County’s technology not secure

Alexis Barker
NLJ Reporter
 
A recent IT audit conducted and prepared by Pro River Technology of Colorado found that Weston County’s technology is in need of a security overhaul. After hearing the report on Nov. 18, the Weston County commissioners decided to discuss the IT audit findings with Golden West Technology, the county’s current IT support company, before determining the best action. 
“An 8-year-old with YouTube could get into your system today,” said Jon Iglehart, of Pro River Technology. “Please don’t take this as me saying they did something they shouldn’t have done. The network period has this problem.” 
According to the report, as far as the network goes, Weston County scored 90 percent on the risk assessment, 1 percent being the best and 100 percent being the worst. In terms of security, the county scored 75 percent on the risk assessment, with 100 percent being the least secure. 
Iglehart explained that several things go into computing these scores. He also specified why Weston County scored so low. 
The report states that the county’s active directory server has many user accounts that are not disabled, despite not having been used within the past 30 days. Iglehart explained that this means former employees still have access to the county’s servers through their old logins because those users were never removed.
“The network is being used mostly for shareware, webmail, social media and virus and warez traffic,” the report states. 
Meaning, according to Iglehart, that most of the internet traffic on county networks is not “typical of county business use” and includes accessing Facebook, YouTube and Gmail. 
Weston County’s security score was also figured to be relatively low on the spectrum. Iglehart said the low score reflected the number of internal attempts that failed to authenticate against server’s authentication, a typical sign of someone trying to gain access to the network or an improper use of service accounts on the network. He also stated that shared access to folders has been managed improperly and that managed switches do not have open ports disabled. 
Iglehart noted that user MWServices logged into the server 5,291 times in the past 30 days, WCC01$ logged in 4,497 times in the past 30 days, and JSellers had logged in over 4,711 times in the past 30 days. 
Jill Sellers (user JSellers) said that she had personally logged in that many times because every time she and her staff members leaves their computers, they are prompted to sign in again. Iglehart noted that this is the proper thing to do but that Sellers had hit their radar because other accounts are not following this protocol. 
As for individual departments, the findings varied, according to the report. Several issues were discovered, especially in the Weston County Public Health office’s network, which is not currently included in the county’s network. 
According to Iglehart, the federal law restricting release of medical information is not being met through the use of complex passwords that expire. There were also several “infections and malware found on multiple systems,” according to the report. 
Other departments, including the treasurer’s and clerk’s offices, had connection issues, as well as infections on computers. Golden West does not currently manage the network of the Weston County Sheriff’s Office, and Iglehart described the situation as a “nightmare.” 
“This is definitely the biggest nightmare, even for the police department. They are not meeting Homeland Security guidelines,” Iglehart said. 
He suggested that the county consider including public health and the sheriff’s department under IT contracts moving forward. 
Chairman Tony Barton acknowledged that proper training of county employees could solve some of the issues. 
“Training is going to be something you want to look at, but one thing you don’t want to confuse that with is negligence. In our opinion, it could have been done better,” Iglehart said. 
Commissioner Ed Wagoner asked Pro River Technology to prepare a proposal of costs for the current coverage the county pays for, as well as with the addition of the added departments. Barton stated that one thing he learned as a commissioner is that you have to listen to both sides, and he suggested that the county make no decisions until visiting with Golden West. 
“Whichever company we go with, this is something that needs to be addressed,” Wagoner said. 
Iglehart maintained that Pro River Technology was only trying to bring them the facts and not trying to “point fingers.” 
He explained that there has been a “gross negligence” when it comes to the county’s IT operations, noting that some computers are not included in the domain, computers and printers are not configured properly, and that there are other issues. 
“When we were in here last time with Golden West, they were saying they custom built antivirus solutions. We see no evidence of that,” Iglehart said, noting that they found 79 viruses on one system. 
“When you look through the agreement, this is stuff you are assuming is being taken care of for you,” Iglehart said. “Your pants are around your ankles a little bit here.” 
The commissioners have a scheduled meeting with Golden West Technologies in January to discuss the audit and technology support. 
“I think that Golden West has to look at this audit here and respond to whatever criticism you offer,” Commissioner Tracy Hunt said. “I think that is the first step. We have to hear from them and then need to decide. I am concerned about many of the things you brought up here.” 
Pro River Technology agreed to work with the county as it works to find a better fit for technology support for the county.