Sunday, May 10, 2020

Repost - Ministry of Social Development - a study in security architecture and governance failure

In case you haven't heard, a high-profile blogger acting on a tip-off identified that pretty much complete access to all the internal file shares on the corporate network of New Zealand's Ministry of Social Development (MSD) was available via their public access kiosk computers. Other interesting facts have come to light, such as that the vulnerabilities had been reported in a penetration test and not acted upon.
Firstly let's think about the security architectural failures here.
1. There was no network segregation between the kiosks and the greater MSD network. This may indicate a lack of understanding of the requirement for, and use of, a security "zone model".
2. Some of the most sensitive data held by MSD was stored on open file shares. This may indicate a lack of understanding of the "principle of least privilege".
3. Virtualisation snapshots of servers were also available on open file shares, allowing an attacker to potentially "take away" whole internal servers and crack into their contents offline. This may indicate a lack of security consideration around backup data.
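To make the "zone model" in point 1 concrete, here is a small policy evaluator, added as an example and not part of the original post or anything MSD actually ran. Zone names, subnets (documentation ranges) and the flow list are all constructed; the point is that a kiosk zone should only ever have a short, explicit allow-list, with everything else, including SMB into the corporate zone, denied by default.

```python
"""Zone-model flow check: default deny, explicit allow-list between zones.

Constructed example. Zones, subnets and sample flows are hypothetical and
do not describe any real network.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Hypothetical zones and the subnets that belong to each.
ZONES: Dict[str, List[ipaddress.IPv4Network]] = {
    "kiosk": [ipaddress.ip_network("10.50.0.0/24")],
    "corporate": [ipaddress.ip_network("10.0.0.0/16")],
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],  # TEST-NET-1 documentation range
}

# Only these (source zone, destination zone, TCP port) flows are permitted.
# Anything not listed is denied, which is what "zone model" means in practice.
ALLOWED_FLOWS = {
    ("kiosk", "dmz", 443),          # kiosks reach the public web proxy only
    ("corporate", "dmz", 443),
    ("corporate", "corporate", 445),  # SMB file sharing stays inside corporate
}


def zone_of(address: str) -> Optional[str]:
    """Return the zone containing the address, or None if it is unassigned."""
    ip = ipaddress.ip_address(address)
    for name, networks in ZONES.items():
        if any(ip in net for net in networks):
            return name
    return None


def is_permitted(src: str, dst: str, port: int) -> bool:
    """Default deny: a flow is allowed only if both zones are known and
    the (src_zone, dst_zone, port) triple is on the allow-list."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False
    return (src_zone, dst_zone, port) in ALLOWED_FLOWS


def evaluate(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str]]:
    """Annotate each observed flow with ALLOW or DENY under the policy."""
    return [(s, d, p, "ALLOW" if is_permitted(s, d, p) else "DENY") for s, d, p in flows]


# Constructed sample flows: the second one is the kiosk-to-file-server case.
SAMPLE_FLOWS = [
    ("10.50.0.7", "192.0.2.10", 443),   # kiosk -> web proxy: fine
    ("10.50.0.7", "10.0.3.20", 445),    # kiosk -> corporate SMB: must be denied
    ("10.0.3.20", "10.0.3.21", 445),    # corporate -> corporate SMB: fine
    ("10.50.0.7", "203.0.113.5", 443),  # kiosk -> unknown zone: denied by default
]

if __name__ == "__main__":
    for src, dst, port, verdict in evaluate(SAMPLE_FLOWS):
        print(f"{src:>12} -> {dst:<12} tcp/{port:<4} {verdict}")
```

The evaluator is deliberately default-deny: an address in no zone gets no access, and a flow not on the allow-list is refused even between two known zones. The same shape maps directly onto firewall or VLAN ACL rules between a kiosk segment and the corporate segment.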
Secondly, let's think about the security governance failures.
1. A penetration test report was commissioned from a third party (Dimension Data) but its recommendations were not acted upon. This indicates either that the risks identified were not actively tracked in a risk register, or that the risk was accepted without treatment because the context of the findings was misunderstood. If we apply some "black hat thinking", to borrow Edward de Bono's phrase, it is possible that the report was "locked in the bottom drawer" and conveniently forgotten by a project manager or similar functionary who would be personally impacted by a budget overrun.
2. No information classification scheme was applied. It is normal for "ordinary organisational data" to go unlabelled, but the most important data in the organisation should be classified. For example, the locations and details of "at risk" children should be classified and highly restricted.
3. Security controls were not applied commensurate with the security classification of the data. It would make sense to encrypt and password-protect such sensitive data, as well as storing it on restricted file shares.
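Architecture points 2 and 3 and governance points 2 and 3 all come down to the same check: does each share's access control match the classification of what is on it, and are server images sitting where anyone can read them? The following audit is an added example, not code from the post or from MSD; the classification labels, the "open" principal names, the file extensions treated as VM images, and the share inventory are all constructed assumptions. A real run would feed it ACLs pulled from the file servers.

```python
"""Audit a file-share inventory against a data-classification policy.

Constructed example: labels, principals and the share records are made up
for illustration. Flags (a) sensitive or restricted data readable by open
groups, (b) restricted data stored unencrypted, and (c) virtual-machine
disks or snapshots on open shares.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical classification labels, ranked least to most sensitive.
CLASSIFICATION_RANK = {"PUBLIC": 0, "INTERNAL": 1, "SENSITIVE": 2, "RESTRICTED": 3}

# Principals that make a share effectively open to anyone on the network.
OPEN_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "Guest"}

# Extensions that typically hold whole VM disks or snapshots (assumed list).
VM_IMAGE_SUFFIXES = (".vmdk", ".vhd", ".vhdx", ".vmsn", ".ova", ".qcow2")


@dataclass
class Share:
    name: str
    classification: str            # label assigned to the data on the share
    read_principals: List[str]     # who can read the share
    encrypted_at_rest: bool
    sample_files: List[str] = field(default_factory=list)


def audit_share(share: Share) -> List[str]:
    """Return a list of findings for one share (empty list means clean)."""
    findings: List[str] = []
    rank = CLASSIFICATION_RANK[share.classification]
    is_open = any(p in OPEN_PRINCIPALS for p in share.read_principals)

    # Least privilege: SENSITIVE or above must never be readable by open groups.
    if is_open and rank >= CLASSIFICATION_RANK["SENSITIVE"]:
        findings.append(f"{share.name}: {share.classification} data readable by an open group")

    # Controls commensurate with classification: RESTRICTED must be encrypted.
    if rank >= CLASSIFICATION_RANK["RESTRICTED"] and not share.encrypted_at_rest:
        findings.append(f"{share.name}: RESTRICTED data stored without encryption at rest")

    # Backup / snapshot hygiene: whole server images on an open share.
    vm_files = [f for f in share.sample_files if f.lower().endswith(VM_IMAGE_SUFFIXES)]
    if is_open and vm_files:
        findings.append(f"{share.name}: VM image or snapshot files on an open share: {', '.join(vm_files)}")
    return findings


def audit_inventory(shares: List[Share]) -> Dict[str, List[str]]:
    """Map each share name to its findings."""
    return {s.name: audit_share(s) for s in shares}


# Constructed inventory; names and contents are illustrative only.
SAMPLE_SHARES = [
    Share(r"\\files01\public", "PUBLIC", ["Everyone"], False, ["forms/application.pdf"]),
    Share(r"\\files01\casework", "RESTRICTED", ["Domain Users"], False, ["cases/at-risk-register.xlsx"]),
    Share(r"\\files02\backups", "INTERNAL", ["Everyone"], False, ["vm/ad01.vmdk", "vm/ad01-snapshot.vmsn"]),
    Share(r"\\files03\hr", "SENSITIVE", ["HR-Staff"], True, ["payroll.csv"]),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_SHARES).items():
        print(name, "OK" if not findings else "")
        for line in findings:
            print("   -", line)
```

Note that the audit keys its rules off the classification label, which is exactly why governance point 2 matters: without a label on the share, there is nothing for the "commensurate controls" check to compare against, and the casework share would look the same as the public one.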
If you think this was bad, imagine what a "black hat" could have done with a boot CD or USB of the BackTrack security testing operating system in one of those public access kiosks... obviously some people at MSD can't.
