Kansas auditors crack 1,000 passwords
- By Wilson P. Dizard III
- Nov 07, 2003
The Kansas Health and Environment Department has serious IT security and disaster recovery problems, the state's legislative auditor has found. The auditors said they used password-cracking software to decipher more than 1,000 of the department's passwords, including several administrative passwords, or 60 percent of the total, in three minutes.
The department began fixing the security weaknesses and other problems found in its systems as soon as it learned of them, department secretary Roderick L. Bremby said in response to the report.
'The department's antivirus system was badly flawed, allowing computers to become infected with a large number of different viruses, worms and Trojan horses,' said the report, Kansas Department of Health and Environment Information Systems: Reviewing the Department's Management of Those Systems.
'The department's firewall was poorly configured, creating several large holes in and out,' the report said. Auditors found that the department lacked or failed to enforce many basic security policies, such as procedures for incident response, physical security, configuration documentation and former-user account deletion. They also found several major problems with security planning.
The auditors concluded that the department lacked the tools necessary to recover from a disaster and said the plan, left over from the year 2000 rollover, 'would be nearly useless in a disaster.'
In response to the auditors' recommendations, the department hired FishNet Security Inc. of Kansas City, Mo., for a complete vulnerability assessment.
In response to the auditors' recommendations to overhaul systems security and other IT problems, Bremby wrote, 'All recommendations will be ranked and prioritized by risk, and deadlines will be established to complete all recommendations as quickly as possible.' He encouraged the auditors to conduct a second review within a year.