
Ex-Deloitte manager predicts, point by point, what Deloitte MSD inquiry will say

An ex-Deloitte senior manager has pre-empted his former employer's Ministry of Social Development security inquiry by releasing his own high-level findings.

He also claims Social Development Minister Paula Bennett is wrong to say the MSD cannot trace who has previously used WINZ kiosks to access unauthorised data, and that a (likely pricey) initial report should not take two weeks.

Yesterday, the Ministry of Social Development appointed Deloitte to conduct an independent inquiry into security problems revealed by blogger Keith Ng. CEO Brendan Boyle said the review would also look at the MSD's wider computer network, and corporate culture. 

Daniel Ayers - who set up Deloitte NZ's computer forensics unit - says his former company's assessment should be straightforward. The key problems were immediately obvious (see list below).

Tens of millions to fix
But just because the security issues were immediately obvious, that did not mean they were cheap or easy to fix.

If deep structural changes are required to the MSD's network,  Mr Ayers says the cost will run to "tens of millions of dollars."

"[That] would be the cost if they assumed the whole network was compromised and rebuilt it from scratch - the scenario that people such as [independent IT consultant] Matthew Poole advocate," he told NBR this morning.  

"[But] that is not the approach I recommend. The flaw reported by Keith Ng implies that some structural changes to the network will be required (to segregate the network, ensure that staff can only access the servers relevant to their role, separate the kiosks from the main network etc). That would take some work but the cost would be much more modest."

Right advice, wrong price
Yesterday - after initially blaming IT contractor Dimension Data - the MSD's Mr Boyle admitted Dimension had warned about issues with the kiosks in April last year, but that its recommendations "might" have been ignored.

Many consultants have said the public WINZ kiosks (designed for the unemployed to surf job sites or send a CV) should never have been connected to the MSD's corporate network.

Mr Ayers says his advice would have been to scrap the current kiosk architecture and start again - but that the MSD might have blanched at the cost of that suggestion.


Ex Deloitte man vs Deloitte: Daniel Ayers' MSD findings 

Former Deloitte senior manager Daniel Ayers is clearly pushing his own barrow by releasing his own top-level findings on the MSD security fiasco (after stints at Deloitte, Cap Gemini Ernst & Young and EDS he now has his own consultancy, Elementary Solutions).

Still, he makes interesting points. And he adds, cheekily:

“It will be interesting to compare these findings to the Deloitte report, especially in the context of the fees Deloitte charge for their review."

The initial two-week Deloitte survey could cost $40,000 to $50,000, Mr Ayers told NBR (the MSD would not comment on the cost, now the subject of an NBR Official Information Act request).

He says he's surprised the MSD has said the first phase of the Deloitte inquiry will take two weeks.

"I can tell you what the key findings will be right now.”

His key points:

  • The network design for the kiosk project was flawed – it did not provide for proper separation between the kiosks and the main Ministry computer systems
  • The kiosk computers were included as members of the Active Directory domain when they should have been separate
  • Firewall rules should have prevented kiosk computers from communicating with Ministry internal computer systems
  • The kiosk computers were not properly locked down so as to restrict what members of the public could do
  • Access permissions on internal Ministry computer systems were too permissive, meaning that unauthorised persons could access files such as invoices
  • The Ministry does not adequately segregate information on its computer systems so that only those staff who require access to various categories of information have that access
  • It should not have been permitted for members of the public to attach USB storage devices (pen drives, etc) to kiosk computers
  • Monitoring of the use of kiosk computers by Ministry staff was inadequate
  • The Ministry’s computer network does not maintain adequate audit trail information so that investigators can ascertain – after the fact – what activities a computer user has engaged in on Ministry computers
  • The Ministry is over-reliant on security reviews as a means of ensuring that security risks are addressed
  • The Ministry failed to properly address concerns raised in security review reports prepared by external consultants.
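The first three findings (no separation between kiosks and Ministry systems, kiosks joined to the domain, no firewall rules between them) amount to a flat network. As an added illustration, not code from the article, the MSD, Deloitte or Mr Ayers, the following Python models that flat layout beside a segregated one and checks the reachability requirements the findings imply. Every address range, zone name and port in it is an assumption chosen for the example, not a fact about the MSD network.

```python
"""Offline reachability check for the network findings listed above.

Added example, not code from the MSD, Deloitte or Daniel Ayers. It models
two network layouts: the flat one implied by the findings (kiosks on the
same network as everything else, no filtering) and a segregated one in
which kiosks can only reach the internet and staff can only reach the
servers for their role. Address ranges, zone names and ports are
assumptions chosen for illustration, not facts about the MSD network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed address plan: one subnet per functional zone, all inside 10/8.
ZONES = {
    "kiosk": ipaddress.ip_network("10.10.0.0/24"),
    "finance": ipaddress.ip_network("10.20.0.0/24"),
    "hr": ipaddress.ip_network("10.30.0.0/24"),
    "finance_servers": ipaddress.ip_network("10.120.0.0/24"),
    "hr_servers": ipaddress.ip_network("10.130.0.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),   # whole corporate network
    "any": ipaddress.ip_network("0.0.0.0/0"),         # everything, internet included
}
SMB, HTTP, HTTPS = 445, 80, 443   # SMB is what the Office Open dialog uses to browse shares


@dataclass(frozen=True)
class Rule:
    src: str                        # zone name from ZONES
    dst: str                        # zone name from ZONES
    ports: Optional[frozenset]      # destination ports; None means any port
    action: str                     # "allow" or "deny"


def evaluate(rules, src_ip, dst_ip, port):
    """First-match policy evaluation with an implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ZONES[rule.src] and dst in ZONES[rule.dst]
                and (rule.ports is None or port in rule.ports)):
            return rule.action == "allow"
    return False


# The flawed layout: a single permit-everything rule, so a kiosk sees every server.
FLAT_NETWORK = [Rule("any", "any", None, "allow")]

# The segregated layout. Order matters: the deny for the corporate range comes
# before the internet allow, otherwise 0.0.0.0/0 would also cover 10.0.0.0/8.
SEGREGATED = [
    Rule("kiosk", "internal", None, "deny"),
    Rule("kiosk", "any", frozenset({HTTP, HTTPS}), "allow"),
    Rule("finance", "finance_servers", frozenset({SMB}), "allow"),
    Rule("hr", "hr_servers", frozenset({SMB}), "allow"),
    # everything else, including finance -> hr_servers, falls through to deny
]

# Requirements derived from the findings: (description, src, dst, port, expected)
REQUIREMENTS = [
    ("kiosk must not reach the finance file share", "10.10.0.5", "10.120.0.10", SMB, False),
    ("kiosk must not reach the HR file share", "10.10.0.5", "10.130.0.10", SMB, False),
    ("kiosk may browse job sites", "10.10.0.5", "203.0.113.7", HTTPS, True),
    ("finance staff reach the finance share", "10.20.0.8", "10.120.0.10", SMB, True),
    ("finance staff do not reach the HR share", "10.20.0.8", "10.130.0.10", SMB, False),
    ("HR staff reach the HR share", "10.30.0.8", "10.130.0.10", SMB, True),
]


def violations(rules):
    """Return the descriptions of every requirement the rule set breaks."""
    return [desc for desc, s, d, p, want in REQUIREMENTS
            if evaluate(rules, s, d, p) != want]


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_NETWORK), ("segregated", SEGREGATED)):
        print(f"{name}: {len(violations(rules))} violation(s)")
        for v in violations(rules):
            print("  -", v)
```

Run stand-alone, the flat rule set breaks three of the six requirements (both kiosk-to-share cases and finance-to-HR), the segregated one breaks none. The point of the ordering comment is the one that bites in practice: an "allow kiosks to the internet" rule written against 0.0.0.0/0 also reaches the internal range unless a deny is placed in front of it.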

WINZ kiosk use can be traced

On Sunday night, blogger Keith Ng revealed he had used the standard Open dialog in Microsoft Office and basic network-mapping commands to access large swathes of the Ministry of Social Development's network through a WINZ public kiosk.

The kiosks - currently offline - did not require any log-on.

On Tuesday, Social Development Minister Paula Bennett was quoted by TVNZ as saying “We have no way of tracing what people have been doing on the kiosks.” This is not correct, and indicates that the Minister has been poorly advised, computer forensic investigator Daniel Ayers claims.

“If each kiosk computer has its own hard disk then those hard disks can be examined to identify what user activity has occurred, even months or years into the past” says Ayers. “If the kiosks don’t have their own hard disks then forensic traces would be left behind on the Ministry’s computer systems when a kiosk computer attempts or succeeds in connecting. Searching for those electronic footprints on Ministry computer systems will reveal whether or not kiosks have been misused in the past.”
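The second case Mr Ayers describes, traces left on the Ministry's own servers, is what a forensic search would actually run over. As an added example that is not from the article and not MSD or Deloitte work, the Python below hunts a Windows file-server Security log for share accesses coming from the kiosk network. It assumes, and this is an assumption rather than a fact about the MSD, that the file servers had share-access auditing enabled, so that Windows wrote Event ID 5140 ("A network share object was accessed") with the requesting account and source address. The log excerpt, kiosk subnet, account names, share names and timestamps are all constructed for the illustration.

```python
"""Hunt for kiosk-origin share access in Windows file-server audit logs.

Added example, not from the NBR article and not MSD or Deloitte work. It
assumes (an assumption about how such a search could be done) that the
file servers audited share access: Windows records Event ID 5140 when
that audit policy is on, including the requesting account and source
address. The log excerpt below is constructed; the kiosk subnet, account
names, share names and timestamps are invented for illustration.
"""
import ipaddress
import re
from collections import Counter

KIOSK_RANGE = ipaddress.ip_network("10.10.0.0/24")   # assumed kiosk subnet

# Constructed Security-log export: three 5140 records separated by "---".
SAMPLE_LOG = r"""
2012-10-10 14:02:11 EventID=5140 Computer=FS01.msd.local
A network share object was accessed.
Subject:
    Account Name:    KIOSK07$
Network Information:
    Source Address:  10.10.0.17
Share Information:
    Share Name:      \\*\Finance
Access Request Information:
    Accesses:        ReadData (or ListDirectory)
---
2012-10-10 14:05:02 EventID=5140 Computer=FS01.msd.local
A network share object was accessed.
Subject:
    Account Name:    jsmith
Network Information:
    Source Address:  10.20.0.8
Share Information:
    Share Name:      \\*\Finance
Access Request Information:
    Accesses:        ReadData (or ListDirectory)
---
2012-10-10 14:09:47 EventID=5140 Computer=FS01.msd.local
A network share object was accessed.
Subject:
    Account Name:    ANONYMOUS LOGON
Network Information:
    Source Address:  10.10.0.17
Share Information:
    Share Name:      \\*\Invoices
Access Request Information:
    Accesses:        ReadData (or ListDirectory)
"""

HEADER = re.compile(r"^(\S+ \S+) EventID=(\d+) Computer=(\S+)", re.M)
FIELD = re.compile(r"^[ \t]*(Account Name|Source Address|Share Name|Accesses):[ \t]*(.+?)[ \t]*$", re.M)


def parse_events(text):
    """Turn the text export into one dict per record."""
    events = []
    for block in text.strip().split("\n---\n"):
        head = HEADER.match(block)
        if not head:
            continue
        event = {"time": head.group(1), "event_id": int(head.group(2)), "server": head.group(3)}
        event.update({name: value for name, value in FIELD.findall(block)})
        events.append(event)
    return events


def kiosk_share_accesses(events):
    """5140 records whose source is a kiosk address or a kiosk machine account.

    The kiosks needed no log-on, so a kiosk reaching a share shows up either as
    the kiosk's own domain computer account (KIOSKnn$, assumed naming) or as
    ANONYMOUS LOGON; the source address is the more reliable signal.
    """
    hits = []
    for event in events:
        if event.get("event_id") != 5140:
            continue
        try:
            from_kiosk_net = ipaddress.ip_address(event.get("Source Address", "")) in KIOSK_RANGE
        except ValueError:
            from_kiosk_net = False
        kiosk_account = event.get("Account Name", "").upper().startswith("KIOSK")
        if from_kiosk_net or kiosk_account:
            hits.append(event)
    return hits


def accesses_per_kiosk(hits):
    """Count hits per source address: the 'has this happened before' answer."""
    return dict(Counter(event["Source Address"] for event in hits))


if __name__ == "__main__":
    hits = kiosk_share_accesses(parse_events(SAMPLE_LOG))
    for event in hits:
        print(event["time"], event["server"], event["Source Address"],
              event["Account Name"], event["Share Name"], sep="  ")
    print(accesses_per_kiosk(hits))
```

On the constructed log the staff user's access to Finance is left alone and the two kiosk-origin records (one under the kiosk's computer account, one as ANONYMOUS LOGON) are returned, attributed to the same kiosk address. The same logic applies to domain-controller logon events and to whatever a proxy or firewall kept, which is why retention of those logs, not the presence of a kiosk hard disk, decides whether the question "has this been done before" can be answered.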

ckeall@nbr.co.nz


Comments and questions

Another ex-employee. Glad these people are named so the rest of us never offer them a job.

At least he had the courage to put his name out there rather than criticise while remaining anonymous.

This is really an elementary problem. Just about any company with internet facing customer systems has to protect those systems from leading to access company servers or other customers data. I can't believe MSD and their contractors are so incompetent. This has been something all organisations should have been doing for over a decade.

Unfortunately having seen inside these outfits, I can believe it.

Don't you remember the Toll Road fiasco where they hadn't heard of https to protect their credit card payments? These guys are clueless with a capital C.

How can anyone send their CV out for a job if they can't attach USB storage devices (pen drives, etc) to kiosk computers?

Heard of email?

If the kiosk is their only means of connecting to the internet, how are they supposed to email themselves their CV?

Sure... but you attach the CV to the email... prepare CV at home and save to USB... go to kiosk... look for job... apply for job and attach CV from USB...

This is a valid question. But you have to bear in mind that some organisations don't even let staff attach USB keys to computers for fear of information theft or booting unauthorised operating systems (such as the BackTrack penetration testing distro!). So it's very risky, and I would say unwise, to allow random members of the public to do that.

Then you would have to question whether or not the kiosks can perform their intended function if people can't attach USB media. They could still write their CV from scratch and print it.

If in doubt, throw some very well-paid consultants at the problem at the taxpayers' expense.

How much are the in-house IT team paid to get these things right in the first place? And who will be leaving the public payroll promptly as a result of:

1. Approving the release of a system with such fundamental errors; and
2. Ignoring a report that highlighted the problems over a year ago

Let's have proper accountability and not the usual government finger pointing and opaque "investigation".

Swords will be fallen upon - my guess is Friday so wounds can be licked over the long weekend.

No doubt the highly paid consultants will suggest a very expensive solution to justify fees.

Deep structural changes nonsense. A separate VLAN and a DMZ-based Web server are all that would be needed.

The root of the problem is in the New Zealand Government's terrible IT procurement policy and its willingness to pay extortionate hourly rates since it outsourced all of its expertise.

You should stop and think about it before being so dismissive.

The fact that Keith Ng was able to see a bunch of MSD servers from the kiosk implies that there is little or no compartmentalisation in the network - i.e. segmenting off groups of staff/servers by function or location so that only those who need access to certain resources have that access. For example, only finance staff can see finance servers. Only HR staff can see HR servers, etc. This is the most basic of all security principles - you only give access to people who need it.

The benefit in doing this is that the consequences of a security compromise, rogue staff member, virus, etc is contained. The benefits of that should be obvious.

And, if you need another example, think back to the virus outbreak at Waikato DHB in December 2009. If their network had been segmented the initial outbreak would have been contained (meaning most of the organisation would have been unaffected) and the cleanup would have been easier and cheaper. Do you recall how long they were down because they kept chasing the infection around the network?

Paula Bennett would have been far wiser to consult Sir Humphrey Appleby.

Does yer average puter record every single thing that is done upon it? Wouldn't a thought so. Still, nice audit job if you can get it. Every single instruction on dozens of computers over a number of years.

Keith Ng, Ira Bailey & now Daniel Ayers will be attacked. Common tactic to attack the messenger.

So, good on Bennett (so far) for resisting this herself, although no doubt surely tempted (also by her own CE saying things later retracted).

Mighty impressive when politician, esp under intense pressure, fronts up and says 'we screwed up, thanks for letting us know, we'll fix it'.

Hope she can stay on the high ground without descending into the usual political fallback position of blaming all and sundry. Messy now, but at least a chance we can respect her playing with a straight bat.

Think Phil Heatley, who fell on his sword when politically he didn't need to. And proved he takes accountability seriously. More respect to him. Time will tell for Bennett.

Ludicrous nonsense isn't it? To create CVs all they need is standalone machines with email capability. Or just gmail/google docs.

But they'll spend millions on the solution which will be so complicated it will soon have more holes in it.

You are right, Allan. What a ridiculous waste of money.

This is your typical quick and inexpensive solution that wasn't thought through properly at the time and will now cost significantly more to fix after the fact. It is unfortunately extremely common and will continue to be so, both in the private and public sector.

You don't need an expensive consultant to tell you how to do this properly, but often you need one to make the people with the purse strings listen for a change.

#12: that is so, so true! The public service has been so busy underpaying competent staff that it cannot retain them, and you need to be competent even to hire and manage external competency. Of course it's a goldmine for Deloittes and their ilk. Unfortunately Key and co have no idea about the business of government, so are not in a position to judge what their constant "ratcheting down" of the service entails and what it results in.

A good robust fix to this would be to utilise thin clients at all sites (convert the existing kiosk hardware, no requirement to purchase any additional hardware), build a VMware View virtual desktop infrastructure that places the virtual desktops in an untrusted DMZ, isolated from the corporate network, allow web access through a filtering gateway to limit access to job hunting sites and public email sites, and configure the virtual desktops to be highly locked down, and also to automatically rebuild every night just in case someone does compromise one.

Additionally, and as a separate workstream, internally identify functional groups and apply security ACLs across the internal filesystems accordingly.

This solution would be well under 7 figures, let alone 8!

Astounding that this situation exists, it really is basic security 101.