Auditor calls for Government ban on Gmail, Hotmail

The Australian National Audit Office has called on all government agencies to block free web-based email services like Gmail and Hotmail to mitigate security and information integrity risks.

An audit of electronic security at four Federal departments and agencies found one department - Prime Minister and Cabinet - allowed staff to access the free unsecured email services for business reasons.

Log files obtained by the auditor showed some department staff were using the free accounts regularly.

However, the auditor noted that such public email services "should be blocked on agency ICT systems, as these can provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure."

Prime Minister and Cabinet told the auditor that it would cease allowing staff access to free email services from July 1.

Other agencies included in the electronic security audit also agreed to the recommendation to stop using public email.

They were Medicare, ComSuper and the Australian Office of Financial Management.

Password security

The auditor also called on agencies to review log-in credentials after administrator or service account passwords were compromised at three of the four agencies examined in the report.

A ‘brute force’ test resulted in around 20 percent of passwords being compromised, according to the audit.

As a percentage, the results "compared reasonably favourably with some private sector and state government agencies", the auditor noted.

However, the compromise of administrator and/or service account passwords was a concern.

To reduce the risk of attackers gaining access to privileged access accounts, the audit recommended that agencies review the passwords and policies for administrator and service accounts and, where required, set password complexity requirements suited to that level of system privilege.

Other results

The Audit highlighted other areas to improve network security including:

• Ensuring content filtering software blocks access to Internet sites that are inappropriate for work use or may be high risk for malicious content, such as those with adult content, gambling, chatrooms, dating sites, criminal or terrorist information, music downloads and SPAM.
• A documented patching process for the network operating system and third party applications, and monitoring that the processes was correctly implemented.
• The use of email filtering software that blocked delivery of suspicious emails and prevented transmission of unmarked or inappropriately marked emails.