The highly critical audit comes amid heightened concerns about hacking of government systems, including election systems, by Russia and others and as Gov. Rick Snyder has tried to position Michigan government as a leader in the cyber security field.
The report made no specific findings about the statewide voter database or any other specific systems, instead addressing vulnerabilities across all departments, where the computer network and devices are the responsibility of the Department of Technology, Management and Budget.
Though the department handles computer security for the Michigan Secretary of State, which oversees elections and the voter database, it does not handle security for actual voting and tabulating systems, which are operated by local governments.
State government also collects and holds information related to income tax returns and applications for unemployment insurance and social programs such as welfare, all of which contain highly personal and confidential information.
Concerns cited in the report ranged from security settings on state devices, to access to the state network by unauthorized devices, to use of outdated operating systems that don't receive new security patches, to a lack of cyber security awareness among state employees.
The agency "had not fully established and implemented configuration management controls to ensure that the State's network devices are securely configured," said the report released early Friday by Auditor General Doug Ringler.
"Configuration management controls directly impact DTMB's ability to protect the State's network from threats and vulnerabilities."
The state agreed or partially agreed with most of the auditor's findings, but disagreed with how serious some of the findings are, insisting it has strong measures in place to protect the state's computer system from outside attacks.
"The data held within the state government network is safe and secure due to the many layers of protection in our security ecosystem," said Caleb Buhs, a spokesman for DTMB.
"The recommendations that they made reflect best business practices, many of which we have already begun to implement. This audit provides us with a good road map for prioritizing future technology infrastructure investments."
The report found that DTMB failed to:
Formally adopt industry best practices for securing network devices. Instead, the agency told the auditor it used vendor-recommended settings and internal experts to create "configuration checklists" for securing network devices.
Configure device operating systems in accordance with best practices. The auditor reviewed 45 devices in the state network and found that 100% of them had deviations from vendor guidelines and DTMB standards. The auditor found between six and 26 deviations on each device. "The configuration of an information system and its components has a direct impact on the security posture of the system," the auditor said.
Adequately raise cyber security awareness among state employees. The auditor conducted a "phishing exercise" — similar to ones used by hackers to gain unauthorized access to computer systems — on 5,000 state employees. The test involved an e-mail requesting employees to click on a link and enter their credentials. Of the employees tested, 32% opened the e-mail, 25% clicked the link, and 19% entered their credentials, the auditor found. "The potential consequences from being phished include identity theft, unauthorized use of accounts, stolen information, and damage to credibility, all of which may take years for an organization to recover," the report said.
Conduct a "risk assessment" of the network, which the auditor says should be conducted at least annually. The auditor reviewed 45 state devices and found that the agency had not conducted vulnerability scans, which are supposed to be completed every 30 days, on any of them.
Ensure that only authorized devices access the state's information technology network. As of June 2017, about 87,000 different IP addresses were connected to the state's system, but "DTMB did not implement sufficient processes to determine if each of the connected IP addresses represented authorized devices."
Implement an effective system for managing updates to device operating systems. The auditor said it reviewed vendor-issued security advisories for four operating systems that are running on 1,361 of the state's 3,126 network devices. The auditor looked at 28 vulnerabilities the vendor had classified as medium or high risk and found that the state had not remediated 10, or 36%, of them. Also, state devices use about 140 different operating system versions, "which can increase the complexity of managing updates and reviewing these security advisories," the report said.
Make sure that only devices still supported by vendors are operating in the state's IT system. The auditor reviewed hardware and software information for 3,876 network devices and found 745, or 19%, of the devices were no longer supported by the vendor and 190, or 5%, were running operating systems that were no longer vendor-supported. "Unsupported network devices become obsolete and security patches or technical support may no longer be available," the report said. "This results in an increased risk of network failure, which could negatively impact the availability of the State's critical systems."
Implement a system to make sure the network is protected against threats presented by unauthorized wireless access, which can include denial-of-service attacks and capture of sensitive information by unauthorized parties.
Ensure state employees responsible for securing the network are adequately trained. The agency "was unable to provide historical training records for all staff to demonstrate that staff had received the necessary training and that it was evaluated for effectiveness," the report said.
Establish and implement effective controls over management of the state's computer firewalls to help protect the network from threats. A review of 48 firewall rule changes found missing documentation and/or approvals in between 7% and 29% of the changes.
The audit said the state failed to develop internal security configuration checklists, consistent with best practices, for all network devices.
The state also failed to establish a formal process to review and update internal security configuration checklists and baseline configurations of network devices, the report said. The auditor said configurations should be reviewed and updated at least every 90 days, but DTMB said it performed updates in response to major events and on an "as-needed" basis.
The audit said DTMB failed to establish a process to routinely monitor network device security configuration settings. The agency said it monitors changes to the configuration of about 3% of the 3,876 network devices, but the auditor said DTMB should be monitoring all of them to make sure they are in compliance.
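To illustrate the routine configuration monitoring the auditor called for, here is an added example written for this page; it is not DTMB's tooling, the auditor's test procedure, or code from the report. It checks every device's running configuration against an internal security configuration checklist and counts deviations per device, the fleet-wide check the auditor said should cover all 3,876 devices rather than the roughly 3% DTMB monitored. The baseline settings, device names, and configuration dumps are constructed for illustration; a real deployment would feed it configurations pulled from the devices and a checklist derived from the adopted standard.

```python
"""Baseline compliance check over a fleet of network device configs.

Added example (not DTMB's or the auditor's code).  The baseline, the
device names and the config dumps below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed checklist: setting -> required value.  For settings listed in
# EXISTENCE the required value is "present" or "absent" rather than a literal.
BASELINE = {
    "ssh_version": "2",
    "telnet_enabled": "no",
    "snmp_version": "3",
    "snmp_community_public": "absent",
    "ntp_authentication": "yes",
    "logging_remote": "yes",
    "exec_timeout_minutes": "10",
    "banner_motd": "present",
}
EXISTENCE = {"snmp_community_public", "banner_motd"}


@dataclass
class Deviation:
    device: str
    setting: str
    expected: str
    actual: Optional[str]  # None means the setting was absent from the config


def parse_config(text: str) -> Dict[str, str]:
    """Parse a simple 'key value' config dump; '!' and '#' lines are comments."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!#":
            continue
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg


def check_device(name: str, cfg: Dict[str, str], baseline=BASELINE) -> List[Deviation]:
    """Return every checklist item the device's config fails."""
    devs: List[Deviation] = []
    for setting, expected in baseline.items():
        actual = cfg.get(setting)
        if setting in EXISTENCE:
            state = "present" if actual is not None else "absent"
            if state != expected:
                devs.append(Deviation(name, setting, expected, actual))
        elif actual != expected:
            devs.append(Deviation(name, setting, expected, actual))
    return devs


def audit_fleet(configs: Dict[str, str]) -> Dict[str, List[Deviation]]:
    """Run the check over every device supplied, not a sample of them."""
    return {name: check_device(name, parse_config(text)) for name, text in configs.items()}


def summarize(results: Dict[str, List[Deviation]]) -> Dict[str, int]:
    """Fleet-level numbers of the kind an auditor reports."""
    counts = {n: len(d) for n, d in results.items()}
    noncompliant = [n for n, c in counts.items() if c]
    return {
        "devices": len(results),
        "noncompliant": len(noncompliant),
        "pct_noncompliant": round(100 * len(noncompliant) / len(results)) if results else 0,
        "min_deviations": min(counts.values()) if counts else 0,
        "max_deviations": max(counts.values()) if counts else 0,
    }


# Constructed sample running configs (hypothetical device names).
SAMPLE_CONFIGS = {
    "core-sw-01": """
! constructed sample: fully compliant device
ssh_version 2
telnet_enabled no
snmp_version 3
ntp_authentication yes
logging_remote yes
exec_timeout_minutes 10
banner_motd Authorized use only
""",
    "edge-rtr-07": """
! constructed sample: legacy settings, no banner, public SNMP community
ssh_version 1
telnet_enabled yes
snmp_version 2c
snmp_community_public RO
ntp_authentication no
logging_remote no
exec_timeout_minutes 0
""",
}

if __name__ == "__main__":
    results = audit_fleet(SAMPLE_CONFIGS)
    for device, devs in results.items():
        print(f"{device}: {len(devs)} deviation(s)")
        for d in devs:
            print(f"  {d.setting}: expected {d.expected}, got {d.actual!r}")
    print(summarize(results))
```

Run against the two constructed configs, the compliant switch reports no deviations and the router reports one for every checklist item, which is the per-device count the auditor tallied (six to 26 on the real devices). Scheduling this over the full inventory, and diffing the checklist itself against the vendor guidance at least every 90 days, is the process the finding says was missing.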
In its response, the agency said it is finalizing a standard that will adopt industry best practices for secure configurations and expects that to be completed in April. The agency disagreed the configuration issues are as serious as the auditor said, saying it uses a "defense in-depth approach," as well as a risk-based approach, to "protect the State's network from threats and vulnerabilities."
As far as access to the state system, DTMB again disagreed that the findings were as serious as the auditor said.
The agency said it has a limited pilot study under way to explore implementing a "network access control" plan to assure only authorized devices connect to the system. But it said there are many other ways of achieving this goal that the state already uses, such as system firewalls, disabling network ports that are not regularly used, requiring user authentication, and monitoring traffic for hacking and viruses.
The agency said it agreed with the recommendations about updating operating systems and expected to have an improved system in place this month.
On replacing network devices that are no longer vendor-supported, "fiscal resources will limit the replacement of unsupported network devices until 2019, but the management process will be in place" to do so.
The agency disagreed with the auditor's finding that it needs to implement an effective risk management plan, saying it has already done so. DTMB said its third-party vulnerability management tool has not been configured to allow for authenticated scans, which explains why the auditor did not find those scans, but that doesn't mean the system and devices are not being scanned for vulnerabilities.
On the auditor's test "phishing" attack, the state said the test e-mail was reported to its security tips mailbox multiple times, and other controls are in place to limit the effectiveness of such attacks. But the agency said it is working to improve its cyber security training and monitor the effectiveness of that training.