By Jeremy Loome
October 2, 2007
Security holes at Albertas government offices and educational
institutions contributed to computer network breaches at Alberta Health
and Grant MacEwan College, according to the Auditor General.
They were the most serious among dozens of security protocol issues at
just about every level of government and the education community. In
many, the breaches were as simple as not having proper password policies
But in the cases of MacEwan College and the health department, the
breaches potentially exposed their networks; the former left unfettered
internet access to private financial documents, while the latter logged
unknown, unauthorized connections during occasional security checks.
Its impossible to tell in either case whether important personal
information was stolen. But even if there wasnt direct theft, the
breaches could have opened up both systems to the litany of tools
hackers have to get more information, and more network access.
If the breach was from a wireless network hub, for example, it could be
used to set up a ghost site that looks like it belongs to the department
but is simply there to skim information. People connecting to the
wireless hub would then actually be connecting to the hackers machine.
What we were referring to in (the health departments) cases were the
existence of unauthorized devices on the network at some point, and
given that it was after the fact, you cant tell what the devices were,
said Viveck Dharap, the executive director of information systems audit
for the AGs office.
The issue then becomes is it (a hub) that was broadcasting, which you
could then use to capture information and breach the network.
MacEwans problem may have been even more dangerous: a software glitch
led to internal financial journals containing personal information and
credit card numbers to be accessed externally through the colleges
The problem only occurred for a couple of months in 2005-2006 and was
corrected once identified by auditor general investigators, said college
spokesman Gord Turtle.
It was looked into and there was no evidence that the personal
information was used, and we never got any complaints, he said. But Im
not trying to minimize the concerns.
The problem briefly reoccurred last year when the site was available
from within the college but to staff who shouldnt have had access. That
was a common problem at several institutions, such as the University of
Calgary and the Alberta Cancer Board, where former staff could still
access their networks using their old, passwords.
At Alberta Health, the department actually found the unauthorized access
records during occasional checks. It has agreed to fully automate the
system so it will know much more quickly if a breach occurs, said
spokesperson Shannon Haggerty.
Dharap said public bodies still dont quite understand how important
information technology security is.
It is a recurring theme throughout the report in that most of those we
audited had concerns over the security of IT and access, he said. And
the common recommendation was the need to have a control framework in
place. In may cases they have informal systems and practices but without
a proper control framework they dont have any guarantees.
Liberal critic Laurie Blakeman called the security concerns frustrating,
because the auditor has been telling the government this for a number of
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com