Auditors find security breach in NeSIS access

Computer system security was one of the three “significant deficiencies” the Nebraska Auditor of Public Accounts identified in its management letter of the Nebraska State College System, released Tuesday.

“We noted 13 State College users with access to NeSIS had the ability to log in as any established user by bypassing the established authentication process,” the report stated. The issue involved the ability to access accounts anonymously, as well as the lack of any recorded history of such access.

“These users were not limited to accessing subordinate, student, or employee accounts. The ability did not require knowledge of another user’s password, nor would the user know if their account was accessed or compromised in this manner,” the letter states.

The APA’s office stated that having such broad and unrestricted access to accounts and information was an accountability issue.

“When users are allowed to circumvent established authentication controls, there is a decrease in accountability as one of these 13 users could log into NeSIS as someone else, and any changes made in the production environment would appear to have been performed by the actual owner of the user account.”

The auditor’s office recommended that unrestricted access such as this be removed, or limited if complete removal was not practical, and that a history and identity log be created to allow such actions to be documented in the future.

“We recommend the State College System remove this access. If this access is required in unique situations, we recommend it be temporarily granted only when needed. We also recommend implementing controls to immediately identify and document users who authenticate to NeSIS by bypassing established authentication processes.”

In the in-letter response, the NSCS acknowledged the issue, and said it was “reviewing and removing, where appropriate, the identified individuals who have the ability to change a user’s password.”

The NSCS administration also stated that it would create a system to track NeSIS users’ access to other employees’ accounts.

“The NSCS has initiated a change request that will allow for ‘checking out’ a password into a user’s account, based on the roles assigned to the person making the request and the roles assigned to the person whose account is being requested. These requests will be tracked,” the letter stated.

