Sunday, May 10, 2020

Repost - Ministry of Social Development - a study in security architecture and governance failure

In case you haven't heard, a high-profile blogger acting on a tip-off identified that pretty much complete access was available to all the internal file shares on the corporate network of New Zealand's Ministry of Social Development (MSD) via their public access kiosk computers. Other facts have since come to light, such as that the vulnerabilities had been reported in a penetration test and not acted upon.
Firstly, let's think about the security architecture failures here.
1. There was no network segregation between the kiosks and the greater MSD network. This may indicate a lack of understanding of the requirement for, and use of, a security "zone model".
2. Some of the most sensitive data available to MSD was stored on open file shares. This may indicate a lack of understanding of the "principle of least privilege".
3. Virtualisation snapshots of servers were also available on open file shares, allowing an attacker to potentially "take away" internal servers and crack into their contents at leisure. This may indicate a lack of security consideration around backup data.
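As an added illustration (not from the original post), here is a small audit that scores a share inventory against the three architecture points above: kiosk-zone reachability, broad read ACLs, and virtualisation snapshots sitting on a share. The zone rules, share names, principals and file names are constructed assumptions.

```python
"""Audit a share inventory for the three failure patterns described above."""
from dataclasses import dataclass

# Principals that amount to "open to anyone on the network" (assumed list)
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "Anonymous"}
# File suffixes that indicate a VM snapshot or server backup (assumed list)
SNAPSHOT_SUFFIXES = (".vmdk", ".vhd", ".vhdx", ".ova", ".bak")

@dataclass
class Share:
    name: str
    zone: str              # network zone hosting the share, e.g. "internal"
    read_principals: set   # principals granted read access
    files: list            # file names found on the share
    classification: str = "unclassified"

def reachable_from(zone_rules, src_zone, dst_zone) -> bool:
    """Zone model: only explicitly allowed (src, dst) pairs are reachable."""
    return zone_rules.get((src_zone, dst_zone), False)

def audit_share(share, zone_rules, kiosk_zone="kiosk") -> list:
    """Return the findings for one share, in a fixed order."""
    findings = []
    broad = bool(share.read_principals & BROAD_PRINCIPALS)
    if reachable_from(zone_rules, kiosk_zone, share.zone):
        findings.append("reachable-from-kiosk")      # no segregation
    if broad:
        findings.append("broad-read-acl")            # least privilege not applied
    if any(f.lower().endswith(SNAPSHOT_SUFFIXES) for f in share.files):
        findings.append("snapshot-on-share")         # backup data exposed
    if broad and share.classification != "unclassified":
        findings.append("classification-control-mismatch")
    return findings

def audit(shares, zone_rules) -> dict:
    return {s.name: audit_share(s, zone_rules) for s in shares}

# Constructed sample: a flat network where kiosks reach everything, versus a
# zoned one where kiosks may only reach the DMZ.
FLAT_RULES = {("kiosk", "internal"): True, ("kiosk", "dmz"): True}
ZONED_RULES = {("kiosk", "dmz"): True}  # kiosk -> internal absent, so denied

SAMPLE_SHARES = [
    Share("casefiles", "internal", {"Everyone"}, ["client_a.docx"], "restricted"),
    Share("vmbackups", "internal", {"Domain Users"}, ["dc01.vmdk", "fs01.vhdx"]),
    Share("public", "dmz", {"Everyone"}, ["brochure.pdf"]),
]

if __name__ == "__main__":
    for name, found in audit(SAMPLE_SHARES, FLAT_RULES).items():
        print(f"{name}: {found or 'ok'}")
```

Re-running the same inventory against ZONED_RULES clears the reachability finding for the internal shares while the ACL and snapshot findings remain, which is the point: segregation alone does not fix least privilege.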
Secondly, let's think about the security governance failures.
1. A penetration test report was commissioned from a third party (Dimension Data) but its recommendations were not acted upon. This indicates that either the identified risks were not actively tracked in a risk register, or that the risk was accepted without treatment because its context was misunderstood. If we apply some "black hat thinking", to borrow de Bono's term, it is possible that the report was "locked in the bottom drawer" and conveniently forgotten by a project manager or similar functionary who would be personally impacted by a budget overrun.
2. No information classification scheme was applied. It is normal for "ordinary organisational data" to go unlabelled, but the most important data in the organisation should be classified. For example, the locations and details of "at risk" children should be classified and highly restricted.
3. Security controls were not applied commensurate with the classification of the data. It would make sense to encrypt and password-protect such sensitive data, as well as storing it on restricted file shares.
If you think this was bad, imagine what a "black hat" could have done with a boot CD or USB of the BackTrack security-testing operating system in one of those public access kiosks... obviously some people at MSD can't.
