Govt CIO to review publicly accessible systems
- 15 October, 2012 22:00
The State Services Commission has ordered Government CIO Colin MacDonald to undertake an urgent review of all publicly accessible systems operated by the government.
A statement sent yesterday evening by Iain Rennie, commissioner and head of State Services, says MacDonald will seek assurances from all government agencies that their current security systems are up to scratch.
“In keeping with the increase in responsibility of his role, the GCIO will lead public service agencies in evaluating and strengthening their ICT security measures to ensure that there are no systematic faults that could cause additional security issues,” says Rennie.
Rennie says that, following the Privacy Commission’s report on the handling of leaked ACC information earlier this year, the role of the GCIO will be widened to shore up the security of future government IT rollouts.
“The use of technology to further improve access to public services is essential but this needs to be delivered while ensuring personal information is protected,” says Rennie.
CIO has contacted MacDonald’s office for comment.
Minister Poorly Advised
Yesterday, Ministry of Social Development (MSD) CEO Brendan Boyle announced that his agency may not have acted on the recommendations made by IT company Dimension Data in a security report handed to the ministry in April 2011.
Paula Bennett, Minister of Social Development, confirmed in Parliament that the report from Dimension Data did cover the security flaws first reported on the Public Address blog.
MSD has retained Deloitte to investigate the security flaws with the kiosks, and then to carry out an audit of the ministry's security system and policies. The MSD expects a report within a fortnight.
During question time in Parliament yesterday, Bennett said it would not be possible to determine how many people had accessed sensitive files using one of WINZ’s public kiosks.
Daniel Ayers, founder and director of security company Elementary Solutions, says it should be possible to recover what activities were carried out on the kiosks and that Bennett has been poorly advised if she thinks otherwise.
“If each kiosk computer has its own hard disk then those hard disks can be examined to identify what user activity has occurred, even months or years into the past,” says Ayers.
“If the kiosks don’t have their own hard disk then forensic traces would be left behind on the Ministry’s computer system when a kiosk computer attempts or succeeds in connecting.
“If the minister has been told it isn’t possible maybe it is time the ministry found better investigators and advisors.”
Ayers worked as a senior manager at Deloitte in the late 1990s and helped establish a computer forensics practice at McCallum Petterson, which would later merge with Deloitte. He says he is dubious about how much Deloitte’s investigation will cost and about the two-week time frame given.
He says the report will be basic and will not reveal how compromised MSD’s and the government’s systems truly are, and he has gone so far as to release a set of predictions of what the report will contain:
- The network design for the kiosk project was flawed – it did not provide for proper separation between the kiosks and the main ministry computer systems.
- The kiosk computers were included as members of the Active Directory domain when they should have been separate.
- Firewall rules should have prevented kiosk computers from communicating with Ministry internal computer systems.
- The kiosk computers were not properly locked down so as to restrict what members of the public could do.
- Access permissions on internal ministry computer systems were too permissive, meaning that unauthorised persons could access files such as invoices.
- The ministry does not adequately segregate information on its computer systems so that only those staff who require access to various categories of information have that access.
- It should not have been permitted for members of the public to attach USB storage devices (pen drives, etc) to kiosk computers.
- Monitoring of the use of kiosk computers by ministry staff was inadequate.
- The ministry’s computer network does not maintain adequate audit trail information so that investigators can ascertain – after the fact – what activities a computer user has engaged in on ministry computers.
- The ministry is over-reliant on security reviews as a means of ensuring that security risks are addressed.
- The ministry failed to properly address concerns raised in security review reports prepared by external consultants.
“It will be interesting to compare those findings to the Deloitte report, especially in the context of the fees Deloitte charge for their review,” says Ayers.
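Ayers’ predictions turn on two points: kiosk computers should never have been able to reach internal ministry systems, and adequate audit trails would let investigators establish after the fact which kiosk touched which internal file. As an added illustration (not code from the article, MSD, Deloitte or Elementary Solutions), the following Python check runs over constructed file-server access audit records and flags every access where a kiosk host reached an internal file share. The `KIOSK-` hostname prefix, the `FS-INTERNAL-` server prefix and the record layout are assumptions for the example.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample of file-share access audit records (not real ministry data).
# Fields: timestamp, source host, account, target server, share, path, action
SAMPLE_AUDIT = """timestamp,src_host,account,server,share,path,action
2012-10-08T09:12:03,KIOSK-AKL-01,kiosk_public,FS-INTERNAL-01,Finance,invoices/2011/inv-0091.pdf,READ
2012-10-08T09:13:47,WKS-0422,jsmith,FS-INTERNAL-01,Finance,invoices/2011/inv-0091.pdf,READ
2012-10-08T09:15:10,KIOSK-WLG-03,kiosk_public,FS-INTERNAL-02,HR,cases/notes-2231.docx,READ
2012-10-08T09:16:55,KIOSK-WLG-03,kiosk_public,KIOSK-CONTENT,Public,jobs/listing.html,READ
2012-10-08T09:18:02,KIOSK-AKL-01,kiosk_public,FS-INTERNAL-01,Finance,invoices/2011/,LIST
"""

# Assumed naming conventions: public kiosks and internal file servers.
KIOSK_HOST = re.compile(r"^KIOSK-", re.IGNORECASE)
INTERNAL_SERVER = re.compile(r"^FS-INTERNAL-", re.IGNORECASE)


def find_kiosk_internal_access(audit_csv):
    """Return audit records in which a kiosk host reached an internal file server.

    With proper segmentation (firewall rules, kiosks outside the staff domain)
    such records should never exist, so every hit is a control failure and
    a lead for the investigators.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(audit_csv)):
        if KIOSK_HOST.match(row["src_host"]) and INTERNAL_SERVER.match(row["server"]):
            hits.append(row)
    return hits


def summarise_by_kiosk(hits):
    """Count flagged accesses per kiosk: which machines were used, and how often."""
    return dict(Counter(h["src_host"] for h in hits))


if __name__ == "__main__":
    flagged = find_kiosk_internal_access(SAMPLE_AUDIT)
    for h in flagged:
        print(f"{h['timestamp']} {h['src_host']} -> {h['server']}/{h['share']}/{h['path']} ({h['action']})")
    print(summarise_by_kiosk(flagged))
```

Real investigations would take the equivalent records from file-server auditing, proxy logs or domain controller logon events; the check is only as good as the audit trail the ministry actually kept.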