ACT running core IT on unsupported operating systems

The ACT government is putting sensitive information like medical records and births, deaths and marriages data at risk by running systems on servers with end-of-life operating systems, the territory's auditor has found.

In its 2015-16 audit of the ACT's computer information systems, tabled on Friday [pdf], the territory's audit office found 34 instances of unsupported server operating systems.

Systems running on these services spanned everything from medical, sexual health, and personal details to land titles, territory revenue and assets, electronics documents and records, and even remote access token authentication.

The audit office has been warning the territory of the pressing need to upgrade end-of-life server software since 2011-12.

It noted that the territory's Shared Services agency had done some work to fix this state of affairs by upgrading 72 of the 106 identified servers over 2015-16, but said more work needed to be done.

Shared Services told the audit office the remaining cases are somewhat more difficult because the systems running on these services won't work on newer operating systems.

The continued use of unsupported operating systems on servers increases the risk of the ACT Government network, including applications and data, having security vulnerabilities or performance problems, the audit office said.

It told five agencies still using end-of-life server software to work out a way to get their operating systems supported, or - if impossible - to figure out how to minimise the risk of security and performance issues.

Last year Shared Services built an application portfolio management platform for the public sector to keep track of its application environment.

The Chief Minister, Treasury and Economic Development Directorate - one of the agencies named and shamed in the report - said it had uploaded information about its applications and systems into the tool in order to monitor support.

It also said Shared Services had started deploying Trend Micro's Deep Security tool as a vulnerability mitigation solution mid-last year to protect the government's unsupported servers against threats. The effort is "ongoing" and would be complete by June 30, it said.

The other agencies highlighted in the report said work was either underway to decommission or upgrade end-of-life hardware, or the Trend Micro tool was being relied on until other, connected upgrade work was completed and the servers could be dealt with.

Weak access controls

Agencies were also criticised for having weak access controls, with too many generic user accounts and a lack of insight into privileged accounts.

The ACT government network currently has 28,000 active user accounts, but 35 percent - 9852 - haven't been used in three months, the auditor said.

Shared Services has performed reviews of privileged user accounts but doesn't have a complete list, leaving it unable to assess whether it has appropriately limited an individual's access to the minimum they need.

Additionally, the network has 1132 generic, or shared, user accounts which are accessed by more than one person, increasing the risk of "inappropriate and fraudulent access to applications and data".

While the territory government has agreed to deactivate users who haven't logged on in 90 days and "promptly" after staff leave employment, it has said it can't do a lot about many of the shared accounts.

It told the auditor generic accounts were unavoidable in some cases - like in health services - to give users fast access to resources in high demand areas.

"Unique user names and passwords slow the process because users are required to log the previous user out and log into their own account to access critical information technology resources," it said.

Shared Services has, however, restricted the provision of new shared accounts and told agencies to remove existing shared accounts if they aren't needed. It has cut the 1132 generic accounts at the time of audit to 1090 as of March this year.

The territory government also earned a slap for not forcing complex passwords on its territory revenue system.

"This increases the risk of inappropriate or fraudulent access to this application and its data, as staff will be less likely to use complex passwords when they are not forced to do so by the application," auditor-general Dr Maxine Cooper said in her report.

The government said a new revenue system, which will be implemented from August this year until the end of 2018, would have the capability for complex passwords.