Network security for the US State of Michigan has been rated as "moderately sufficient" in an audit of its Department of Technology, Management, and Budget (DTMB).
Michigan's DTMB, according to auditor Doug Ringler this month, got some things right but has a number of deficiencies in its IT security practices that need to be addressed.
The lackluster findings echo an audit of the US Department of Homeland Security released earlier this month and underscore how it is that government agencies continue to be victimized by hackers, state-sponsored or otherwise.
The Michigan audit, which spanned the period from October 2014 through September 2017, identified 14 findings, five of which are deemed "material" and nine of which are deemed "reportable," the former being more severe than the latter.
For example, the report says the DTMB hasn't fully implemented configuration management controls for its devices. The department, the audit says, monitors changes to the network configuration of only about 100 out of 3,876 devices (~3 per cent). The report contends that the agency should monitor the configuration settings for all of its devices.
DTMB only partially accepts this criticism, arguing that its defense-in-depth approach is effective and continues to improve.
The audit also says that DTMB failed to implement network access controls to keep unauthorized devices off Michigan's network. Again, DTMB says it only partially accepts this criticism, stressing that is has other approaches to preventing unauthorized or unmanaged devices from accessing its network.
As with the feds, DTMB falls short when it comes to patching vulnerabilities. The audit says it identified 10 vulnerabilities of high or medium severity that should have been addressed through software fixes.
Here, the DTMB has no argument.
The state's other material shortcomings include failure to review, test, and monitor firewall rules and failure to implement an effective process to identify and remediate vulnerabilities with network devices. And the DTMB agrees with these findings.
Among the nine less severe "reportable" conditions, the audit recommends that the state keep plugging away with its cybersecurity awareness training program.
To understand why, consider that when 5,000 randomly selected state employees across 18 executive branch departments were presented with a phishing email test, 32 per cent opened the phishing message, 25 per cent clicked on the link in the message, and 19 per cent submitted their credentials through the phishing website loaded by the link.
This is why we can't have nice things. ®