LANSING – Most of the state’s UNIX servers, operated by the Department of Technology, Management and Budget, had not been properly secured, an audit released Thursday said.

The performance audit of statewide UNIX security controls, for the period October 1, 2012, through August 31, 2015, found that of 63 servers tested, 59 had vulnerable security configurations. And 47 of the servers had not had a vulnerability scan conducted in more than a month.

But auditors found the department was moderately effective at both implementing security and access controls on the servers and establishing governance structures over the servers.

The state operates about 950 UNIX servers, the report said.

The department agreed with the findings and said it had purchased software to automate security settings and regular security scans on the servers. It said it is also developing a process to ensure vulnerability remediation is assigned to the correct division.

Auditors also cited the state for not consistently using supported versions of the operating system and not applying patches in a timely manner. The department also gave too much control over the servers to the Agency Services Division, allowing the possibility that security measures could be circumvented, the report said.

On the operating systems, the department said it is implementing policies to require all agencies to upgrade to supported versions as well as automated patch management.

It also said it is working to better segregate duties among the various groups overseeing the servers.

This story was published by Gongwer News Service. To subscribe, click on www.gongwer.com