[ISN] Residents' data at risk on state's computers

Fri Dec 9 01:38:31 EST 2005

http://www.duluthsuperior.com/mld/duluthsuperior/news/local/13356945.htm

BY PATRICK SWEENEY AND LESLIE BROOKS SUZUKAMO
ST. PAUL PIONEER PRESS
Dec. 08, 2005

ST. PAUL - Minnesotans' personal information stored on the state's
large mainframe computers - including tax return information and bank
account numbers - is at risk of being stolen, the Legislative Auditor
said Wednesday.

An audit conducted in October exposed a variety of vulnerabilities in
the mainframe computers, including a lack of basic security features
such as eliminating passwords for former employees.

The investigation was the latest of three security audits since 2000
that found that, despite some recent improvements, personal
information held by the state is "still vulnerable to loss, tampering
and unauthorized disclosure."

The audit found no evidence that computer hackers or state employees
have stolen any of that data. But the auditors did not look for that
kind of evidence, and one of the chief investigators for the auditing
team said a dis- gruntled employee could download information from the
system into a portable storage device without detection.

As part of the audit, the investigators performed such a download to
prove that it could be done, said Chris Buse, information technology
audit manager. No personal information was compromised in the test, he
said.

Legislative Auditor Jim Nobles told a House-Senate commission that his
staff found many shortcomings in the state's security practices for
mainframe computers in the state's main data center that store
driver's license information, process tax returns and maintain
eligibility data on Minnesotans who receive welfare payments or
state-subsidized health care.

Most of the audit focused on the potential for a few thousand state
employees or subcontractors with access to the computer systems to
misuse their passwords and, from their offices or homes, penetrate
databases beyond their job responsibilities.

The audit also found a few ways outside hackers could enter the
systems. "There are avenues of access that people can find, and they
don't have to be inside the system," Nobles said.

The problems within the state system are not uncommon for companies
with large computer systems, but their wide scope troubled one
corporate security expert.

"If I was a person sitting in my chair at home, I'd be pretty
alarmed," said Rick Greenwood, the chief technology officer at
Roseville-based Shavlik Technologies, a company that sells software
that helps large companies patch and protect their networks from
computer viruses and worms.

The state of the art for computer security is constantly changing, but
some of the problems uncovered -- such as leaving passwords unchanged
after an employee stops working for the state -- were particularly
troubling, Greenwood said.

The problems with managing passwords were fixed as soon as they were
pointed out, said Steve Stedman, the state's chief technology officer.

However, the state still has no automated way of turning off passwords
after a worker leaves, so there's a lag, he said.

Gopal Khanna, who was hired as Minnesota's chief information officer
last summer, said he assumes hackers routinely try to break into the
state's computers. But he said he knew of no instances in which
computer surveillance systems detected successful intrusions.

Minnesota's Web-based vehicle license tab renewal system was shut down
in April after another legislative audit found security shortcomings.

"While we may disagree with the magnitude of actual risk involved with
some of the audit findings and recommendations at a detail level, we
accept that the major thrust of the Office of Legislative Auditor
report is, on the whole, an accurate assessment," Khanna said.

Khanna said that he is moving toward hiring a high-level chief
information security officer to oversee access to all the state's
computer systems, and that he is preparing an action plan on
information security that he will present to state officials by the
end of January.

Khanna emphasized that his office takes the security questions
seriously and is studying ways to safeguard not just the mainframe
computers but the state's sprawling network of servers.

Both Nobles and Buse warned legislators Wednesday that they will have
to be prepared to pay more, particularly in salaries for information
security experts, to safeguard computerized data.

Problems cited in the most recent audit report include:

* Too many state employees have security clearances that give them
  wide access across multiple state computer systems.

* Too many employees have key cards that allow them physical access to
  mainframe computers.

* Some computer accounts allow users access to data without passwords,
  and software programs that require passwords to be changed regularly
  are sometimes bypassed.

* State employees working from home receive unencrypted data, making
  it easier for hackers to steal. Computer users, in at least one
  case, did not change the default password supplied with a software
  product, making the software easily accessible to hackers.

Buse said it is not possible for state officials to shut down most of
the computer systems at risk, as they had with the online license tab
renewal system.

"The guts of government run on these machines," he said.

-=-