By Travis Perry │ Kansas Watchdog
TOPEKA — Computer hackers could have a field day with sensitive data stored on government computers in the state, and it could go undetected.
State auditors Thursday morning eviscerated nine Kansas government agencies for inadequate information-technology security controls guarding confidential data maintained on the state’s computers.
The audit is dotted with details of weak passwords, insufficient staff training, sloppy inventory records and inadequate disaster planning.
Dan Bryan, principal information technology auditor for the state’s Legislative Division of Post Audit, said the issues were a significant breach in state data security.
“State agencies, to conduct their work and perform their services to the state, they need to collect volumes of information, and much of what they collect is confidential,” Bryan said. “That’s the type of data that needs to be protected.”
“Most agencies did not have adequate IT security controls to protect that confidential information,” he said.
State agencies scrutinized by the audit included:
- Department of Commerce
- Department of Corrections
- Department of Education
- Department of Labor
- Department of Revenue
- Juvenile Justice Authority
- State Board of Indigents’ Defense Services
- State Treasurer’s Office
- Department of Wildlife, Parks and Tourism
Bryan said the departments were chosen for audit based on an annual rotation.
Legislative Post Audit Committee members did not discuss any specific problems during the public meeting. Instead, they opted to go into executive session for one reason — security.
Bryan outlined a series of security risks uncovered by state auditors, with insecure staff passwords among the most egregious. He said it was an issue for more than half of audited agencies. For three agencies in particular, auditors were able to crack more than 60 percent of staff passwords.
“Hackers know, and they build their tools to attack passwords in a way that people construct them — a word with special numbers or characters on the end … we broke all of our passwords using software that is open and free on the Internet,” Bryan said.
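The attack Bryan describes is a dictionary attack with mangling rules: take a common word, vary its capitalization, and append digits or a special character, then hash every candidate and compare against the stolen hash list. The script below is an added illustration and is not code from the audit or the Legislative Division of Post Audit; the wordlist and the seven "staff" passwords are constructed here so it runs offline, and it assumes unsalted SHA-256 hashes purely to keep the example short (a real system should use a slow, salted password hash, which makes exactly this attack far more expensive). Free tools such as John the Ripper and hashcat apply the same idea at scale with much larger rule sets.

```python
import hashlib
from typing import Dict, Iterable, List

# Constructed sample wordlist (hypothetical; a real attack uses a large
# public list of common words and leaked passwords).
WORDLIST: List[str] = ["topeka", "kansas", "summer", "password", "welcome", "jayhawk"]


def _h(password: str) -> str:
    """Unsalted SHA-256, an assumption made only so the example is short."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample "hash dump" for seven hypothetical accounts. Six follow
# the word-plus-suffix pattern the auditor described; user06 is random.
SAMPLE_HASHES: Dict[str, str] = {
    "user01": _h("Kansas1!"),
    "user02": _h("summer2013"),
    "user03": _h("Password#1"),
    "user04": _h("Jayhawk99"),
    "user05": _h("welcome"),
    "user06": _h("7fG$kq2Lp!zR"),  # random, should survive the attack
    "user07": _h("Topeka2012$"),
}


def candidates(word: str) -> Iterable[str]:
    """Mangling rules modelled on the audit's description: a dictionary word,
    optionally capitalised, with digits and/or one special character added
    on the end in either order."""
    bases = {word, word.capitalize(), word.upper()}
    suffix_digits = [""] + [str(n) for n in range(100)] + [str(y) for y in range(1990, 2016)]
    specials = ["", "!", "#", "$", "@"]
    for base in bases:
        for digits in suffix_digits:
            for special in specials:
                yield base + digits + special   # e.g. Kansas1!
                yield base + special + digits   # e.g. Password#1


def crack(hashes: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Return {account: recovered_password} for every hash hit by a candidate."""
    # Invert the dump so each computed hash costs one dictionary lookup.
    by_hash: Dict[str, List[str]] = {}
    for account, digest in hashes.items():
        by_hash.setdefault(digest, []).append(account)

    found: Dict[str, str] = {}
    for word in wordlist:
        for cand in candidates(word):
            for account in by_hash.get(_h(cand), []):
                found.setdefault(account, cand)
    return found


def crack_rate(hashes: Dict[str, str], wordlist: List[str]) -> float:
    """Fraction of accounts recovered, the figure an auditor would report."""
    return len(crack(hashes, wordlist)) / len(hashes)


if __name__ == "__main__":
    hits = crack(SAMPLE_HASHES, WORDLIST)
    for account, password in sorted(hits.items()):
        print(f"{account}: {password}")
    print(f"cracked {crack_rate(SAMPLE_HASHES, WORDLIST):.0%} of accounts")
```

On the constructed sample the rules recover six of the seven accounts; only the random password holds out, which is the point the auditor was making about how people construct passwords.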
In a rare assignment of blame, Bryan made the JJA the poster child for shoddy inventory management. He said the agency not only failed to maintain an inventory of all of its IT hardware, but that during the course of the audit about 200 computers were found to have been left sitting in the former Atchison Juvenile Correctional Facility, which has been closed for more than three years.
“That doesn’t provide us any assurance in our auditing,” Bryan said.
The report also blasted agencies for not installing the most recent high-priority software updates on their servers and workstations, leaving further security gaps. Only two of the nine agencies audited met expectations; the rest had as many as 53 vulnerabilities per server or workstation.
The audit also painted a frightening picture of Kansas government should a disaster befall the state. The Continuity of Operations Plan, Bryan said, is an outline of how each state agency will continue to operate during an emergency. No agency surveyed had a fully developed or tested plan.
“It’s very unlikely they would get up and running in a timely fashion” after an emergency, Bryan said.
Rep. John Grange, R-District 75, asked if auditors uncovered any actual security breaches. Bryan said while they didn’t discover anything, auditors also weren’t specifically looking for it, and that it “would be a very hard thing for us to find.”
— Edited by Kelly Carson, [email protected]