Outdated IT Systems Leave Michigan Vulnerable to Cyberattacks, Report Says

Hundreds of state servers are open to attack due to ineffective security, poor password to control and failure to install security patches.

by Paul Egan, Detroit Free Press / December 18, 2015
Gov. Rick Snyder has identified cybersecurity as a major issue and is seeking to make the state a national leader in the field. Flickr/Detroit Regional Chamber

(TNS) — LANSING -- Hundreds of state computer servers are vulnerable to hacking and failure because of outdated operating systems, ineffective security configurations, poor password control, failure to install security patches and a lack of timely scanning to detect vulnerabilities, according to a report released Thursday by Michigan Auditor General Doug Ringler.

The servers scrutinized in the audit support "systems and data critical for the operation and oversight of state government," including state employee payroll, welfare payments and services, the tracking and management of road and bridge construction projects and payments, and information on state prisoners and offenders on parole and probation.

The report comes as Gov. Rick Snyder has identified cybersecurity as a major issue and is seeking to make Michigan a national leader in the field.

The Department of Technology, Management and Budget, which is responsible for the state's information technology, says in the report that it agrees with the report's seven findings and 10 related recommendations and is working to implement them.

The audit examined the 950 state computer servers that use UNIX operating systems. That's about 20% of the total. Most state servers use the Windows operating system.

The auditor sampled the UNIX servers and found security vulnerabilities on all of them, according to the report.

"We judgmentally selected 63 of the state's approximately 950 UNIX servers to review operating system security configurations," the report says.

"We noted potentially vulnerable security configurations on 59 (94%) of the 63 servers."

The auditor didn't examine the configurations on the other four servers in the sample because they were running versions of UNIX that were no longer supported by the vendor, which means they don't get required security updates and are vulnerable to attack.

The audit found that 41% of the versions of UNIX the state was using were no longer supported by the vendor, with five versions being unsupported for more than 10 years.

"Because these operating systems were unsupported and not using current versions, DTMB's automated tool for detecting vulnerabilities could not be installed on these servers," the report said.

DTMB spokesman Caleb Buhs said Thursday the department is "committed to taking the necessary steps to correct the concerns that were raised."

"DTMB was already in the process of addressing many of the issues that were raised and we appreciate the review ... which validates the work we’ve already begun," he said in an e-mail.

Among the audit's other findings:

*For 90% of the servers sampled, required security patches were not installed in a timely manner.

*DTMB did not establish and implement effective access controls over the state's UNIX operating systems to help prevent or detect inappropriate access to data.

*Passwords were not changed in a timely manner for 84% of the servers and one password had not been changed for about nine years.

*Vulnerability scans were not performed monthly on 47% of the servers sampled. Some servers had not been scanned in more than two years.

*DTMB spent $2.9 million on an automated tool for detecting and remediating security vulnerabilities, but had not installed the tool on all of its servers.

*Since 2009, DTMB pays a vendor about $264,000 a year to administer certain UNIX servers and renewed that contract for another year in 2014, despite the fact the contract required the vendor to train state employees to do the work and DTMB has 16 employees capable of doing the work.

©2015 the Detroit Free Press, Distributed by Tribune Content Agency, LLC.