Before I got into “Enterprise” and Government computer work, I would daydream about corporate computer systems. I imagined them being similar to what we see in the movies: awesome firewalls, and control rooms full of blinking lights, run by conscientious, dedicated sysadmins.
After years working on and in these systems, I know the truth. The truth is, your average large-scale computer system is clunky, probably held together by text files and FTP transfers, and nothing much more than one giant short-cut. This is evidenced by Keith Ng’s recent discovery at the Ministry of Social Development.
IT projects that start out with the best of intentions get ramrodded into a column of compressed bullshit in so many ways it’s depressing. It starts with the original tender process whereby competing companies under-bid each other in an almost complete knowledge vacuum to win the right to build a system that’s already under tight marketing (or legal, or financial) deadlines.
In the response documents for these tenders, you’ll find the “security” section is almost always a copy-paste from the sales documentation for the product being used. Find a whitepaper about Microsoft SharePoint Security and copy-paste the relevant sections. Do the same for Oracle, SAP or IBM. You’re not paid to produce the tender response, so why spend more time than necessary on it, right?
Then when the inevitable hurdles are encountered, every person presenting “proper” fixes is bashed into submission. “Ok then, give us two proposals, the ‘proper’ one, and a ‘shortcut’ with risks outlined”. Guess which one gets selected “because we have to meet deadlines”? Guess how many of the risks are addressed properly?
So yes, the MSD debacle is depressing. Not surprising, not alarming. Depressing. Someone, somewhere, knew what was going on. They knew that the kiosks were running with admin privileges, or that the unprivileged accounts on the network had too much access. They probably suggested putting a firewall between the kiosks and the network, but were told “hell no, we can’t afford a firewalled network port in every single MSD office”.
Or perhaps a junior staffer was sent out to set up the kiosks, and couldn’t get them working right, so she logged in with an admin password to make everything work. Maybe she called her manager and said “hey I’ve done it this way, I know it’s wrong, but I’m not sure how to fix it, can we book someone more senior to sort it out?”
Or perhaps someone requested that the kiosk login account be added to the security group that permits internet access, and no one thought to check if that group also had access to thousands of files.
Perhaps even somewhere there’s an entry on a “risk analysis” spreadsheet that says “Kiosks have too little security and may allow unauthorised access (Risk likelihood: moderate, Risk impact: high)”, and this has been glanced over by an assistant to a CxO and signed off as OK. I doubt it.
I doubt we’ll ever hear exactly what went wrong. Rest assured, however, that holes like this exist in every single government department and corporate IT system in New Zealand.
Until we start from a culture of security and professionalism, nothing will change.