Several Western Australian agencies have been caught out by a review that uncovered easily-guessable passwords, unpatched systems, and unencrypted data stored on tape back-ups.
The state’s auditor-general Colin Murphy declared he was frustrated at reporting “the same common weaknesses year after year”, many of which he said could be “easily addressed” at little cost.
Murphy found common weaknesses in password security: specifically passwords that could be too-easily guessed, were a single character in length, were the default password set by the manufacturer, or were stored in plain text in documented IT policies.
He said that in one instance last year, he used the credential ‘password’ to log into a system containing “thousands of sensitive documents”. The password still worked this year, but the documents had been removed.
The Department of Racing, Gaming and Liquor had simple passwords protecting the databases underpinning its Navigate system, used to apply for and manage licenses and permits.
“We identified high privilege (sys and system) database accounts with very easy to guess passwords. Examples include passwords such as ‘abcd’ and passwords only one character in length,” the auditor reported.
The department accepted that it needed to change.
The Chemistry Centre – a government lab services operator – also suffered from password problems.
“The password policy, last reviewed in 2010, allows users to set simple passwords such as ‘password’ or ‘12345678’,” the auditor said.
“In addition, the policy does not require stronger passwords for highly privileged network, database and application accounts.
“As a result, we were easily able to guess passwords for the database system administrator account and for accounts within ForLIMS”, a system used to manage and report forensic science and medicine cases.
The auditor said in another case, default credentials for “network switches, routers and remote management systems” had not been reset. As a result, the auditor was able to “log on to a remote system with full administrative privileges. This system was used for server hardware maintenance”.
In addition to bad password management, many agencies ran systems that were well behind on their patch management.
In some cases, patching was left to contractors or managed by software that had been poorly configured or otherwise was not working as intended. That left many systems and agencies exposed to – in at least one case - hundreds of publicly-circulating exploits.
There also appeared to be common issues in the way data was shipped outside of the agency, either via the public internet or on tape drives being handled by third parties.
WA Police, for example, was found to share traffic infringement data electronically “in an insecure manner” with a third party that printed and mailed out fines. It is now investing in more secure file transfer technology.
The same data was backed up in an unencrypted state to tape that was picked up by a third party for transport to an offsite storage facility.
The Department of Racing, Gaming and Liquor stored unprotected credit card data on its tape back-ups in violation of PCI standards. Its back-up tapes, handled by a third party operator, also weren’t encrypted.
The Chemistry Centre’s tape back-ups were also unencrypted. The auditor said all three could face problems should tapes be mislaid or stolen.
The auditor said that over the past nine years, about 60 percent of the state’s agencies have not lived up to the auditor’s standards for information security.