NZ Ministry knew of flaws, failed to take action: Deloitte
Mid last month, journalist/blogger Keith Ng revealed that public kiosks installed at the New Zealand Ministry of Social Development's Work and Income self-service centres would allow anyone to access its corporate network, including sensitive information such as child-protection details.
Deloitte's report (PDF) found that although the ministry's risk management processes failed to identify the issue, staff within the ministry were aware of the vulnerabilities in the kiosk system and failed to take appropriate action.
During the design of the kiosks in June 2009, the question of how to provide internet access was raised by a technical architect. Two options were suggested; one was to provide a direct connection to an ISP, while the latter was to use the ministry's corporate network. However, the technical architect wrote in their paper that if the corporate network was used, it would require network separation in order to address security concerns.
The report shows that, although it is unclear if whether this requirement was forgotten or lost, it appears to be missing from planning documents from May 2010.
Deloitte's report found that there was not enough focus on security and privacy during the build, and that in the final business case for the kiosk, no security risks were discussed, even though other kinds of project risks were.
In April 2011, Dimension Data was engaged by the ministry to perform penetration testing. Its report found several weaknesses, but highlighted the lack of network separation and the possibility of sensitive data to be stolen as the two urgent vulnerabilities that should be addressed. Dimension Data recommended holding off placing the kiosks into production until these were fixed. In response, the ministry's IT Network Services put in a request to fund the necessary routing equipment, but failed to mention any of the security issues. The request was never acknowledged by the ministry.
Deloitte's report found Dimension Data's audit to be appropriate, but criticised the ministry's response, stating that if the two urgent vulnerabilities had been remediated, the breach would not have occurred.
In October 2011, Kay Brereton, a stakeholder in the kiosk program, realised that there was a significant security problem and raised it as an issue. However, the ministry's own IT Security team was unable to replicate the issue and noted that the previous recommendations to install routing equipment were still in the budgeting phase. It then reassured the ministry that the risks were acceptable and the kiosks were secure.
Deloitte noted that while these risks were logged on the ministry's appropriate threat registers, its IT Security Team failed to escalate the issue to a point where it would be acted upon.
"The Deloitte report confirms that staff members in leadership positions were not alerted to these issues and, therefore, had no opportunities to exercise appropriate judgement," the ministry's Chief Executive Brendan Boyle said in a statement and noted that they "woefully underestimated the risk of a malicious attack."
"The report makes it clear there were risk and governance processes in place, however these were not appropriately used."
"Questions must now be asked about the adequacy of these processes and whether this was an extraordinary series of events, or whether it raises broader issues about the appropriateness and effectiveness of the ministry's wider information systems security."
To her credit, Brereton raised the issue again in December 2011, but due to a series of missed correspondences, the security issue was never dealt with. It lay dormant until October 2012, when a New Zealand resident discovered the issue himself, and attempted to contact the ministry. After the ministry declined to provide him with any compensation for his findings, he provided the information to Ng, who then verified the flaw, contacted the privacy commissioner and the ministry, and went public with his findings.
While Boyle said that the report was "damning," he considered the ministry to be lucky.
"We are extremely fortunate that the risk of harm from this is extremely low, because there were only two people who looked at a limited number of the invoices. Both men have returned all the information, and assured us and the privacy commissioner that they have not distributed it to anyone else," he said.
"Investigations have determined that there is no evidence that the Kiosk breach went beyond that of Keith Ng and his associate, Ira Bailey."
"Both men have cooperated with the Deloitte investigation and with the privacy commissioner. They have handed the information over, and promised they have not shared that information with anyone else."
Deloitte is now conducting its second phase of its review, which will look at the ministry's policies, governance, capability, and culture. It is expected to be completed later this month.
Meanwhile, Boyle has confirmed that four staff members are now involved in employment investigations, and once these are completed, he will take appropriate action.
"I can assure people that the employment investigations will be thorough, and people will be held to account for their conduct."