Auditor flags security flaws in N.S. gov't computers
Nova Scotia Auditor General Jacques Lapointe fields questions at a news conference in Halifax on Wednesday, Nov. 17, 2010. (Andrew Vaughan / THE CANADIAN PRESS)
The Canadian Press
Published Thursday, November 18, 2010 6:46AM EST
HALIFAX - Security weaknesses in computer systems operated by Service Nova Scotia and Municipal Relations place a wide range of personal and business information at risk, the auditor general concluded in a report released Wednesday.
Jacques Lapointe said he found problems in the way passwords are controlled, computer accounts are set up and security changes are made, which means there's a risk information in three of four registries can be used inappropriately by department staff and contract employees.
The problems primarily affect the land, business and joint stock registries.
"Security configuration settings for the IT systems that support the registries are not sufficient to prevent unauthorized access," the report states. "Improperly configured systems limit (the department's) ability to ensure information it retains is secure."
Lapointe said that in addition to the internal risk, the potential exists for external hackers to get into the system through collusion, bribery and blackmail, which could lead to identity theft, the loss of land ownership or the disruption of business operations.
He noted that his audit did not find any examples of the system being breached, although there have been two alleged cases of fraud by government employees in recent years.
"But we did find a very high risk of problems occurring because of the weaknesses being in place," said Lapointe.
The audit examined password and user account settings and found that they do not prevent employees from using weak passwords. The report says a password-cracking tool was used to get the password of four user accounts within a 20-hour period.
Lapointe said these kinds of problems can be fixed through reconfiguring existing computer systems and by implementing new policies and procedures.
"A lot of it doesn't involve anything fancy in terms of IT work," he said. "What we're asking them to do doesn't require a lot of money or a lot of resources."
Lapointe's report also criticizes the Community Services Department for failing to properly assess whether the needs of people with disabilities are being met in some of its community-based services, which includes family support, independent living and small homes where three or fewer people with disabilities receive care.
And he found that procedures to investigate complaints about the homes are inadequate.
Lapointe said the problems he found could result in people with disabilities failing to receive the care they need.
He said as with the computer problem, relatively simple solutions can be found through better direction and through following procedure.
"It's matter of just doing things more rigorously ... rather than spending a lot of money or bringing in more people."