Among the vulnerable databases were those containing user names, passwords and bank account information. “Some of the findings would have exposed the government to problems,” Strelioff said.
In his audit, Strelioff found a firewall that was inoperative for hours at a time.
A hacker could have entered the system, carried out transactions, and removed all traces of those transactions. “When the firewall’s down, that can happen,” Strelioff said.
At one point during their audit, inspectors from Strelioff’s office discovered that the firewall had been out of action for 15 hours before support staff noticed that no entries were being made to a log. As a result, third-party e-mail relays occurred, making it appear that the messages originated from the CAS server.
Strelioff suggested that system access had been too broad: “Too many people had the ability to get into the system and make changes.”
Numerous schools, private businesses, wireless connections and “undefined addresses” were allowed through the firewall.
The report did find that overall, the control environment was well-managed. For instance, the government has created a position for a dedicated “enterprise security officer.”
But while many needed controls over the Oracle database were in place, Strelioff found some deficiencies that “could jeopardize the integrity and reliability” of the database’s information.
“At the time of our audit we found that, because of both the unmonitored access gained through the Unix operating system and the absence of auditing access logs, some data tables that would generally be evaluated as properly secured were in fact at risk of undetected access,” the report said.
“That is, they could be changed or deleted without any trace of activity in the system.”
Auditors also discovered that one of the default usernames was still set to the default password. Default usernames and passwords are commonly supplied with commercial software packages for use by system administrators. Once the software is installed, the passwords are supposed to be changed before it is active.
In this case, the default password was still being used because six months earlier, a patch had restored the password to the default.
In responding to Strelioff’s findings, the finance ministry said it has either fixed or is “working on” all of the vulnerabilities. For instance, the ministry has narrowed the IP subnets allowed through the CAS firewall down to specific IP ranges, according to a written response included in Strelioff’s report.
It is also working on a process to notify support staff when the firewall is not running.