Information Security News mailing list archives

Security documents at risk on federal site: Audit


From: InfoSec News <isn () c4i org>
Date: Mon, 17 Feb 2003 03:16:59 -0600 (CST)

http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1035777852292&call_pageid=968332188854&col=968705899037/

Feb. 16, 2003. 06:08 PM 
FROM CANADIAN PRESS

In a major security breach, Transport Canada posted up to 5,000
confidential documents - some related to airport security - on a
widely accessible database that is vulnerable to hackers, a new audit
has found.

"The scale of error represents a significant contravention of
government information security and privacy policy," says the internal
audit of the department's new information system.

The investigation determined that about one of every 10 documents in
the department's giant database was confidential and should not have
been available to every staff member in Transport Canada.

The database is also likely susceptible to determined hackers, putting
at risk between 4,000 and 5,000 items - including many secret
documents that could harm Canada's national interests if disclosed.

"Notable . . . were documents dealing with airport security matters
subsequent to the September terrorist attacks" of 2001, says the
report, citing an example.

In one sampling, investigators readily obtained 17 national security
documents marked "Secret" that could be easily viewed and printed.

The audit report, dated Nov. 19, 2002, was obtained under the Access
to Information Act.

The report examines Transport Canada's new records management system,
developed over two years and completed last fall. The department is
among the first of 33 federal institutions that will eventually use
the system to cope with the avalanche of paper civil servants produce
each year.

The government-wide project is being managed by Treasury Board.

The system was originally intended to have an encryption system that
would protect confidential material, but the additional software was
never developed for reasons that remain unclear.

Transport Canada employees nevertheless loaded the database with a
vast amount of confidential material, including secret records
detailing cabinet discussions, proposed legislation and national
security matters.

"Documents classified as secret would endanger national security,
cause serious injury to the interests or prestige of the nation, or
give substantial advantage to a foreign power," the report notes.

The auditors found that Transport Canada officials rejected a proposal
to instruct employees about the security classification of documents
because it would have taken too much time. Instead, the department
simply sent out an e-mail in late 2001 calling on them to be mindful
of security designations.

However, the auditors suggested lack of training was only part of the
problem - many confidential documents appeared to have been posted out
of carelessness.

Citing several research studies, the report says Ottawa's "Government
On-Line" initiative could provide hackers with a window to illegally
tap into sensitive databases. "Transport Canada's vulnerability to
this type of access is likely similar," the authors wrote.

Transport Canada officials were aware of the hacker threat as they
implemented the new system but took no action, the report says.

Spokesmen for the department did not respond to requests for comment
on the findings of the audit.

However, in a written response to the report, Transport Canada
officials said they have since purged the database of confidential
materials. The department also says it is conducting a threat and risk
assessment to determine its vulnerability to hackers.



-
ISN is currently hosted by Attrition.org
