Information Security News mailing list archives

KDHE computers at 'high risk'


From: InfoSec News <isn () c4i org>
Date: Fri, 24 Oct 2003 02:34:27 -0500 (CDT)

http://www.ljworld.com/section/stateregional/story/149509

By Scott Rothschild
Journal-World 
October 23, 2003 

Topeka - The state agency in charge of protecting the public's health
and safety is having trouble protecting its own computers and
information system, according to an audit released Wednesday.

Operations of the Kansas Department of Health and Environment "were at
an extremely high risk of fraud, misuse or disruption," auditors with
the Legislative Division of Post Audit concluded. "Computer data --
much of it confidential -- was at an equally high risk of loss or
inappropriate disclosure."

KDHE is a large regulatory agency that collects records and
information about Kansans on everything from child-care licensing to
vital statistics. The agency is the leader for dealing with hazardous
wastes, epidemics, immunizations and, most recently, the state's
bioterrorism program. It is the official custodian of Kansas birth
certificates.

The problems with security of information at KDHE were so severe that
auditors met Aug. 14 with KDHE Secretary Rod Bremby to go over their
initial findings. That was an unusual measure because auditors
normally disclose the audit findings to agencies when their reports
are in final draft.

Auditors found that KDHE's computers easily could be breached by
hackers, its computer anti-virus system was "badly flawed" and its
security systems were generally inadequate or missing.

Using standard password-cracking software, auditors recovered more than
1,000 employee passwords, about 60 percent of the total, in three
minutes. Ninety percent of the passwords were cracked within 11 hours.

Given the simple pattern of KDHE computer passwords, current or former
employees would have been able to log onto any computer.

"This weakness put the entire network and all agency data at severe
risk," auditors reported.

During one lunch hour, auditors easily walked into empty offices where
computers were logged on to the network and unlocked.

The audit also revealed that many agency computers were infected with
computer viruses that could send files and passwords to computer
addresses outside the agency, and some 200 computers had no anti-virus
software installed.

The audit also found that KDHE's only contingency plan for continuing
operations after a disaster was one developed in 1999 for Y2K, and the
agency hadn't updated it since then. That plan leftover from Y2K "would
be nearly useless in an ordinary disaster," the audit said.

After meeting with auditors, KDHE officials "acted strongly and
swiftly to address these problems," according to the audit report.

KDHE hired a new security officer, increased controls on computers,
beefed up training of employees and hired a consultant to help with
security. But the auditors said that KDHE still had a long way to go.

Indeed, just days after the Aug. 14 meeting, the Sobig computer virus
that spread worldwide infected the KDHE computers, forcing the agency
to temporarily shut down its external e-mail systems.

Bremby said that he agreed with the audit's findings and
recommendations and that he hoped to have an action plan to give to
the Legislative Division of Post Audit by January.

"Each employee will be informed that they are personally a part of the
KDHE security team, that they are responsible and do make a
difference," he said.


