State computers at risk of cyber attack
WikiLeaks and Mesa County aren’t the only ones releasing sensitive information these days.
A state audit issued Monday shows the governor’s Office of Cyber Security isn’t properly overseeing the security of the state’s computers, doesn’t train state workers adequately on how to guard against outside attacks, and hasn’t gone after the state departments that failed to implement security plans as required by law.
“The Office of Cyber Security lacks a strategic plan for directing its operations, lacks any meaningful measures for assessing its performance, and does not have procedures to collect and analyze meaningful cyber security information,” State Auditor Sally Symanski said in her agency’s review of the office.
“A lack of effective leadership within the Office of Cyber Security and a lack of oversight by the governor’s Office of Information Technology led to many of the problems identified in our audit.”
Symanski’s auditors performed a covert inspection of the state’s computers that allowed them to hack into the computers with relative ease. Her audit found:
Exposed firewalls that allow anyone to access sensitive information through the Internet.
Overly simple or easily guessable user names and passwords.
Unnecessary and unsecured Internet addresses that, in some cases, provide unneeded or outdated information.
Unsecured Internet applications that allow anyone to access sensitive information, including those of individual citizens.
Open internal networks that are not supposed to allow outside users.
The audit said the state has about 17,600 active Internet addresses, some of which are old and unneeded and a few the office didn’t even know existed.
“We identified hundreds of vulnerabilities in state Web applications, including many severe vulnerabilities that led directly to the systems’ compromise,” the audit said.
“In several situations, we were able to take control of the database the application was using to disclose user names and passwords and citizen data.”
Neither Leah Lewis, acting state chief information officer, nor Evan Dryer, the governor’s press secretary, responded to numerous attempts Monday for comment about the audit.
In its official response to the audit, however, the office did agree to eight recommendations to correct the problems, but said it couldn’t do so until July. It said a ninth recommendation, to create a more secure internal network among state agencies, couldn’t be done before 2013.
The office has 17 full-time workers and operates on a budget of about $2.5 million.
Ironically, Gov. Bill Ritter issued a proclamation two months ago naming October “Cyber Security Awareness Month,” offering suggestions on what computer users should do to protect themselves.
That advice included having the latest security software and using stronger passwords to protect information, two things the audit said the office was not doing adequately.