KPMG was also able to gain unauthorised access into the premises of all these organisations, across both public and private sectors.
This may sound like a horror story, but this precisely is what Philip Whitmore, partner, security advisory services at KPMG, reported to the delegates at the CPA Congress last week in Auckland.
Whitmore, who spoke on ‘a real world perspective on the effectiveness of IT security’, revealed more sobering results of the tests across these organisations:
- In about a third (32 per cent), KPMG was able to go past the internet parameter.
- Just less than a quarter (24 per cent) of the wireless networks had vulnerabilities that allowed unauthorised access.
- Sixty two per cent of the time, KPMG was able to access sensitive information stored on laptops and mobile devices.
Security risks should be treated as a regular boardroom issue, on a par with financial reporting, regulatory issues and strategic direction
These are damning numbers and most organisations are not getting better at security, he states.
He pointed out security is probably becoming more and more top of mind for organisations over the last two years.
Security incidents have also been in the news, affecting organisations in the US, UK and Australia, and locally.
He said there is no obligation for New Zealand organisations to report a security or privacy breach, unlike in the United States and increasingly in other countries as well.
That is the reason why there are fewer reports involving local organisations. But the Privacy Act is being reviewed and the Privacy Commission is keen on changing that.
Basing his reports on the results of KPMG penetration tests on 200 of its clients, he listed the top 10 security issues for NZ organisations.
1. Poor quality passwords
Poor quality passwords are very common, and continue to be the number one issue.
Whitmore said 89 per cent of the organisations had administrative passwords that could be manually guessed without detection. Many of the companies did not use two-factor authentication.
2. Common initial passwords
In 78 per cent of the organisations, common passwords were used when new user accounts were created or when passwords are reset.
“Welcome" and "Monday” are the most common, said Whitmore. Moreover, 87 per cent of the organisations that used common initial passwords still had accounts which used the passwords during the tests.
3. Access to file shares not sufficiently controlled
Whitemore noted that 92 per cent of the organisations provided all users access to file shares which contained sensitive information. These include payroll information.
Sufficient consideration is usually not given to which users should have access to which directories on the various servers. This information could be a year old but is still sensitive, he said. There is a need to classify information as public, corporate and sensitive, he said. For instance, somebody could just put the customer database in a USB stick and walk out. “The value of that information is a lot.”
4. Document administrative passwords are stored insecurely – and can easily be found
Eighty three per cent of the time, the documented administrative passwords were not stored securely. The KPMG team found passwords written on the whiteboard of the IT area, in the drawer of the IT manager. They also found administrative passwords on documents in which everyone had access to.
5. Weak physical controls over their premises and IT systems
The testers were able to gain unauthorised access in all of the organisations, and 89 per cent of the time they gained access into sensitive areas “through relatively simple means”.
Whitmore said of the doors that had punch code locks, the typical time they could get through this was 60 seconds. “In fact, the average time to get through any locked door is 60 seconds,” he said.
The doors of one building were locked by 5.30 pm, and can be opened only by a sensor from inside. But at around 6 pm, they put a paper in between the sliding door and waved it to trigger the sensor and open it.
Based on our experience, the typical time to get through this type of lock is 60 seconds.
6. Insecure Web based applications
Most web based applications are not as secure as they appear to be, he said. “System developers struggle with security.”
The team found 61 per cent of the Web apps did not appropriately validate user input and 42 per cent of the apps did not properly check a user’s authority to undertake an action.
7. Caching of passwords
The default behaviour of Windows is to store copies of the network password on the desktop or laptop when users log on. Whitmore said all organisations tested still cached their network passwords on these devices.
8. Password reset procedures typically do not confirm who is making the request for a password to be reset
Whitmore said in 86 per cent of the cases, passwords were set upon first request. In 14 per cent of the case, they were challenged, like being asked by the person on the other line to call them from the work desk. People, he said, want to be helpful, and when you “pressure them a little bit, they will do what you ask them”.
9.Insufficient security awareness
One hundred per cent of the organisations struggled to instil sufficient security awareness, he said. Insufficient security awareness among staff will often undermine the efforts made to stop security, he said, as he noted people putting passwords on Post It notes. “Strong technology controls are in place, but people undermine it.”
10. Patches are not applied on a timely basis
This leaves systems exposed to the vulnerabilities the patches were intended to address, he stated.
He noted one does not need to be an IT professional in order to do these activities. “I can do it, you don’t need to be an IT person,” said Whitmore, whose background is in accounting and law.
“The threat is real, we are a target in New Zealand just because we are here, we have money, we have IP and valuable assets,” he said.
A security breach can “kill a company in nanoseconds”.
He said security risks should be treated as a regular boardroom issue, “on a par with financial reporting, regulatory issues and strategic direction.”
This way, “it gets the attention they need.”
He said it is important that there are clear roles and responsibilities for security.
Understand your risks, test your security systems, so that you are in a position to manage them.
Most medium or large sized organisations will have two key roles – a chief information security officer who is responsible for information and protecting it, and an IT security manager, who is a senior person in the IT team. In smaller organisations, this may be a shared role.
He also recommended establishing a security risk management process at an organisation level and during the development or purchase of any new systems.
“Understand your risks, test your security systems, so that you are in a position to manage them,” he concluded.
Send news tips and comments to firstname.lastname@example.org
Follow Divina Paredes on Twitter: @divinap
Follow CIO New Zealand on Twitter:@cio_nz
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.