended
up not getting fixed."

Becker's boss, Human Services Director Bob Mink, says that he knows
the computers are vulnerable but that he doesn't have the money to
plug the leaks and won't do it unless the Legislature comes up with
the cash. No one knows how much it will cost.

"I will never divert program money to serve people to take care of
these data security issues," Mink said. "We've got security interests
competing against service interests."

The agency, with 9,300 employees and a two-year budget of $8.5
billion, serves Oregon's neediest residents.

Its computers store personal information on more than 900,000 people
who receive state benefits and an unknown number of former recipients.
The computers also are used to issue millions of dollars in payments
to Oregonians.

Security weaknesses allow outsiders access to much of that
information, according to the consultant, Certicom Corp. The
consultant said hackers could tap into the computers for identity
theft, sabotage or state benefits.

Certicom also concluded that state employees can readily get into
computer files they don't need for their jobs, allowing privacy
breaches or theft.

Crooked employees already have cracked the computers.

State auditors highlighted that problem last year, identifying nine
instances in which agency employees tapped computers to steal
$201,000. In one case, an office clerk making $21,228 a year got
$5,917 in state welfare by failing to disclose she had a job. Her
employer: the Human Services Department's child welfare agency. When
agency officials discovered the theft, they kept the clerk on staff
but arranged for her to repay the money: at $20 a month.

Another employee took information from closed client files to open new
files and create paperwork to make it look as if clients were getting
day-care services from his wife. The employee generated checks
totaling $72,618 during 28 months for nonexistent day care.

Police and state ethics investigators are examining those cases.

Portions of Certicom's July report recently were released to The
Oregonian under the state's public records law.

The report echoed concerns raised last year by state auditors, who
found that Human Services managers needed to make security a priority
to stop employee theft and guard against disclosure of personal
information such as medical records.

Agency officials were surprised by what state auditors found. "I
wasn't aware how vulnerable we were," Mink, the Human Services
director, said in a recent interview.

Mink responded to the August 2001 state audit by pledging to make
security a higher priority and to work to plug security breaches.

However, Mink said he considers lax security a serious problem but
doesn't have the money to fix it. The agency will ask the 2003
Legislature for money, but he and Becker aren't optimistic.

"I don't think there's going to be any type of money for this in the
future," Mink said.

The agency set up a task force last month to address security issues,
focusing on changes that don't require money. Becker said the agency
also might get some help as it meets new federal requirements to
safeguard personal information. An agency proposal for meeting that
requirement includes $2.3 million to improve security.

Certicom and state auditors said in their separate reports that
security is as much an attitude as a computer code. "Executive
management has not made security of its systems a priority," state
auditors reported in August 2001.

The Certicom report agreed. "Security, over and over again, has been
an afterthought," it said.

Certicom described five "absolutely essential" steps to boost
security, starting with a basic plan for how to do that. Certicom
noted the agency doesn't have staff capable of such planning.

The consulting firm found that the agency's computers are vulnerable
to hackers because no security policies are in place, employee
passwords are poorly managed, and encryption is inadequate.

"This is a textbook case of how computer systems are commonly
compromised over the Internet," the report said.

Employees not on guard

The report said the agency's lack of concern about security means
employees aren't on guard for potential breaches and could be tricked
into allowing outsiders to reach sensitive computers.

"Trusting employees are very susceptible to such attacks when security
is not forefront on their minds," it noted.

Employees also can compromise agency computers, Certicom concluded.

"Motivation can include personal hardship, malice or extortion," the
report said. "Targets are most likely to be those that lead to direct
personal gain (e.g. unauthorized funds transfers or theft)."

Human Services' computer security problems date to at least 1991, when
an internal evaluation was done as the agency planned to shift to new
software to secure its electronic files.

"The current system doesn't work very well," the report said. "Giving
100 people the same password doesn't amount to very effective
security."

The current system deployed by the agency hasn't worked much better.
The one employee who understood the security software left three years
ago. Agency officials can't locate him, and no one else understands
how the agency's computers have been programmed with the code.

In 1998, state auditors identified security gaps and recommended 22
remedies. Three years later, auditors discovered 14 steps still not
finished.

The agency's own auditors in 1999 chronicled the computer security
lapses, but the only recommendation followed was to hire a data
security manager. Scott Burrows took the job in April 2001, but he was
given no budget and no authority to order any changes. He quit two
months ago, and agency officials say they have no immediate plans to
replace him.

"We got off to a bad start," Becker said. "It's been a stop-and-start
thing. It has not gone the way we wanted it to."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
