Ex-Deloitte manager predicts, point by point, what Deloitte MSD inquiry will say
An ex-Deloitte senior manager has pre-empted his former employer's Ministry of Social Development security inquiry by releasing his own high-level findings.
He also claims Social Development Minister Paula Bennett is wrong to say the MSD cannot trace who has previously used WINZ kiosks to access unauthorised data, and that a (likely pricey) initial report should not take two weeks.
Yesterday, the Ministry of Social Development appointed Deloitte to conduct an independent inquiry into security problems revealed by blogger Keith Ng. CEO Brendan Boyle said the review would also look at the MSD's wider computer network, and corporate culture.
Daniel Ayers - who set up Deloitte NZ's computer forensics unit - says his former company's assessment should be straightforward. The key problems were immediately obvious (see list below).
Tens of millions to fix
But just because the security issues were immediately obvious, that did not mean they were cheap or easy to fix.
If deep structural changes are required to the MSD's network, Mr Ayers says the cost will run to "tens of millions of dollars."
"[That] would be the cost if they assumed the whole network was compromised and rebuilt it from scratch - the scenario that people such as [independent IT consultant] Matthew Poole advocate," he told NBR this morning.
"[But] that is not the approach I recommend. The flaw reported by Keith Ng implies that some structural changes to the network will be required (to segregate the network, ensure that staff can only access the servers relevant to their role, separate the kiosks from the main network etc.). That would take some work but the cost would be much more modest."
Right advice, wrong price
Yesterday - after initially blaming IT contractor Dimension Data - the MSD's Mr Boyle admitted Dimension had warned about issues with the kiosks in April last year, but that its recommendations "might" have been ignored.
Many consultants have said the public WINZ kiosks (designed for the unemployed to surf job sites or send a CV) should never have been connected to the MSD's corporate network.
Mr Ayers says his advice would have been to scrap the current kiosk architecture and start again - but that the MSD might have blanched at the cost of that suggestion.
Ex-Deloitte man vs Deloitte: Daniel Ayers' MSD findings
Former Deloitte senior manager Daniel Ayers is clearly pushing his own barrow by releasing his own top-level findings on the MSD security fiasco (after stints at Deloitte, Cap Gemini Ernst & Young and EDS he now has his own consultancy, Elementary Solutions).
Still, he makes interesting points. And he adds, cheekily:
“It will be interesting to compare these findings to the Deloitte report, especially in the context of the fees Deloitte charge for their review.”
He says he's surprised the MSD has said the first phase of the Deloitte inquiry will take two weeks.
“I can tell you what the key findings will be right now.”
His key points:
- The network design for the kiosk project was flawed – it did not provide for proper separation between the kiosks and the main Ministry computer systems
- The kiosk computers were included as members of the Active Directory domain when they should have been separate
- Firewall rules should have prevented kiosk computers from communicating with Ministry internal computer systems
- The kiosk computers were not properly locked down so as to restrict what members of the public could do
- Access permissions on internal Ministry computer systems were too permissive, meaning that unauthorised persons could access files such as invoices
- The Ministry does not adequately segregate information on its computer systems so that only those staff who require access to various categories of information have that access
- It should not have been permitted for members of the public to attach USB storage devices (pen drives, etc) to kiosk computers
- Monitoring of the use of kiosk computers by Ministry staff was inadequate
- The Ministry’s computer network does not maintain adequate audit trail information so that investigators can ascertain – after the fact – what activities a computer user has engaged in on Ministry computers
- The Ministry is over-reliant on security reviews as a means of ensuring that security risks are addressed
- The Ministry failed to properly address concerns raised in security review reports prepared by external consultants.
WINZ kiosk use can be traced
On Sunday night, blogger Keith Ng revealed he had used simple Microsoft Open and network mapping commands to access large swathes of the Ministry of Social Development's network through a WINZ public kiosk.
The kiosks - currently offline - did not require any log-on.
On Tuesday, Social Development Minister Paula Bennett was quoted by TVNZ as saying “We have no way of tracing what people have been doing on the kiosks.” This is not correct, and indicates that the Minister has been poorly advised, computer forensic investigator Daniel Ayers claims.
“If each kiosk computer has its own hard disk then those hard disks can be examined to identify what user activity has occurred, even months or years into the past,” says Ayers. “If the kiosks don’t have their own hard disks then forensic traces would be left behind on the Ministry’s computer systems when a kiosk computer attempts or succeeds in connecting. Searching for those electronic footprints on Ministry computer systems will reveal whether or not kiosks have been misused in the past.”
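The following is an added example, not code from the article, from Mr Ayers or from the MSD, illustrating the kind of server-side search he describes and the audit-trail point in his findings list: when a kiosk connects to an internal file server, the server's security log records the network logon and the share that was opened, so those records can be searched after the fact even if the kiosks themselves keep nothing. The log lines, the kiosk subnet (10.50.0.0/24) and the list of internal shares are constructed assumptions for the demonstration; the records are loosely modelled on Windows Security events 4624 (logon, type 3 = network) and 5140 (network share accessed) exported in a key=value form.

```python
"""Search exported server security events for traces of kiosk activity.

Added example, not from the article or the MSD. Log lines, the kiosk subnet
and the internal-share list are constructed for the demo.
"""
import ipaddress
import re
from collections import defaultdict

KIOSK_NET = ipaddress.ip_network("10.50.0.0/24")  # assumed kiosk VLAN
# Shares a public kiosk should never reach (assumed names)
INTERNAL_SHARES = {"Finance", "HR", "Invoices"}

# Constructed records, loosely modelled on Windows Security events
# 4624 (logon, LogonType 3 = network) and 5140 (share accessed).
SAMPLE_LOG = r"""
2012-10-12T09:14:03 EventID=4624 LogonType=3 SourceIP=10.50.0.17 Account=ANONYMOUS LOGON
2012-10-12T09:14:05 EventID=5140 SourceIP=10.50.0.17 Share=\\FS01\Public Account=ANONYMOUS LOGON
2012-10-12T09:16:41 EventID=5140 SourceIP=10.50.0.17 Share=\\FS01\Invoices Account=ANONYMOUS LOGON
2012-10-12T09:20:12 EventID=5140 SourceIP=10.20.1.44 Share=\\FS01\Invoices Account=MSD\jsmith
2012-10-13T14:02:09 EventID=4624 LogonType=3 SourceIP=10.50.0.23 Account=ANONYMOUS LOGON
2012-10-13T14:02:30 EventID=5140 SourceIP=10.50.0.23 Share=\\FS02\HR Account=ANONYMOUS LOGON
"""


def parse_record(line):
    """Split one 'timestamp key=value key=value ...' line into a dict.

    Values may contain spaces (e.g. 'ANONYMOUS LOGON'), so each value runs
    lazily until the next ' key=' token or end of line.
    """
    ts, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(.+?)(?= \w+=|$)", rest))
    fields["Timestamp"] = ts
    return fields


def share_name(unc_path):
    """Return the share component of a UNC path: \\FS01\Invoices -> Invoices."""
    return unc_path.rstrip("\\").split("\\")[-1]


def kiosk_footprints(log_text, kiosk_net=KIOSK_NET, internal_shares=INTERNAL_SHARES):
    """Summarise what each kiosk address did on the servers.

    Returns {kiosk_ip: {"logons": n, "shares": set(), "flagged": set()}}
    where 'flagged' holds (timestamp, UNC path) pairs for shares a kiosk
    should never have reached. Non-kiosk sources are ignored.
    """
    report = defaultdict(lambda: {"logons": 0, "shares": set(), "flagged": set()})
    for line in log_text.strip().splitlines():
        rec = parse_record(line)
        src = ipaddress.ip_address(rec["SourceIP"])
        if src not in kiosk_net:
            continue  # staff workstation or server; not a kiosk trace
        entry = report[str(src)]
        if rec["EventID"] == "4624" and rec.get("LogonType") == "3":
            entry["logons"] += 1
        elif rec["EventID"] == "5140":
            name = share_name(rec["Share"])
            entry["shares"].add(name)
            if name in internal_shares:
                entry["flagged"].add((rec["Timestamp"], rec["Share"]))
    return dict(report)


if __name__ == "__main__":
    for kiosk, info in sorted(kiosk_footprints(SAMPLE_LOG).items()):
        print(f"{kiosk}: {info['logons']} network logon(s), shares touched: "
              f"{sorted(info['shares'])}")
        for ts, share in sorted(info["flagged"]):
            print(f"  FLAG {ts} reached internal share {share}")
```

On the constructed input the search attributes two sessions to two kiosk addresses and flags the Invoices and HR shares as reached from the kiosk subnet, while the staff workstation's legitimate access to Invoices is left out. In a real investigation the same logic would run over events exported from the file servers and domain controllers for the whole period the kiosks were in service, which is why the retention of those logs (the audit-trail finding above) decides whether past misuse can be established at all.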