If you live in NZ, or follow the IT Security press, you are probably aware of a security flaw recently discovered on public kiosks at the MSD (Ministry for Social Development). The story has really gained traction, spreading quickly across Twitter and the International press.
In short, it was possible to open sensitive files across the organisation using the Open File dialog in an application, on public kiosks, in Work and Income NZ offices. This sort of problem is as old as network file shares, and trivial to do. For more information I highly recommend reading the original Blog post and the follow-up posts by Keith Ng.
Not all of the facts are available, but it seems there are three good lessons we can all take away from this breach:
1) Security is everyone’s responsibility
The people tasked with developing and deploying the kiosks really could have done a better job, and this has been hashed out on Twitter and in blogs posts. What is less obvious is this problem required multiple failures, at different levels, across the organization.
Staff at the front-line should be aware of what is going on in their offices, and report a member of the public plugging a USB drive into any computer. The IT network team allowed publicly accessible kiosks to have unrestricted access to the core internal network. The IT Ops team didn’t manage file-share and user permissions appropriately, allowing broad access to sensitive files. IT Management were told of security problems by external contractors over a year ago, and failed to resolve them. Ultimately, the CIO and his management team are responsible to ensure their staff have the expertise and resources required to do their jobs, which includes keeping sensitive information secure and confidential.
As you can see, it took multiple failures, across the organization for this problem to occur. Not every security threat is so simple, often a single failure can be enough for a security breach. Everyone in an organization needs to be aware of security, and responsible, as appropriate to their role. This may require training, and a good dose of common sense.
2) Security takes effort
In many organisations it can be easy to skip doing things the ‘right’ way, opting instead for the ‘right now’ way. If resources are stretched, and you can only do some tasks, it is often easiest to skip the ones that don’t affect you right now. In this case security issues with the Kiosks were raised by an external contractor (good!) but MSD chose to ignore the findings. Being proactive and fixing problems, both security and non-security, requires effort but can also prevent embarrassing and potentially serious disasters. Just think for a minute what a similar breach could do to your organisation.
3) Communication is important
Security is largely about managing risk, balancing the cost to fix an issue against the risk (likelihood x impact). It may not make sense to fix a single problem if the cost to do so is high, while the associated impact and likelihood are both low. Every organisation is different, situations change, and risk will vary. Establishing and prioritizing cost/risk usually requires input from multiple people, and then needs to be clearly communicated so you can get resources to resolve the issue.
The Assistant Privacy Commissioner, CIO of MSD, and the Minister for Social Development responded quickly after the issue was made public. They communicated the risk, who/what was affected, and the next steps, all based on information available. To co-ordinate this information would have required a significant amount of communication, is a positive example.
Conclusion
The good news is this flaw was discovered by a sysadmin and a journalist, and there have been no indications of criminal hacking. It looks like positive steps are being taken to address security not just at MSD, but across all Government departments.
Looking at and learning from public incidents like this is a really good tool, and as more facts come to light I am sure there will be more things to learn. Hopefully at least some information from the upcoming audits will be made public.
Update:
The Ministry of Social Development has released the first Deloitte reports (of two) into the incident. An additional review is also being done by the Office of the GCIO.
This first Deloitte report makes for interesting reading, but skims over some of what I believe are the core problems (this is partly through scope) and raises further questions. I really do suggest reading it, and would be interested to hear your thoughts below.