Thirteen percent of all servers in operation at 10 of South Australia's most critical agencies are running legacy operating systems, leaving the government vulnerable to attacks on unsupported and unpatched infrastructure, according to the state's auditor-general.
Auditor Andrew Richardson’s review [pdf] of 10 agencies - including the Attorney General’s Department, the Department of Education and Child Development, and the Department of Planning, Transport and Infrastructure - dug up 226 agency servers still running Windows Server 2003 and five servers running Windows Server 2000.
Windows Server 2003 reached end of support in July last year, and Windows Server 2000 hasn’t been supported since July 2010. Only two of the 10 agencies had all of their server fleet running supported software.
The worst offending agency was running 71 legacy servers.
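The audit's core check, counting servers whose operating system has passed its vendor end-of-support date and reporting the share per agency, is simple to automate against a server inventory. The script below is an added illustration and not the auditor-general's tooling; it uses Microsoft's published end-of-support dates for the two releases the review found (14 July 2015 for Windows Server 2003, 13 July 2010 for Windows Server 2000) and a constructed inventory with hypothetical agency and host names. Because support status depends on the date of assessment, the check takes an explicit `as_of` date rather than assuming "today".

```python
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates for the releases named in the audit.
# Add further releases here as they reach end of support.
END_OF_SUPPORT = {
    "Windows Server 2000": date(2010, 7, 13),
    "Windows Server 2003": date(2015, 7, 14),
}


@dataclass(frozen=True)
class Server:
    agency: str
    hostname: str
    os_name: str


# Constructed sample inventory: hypothetical agencies and hosts, not from the review.
SAMPLE_INVENTORY = [
    Server("Agency A", "a-dc01", "Windows Server 2003"),
    Server("Agency A", "a-app02", "Windows Server 2003"),
    Server("Agency A", "a-web03", "Windows Server 2016"),
    Server("Agency B", "b-db01", "Windows Server 2012 R2"),
    Server("Agency B", "b-fs02", "Windows Server 2016"),
    Server("Agency C", "c-legacy01", "Windows Server 2000"),
    Server("Agency C", "c-app02", "Windows Server 2019"),
]


def is_unsupported(server, as_of):
    """True if the server's OS has passed its end-of-support date as of `as_of`.

    Releases absent from END_OF_SUPPORT are treated as supported; keep the
    table current so that silence in the table is not mistaken for safety.
    """
    eol = END_OF_SUPPORT.get(server.os_name)
    return eol is not None and as_of > eol


def unsupported_by_agency(inventory, as_of):
    """Per-agency (legacy_count, total, legacy_percentage) with percentage rounded to 0.1."""
    counts = {}
    for server in inventory:
        legacy, total = counts.get(server.agency, (0, 0))
        counts[server.agency] = (legacy + int(is_unsupported(server, as_of)), total + 1)
    return {
        agency: (legacy, total, round(100.0 * legacy / total, 1))
        for agency, (legacy, total) in counts.items()
    }


def overall_legacy_percentage(inventory, as_of):
    """Share of the whole fleet running an unsupported OS, rounded to 0.1 percent."""
    if not inventory:
        return 0.0
    legacy = sum(is_unsupported(s, as_of) for s in inventory)
    return round(100.0 * legacy / len(inventory), 1)


def fully_supported_agencies(inventory, as_of):
    """Agencies whose entire server fleet is on a supported OS (sorted by name)."""
    return sorted(
        agency for agency, (legacy, _, _) in unsupported_by_agency(inventory, as_of).items()
        if legacy == 0
    )


if __name__ == "__main__":
    audit_date = date(2016, 9, 30)  # end of the review's observation window
    for agency, (legacy, total, pct) in sorted(unsupported_by_agency(SAMPLE_INVENTORY, audit_date).items()):
        print(f"{agency}: {legacy}/{total} legacy servers ({pct}%)")
    print(f"Fleet-wide: {overall_legacy_percentage(SAMPLE_INVENTORY, audit_date)}% unsupported")
    print("Fully supported:", ", ".join(fully_supported_agencies(SAMPLE_INVENTORY, audit_date)))
```

Feeding the same inventory an `as_of` date before July 2015 shows why the date matters: the Windows Server 2003 hosts drop out of the legacy count, leaving only the Windows Server 2000 host flagged.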
Its executives promised they were working to decommission the out-of-date fleet, but insisted “46 legacy servers needed to have all applications removed before a request to the vendor could be submitted to start formal decommissioning”, and “25 legacy servers had all applications removed but were awaiting formal decommissioning”.
Richardson criticised several of the offending agencies for failing to implement “sufficient controls to mitigate the increased risk of continuing to operate these servers”.
“This increases the risk of unauthorised access to sensitive information stored on these servers due to unpatched security vulnerabilities," he said.
He declined to name the specific agencies under fire for fear of making them a target of attacks.
The rate of reported security incidents affecting SA government networks jumped 49 percent between January and July 2016, although the rise coincides with an increased monitoring campaign.
Over 90 percent of all reports related to ransomware attacks.
Meanwhile, the government’s central cyber security efforts have seen accounts with administrative privileges drop from 10,000 to 6000 across the state government.
The audit team also acknowledged that agencies had managed to close down or upgrade 85 legacy servers between November 2015 and September 2016, suggesting the administration is not ignoring the problem altogether.