The Michigan Office of the Auditor General (OAG) undertook the performance audit, released in March, to assess the state network and cybersecurity, including the “availability, confidentiality and integrity” of network and data, and how the agency’s network, computers and data are defended from breaches.
“Protecting a computer network entails a series of defensive mechanisms at various layers of security (the concept of defense in depth). Network security is just one of those layers. Although we identified 14 findings, we concluded that DTMB was moderately effective or moderately efficient for each of the four audit objectives,” Kelly C. Miller, the OAG’s state relations officer, told Government Technology via email.
Miller indicated the audit was a result of the agency’s “annual risk assessment process” in which it identified network and cybersecurity as “high risk areas,” and was not prompted by an event or incident.
“The audit findings are significant because the design and administration of the state of Michigan’s network impacts the security of the state’s overall IT resources and data,” Miller added, noting OAG believes DTMB agrees improvements are necessary — a positive sign.
In a March 16 letter to DTMB Director and state CIO David DeVries, state Auditor General Doug Ringler informed the agency it would have 60 days to “develop a plan to comply” with the audit’s recommendations. DTMB Director of Communications Caleb Buhs told GT via email that the agency is already preparing the “audit remediation plan,” due by May 15.
Buhs emphasized that data in the state’s network remains secure due to multilayered protection, as well as investments made in these protections in recent years.
“This audit, over a very specified functional area, highlighted incongruence between our dated policy and our evolving enterprise IT environment. We remain diligent and continue to evolve our tactics, techniques and procedures as the threat evolves,” Buhs told GT.
The audit, which has been considered by legislators during the past two weeks, made nine findings that rose the level of “reportable condition,” and five that were more serious, identifying “material” conditions. Among these five conditions, OAG found DTMB:
- “Did not implement a network access control (NAC) solution to help ensure” only authorized devices accessed the state IT network; and that unauthorized “or unmanaged” devices would be detected and blocked. OAG recommended DTMB implement an NAC solution. DTMB “partially agreed,” indicating it is “currently conducting a limited pilot” on the feasibility of doing so; but noted “there are numerous approaches” already in place to detect and block unauthorized devices, including disabling disused network ports; requiring user authentication to access state of Michigan (SOM) systems; and multifactor authentication for administrative access.
- Didn’t fully “establish and implement an effective process for managing” operating systems updates to network devices; and needs a formal process “for assessing the risk that security advisories have” on the state’s network device OS. OAG recommended DTMB “fully establish and implement” an effective update management process for OS on network devices. DTMB agreed with the recommendation, including the need for a “formal written process for analyzing security vulnerabilities and updating network devices,” and said it is formalizing “a written internal process.”
- Failed to regularly review, test and monitor firewall rulesets to securitize against threats and ensure “firewalls are operating as intended to prevent unauthorized access.” OAG recommended establishing and implementing “effective controls” over firewall management. DTMB agreed, indicating it will improve documentation, review and approval of firewall rulesets, and that since February 2015, it has stood up a “more structure automated audit process” to ensure firewall rules are “implemented in compliance with state standards.”
- Did not conduct a risk assessment and “fully implement an effective process for identifying and remediating vulnerabilities on network devices.” OAG recommended DTMB “fully establish and implement effective risk management practices” in the state IT network. The agency agreed and indicated since October it has begun implementing a risk management framework “adopted from federal agencies in accordance with National Institute of Standards and Technology (NIST) guidelines.”
- Needs “improved configuration management controls,” which “directly impact” its ability to protect the state network from threats and vulnerabilities. It recommended DTMB fully establish and implement such controls. The agency disagreed with DTMB that this was a material finding. DTMB indicated it already has a “defense-in-depth approach” that includes “effective configuration management controls” and creates security configuration checklists that outline settings for configuration and security items. The agency has “remediated 96 percent of the configuration exceptions to date,” Buhs said, and is at work on a new written internal standard to be finished later this month.
Buhs said the state does its own phishing tests of employees and contractors, including one campaign last fall that included all 53,491 state employees. In the test, only 18 percent of employees clicked the link, and 10 percent “proactively” forwarded the email to the state cybersecurity team.
Current state standards for ongoing training for security personnel require annual role-based training, he added. These training requirements were satisfied by staff, Buhs said, and a more comprehensive process following industry standards for documenting the training has been instituted. Additionally, an improved statewide security awareness program had been put in place with a new security training contract in March 2017.
In a review of network device life cycle management processes, OAG found 19 percent of 3,876 devices were no longer supported by the vendor; and 5 percent were running unsupported operating systems. DTMB said it evaluated and will replace “the majority of these devices as needed.”
The question of privilege, or who gets network access, is not an uncommon one in state and local governments. Upon scrutinizing administrative access, OAG found five accounts remained active after a user no longer worked for the state; four users with “access beyond what was required” to do their jobs; and one user with multiple accounts due to an employment change. Additionally, DTMB was unable to document management approval of access rights for 11 of 14 users reviewed.
OAG recommended DTMB “fully establish and implement effective administrative access controls over network devices.” DTMB agreed, said it has been “working on improvements to access controls,” and executed “many access corrections on the spot.”
DTMB is also conducting an IT policy improvement initiative expected to be complete in June, Buhs said.
This was DTMB’s second related audit in about 14 months. In January 2017, an OAG audit faulted DTMB strategies for helping state agencies identify critical “red card” systems and infrastructure, and plan for disaster recovery in an emergency.
In most instances relevant to designing and administering a secure IT network, Buhs said DTMB is taking the right measures, but may not have been properly documenting them. In other instances, he said, standards “have not been updated to reflect the enterprise aspect of the mission, or the current industry business practice.”
“We have been reviewing and updating our IT policies and technical standards to make them better align to industry best practices,” Buhs said.