Victorian government agencies do not fully know what servers are on their networks, the state's official audit office has found, potentially jeopardising a critical foundation for cyber security.
The Victorian Auditor-General's Office (VAGO) examined 10 government departments and state ICT provider Cenitex, finding that none could provide a complete and accurate inventory of their servers.
Without knowing what servers exist, agencies cannot reliably apply, manage or monitor the technical security controls needed to protect them, VAGO pointed out in its report.
Six agencies use automated asset discovery tools to identify servers, but none had configured these tools to scan their entire networks.
Only three agencies reconciled server information across all their environments, using manual verification and physical audits.
These reconciliation processes are not considered best practice on their own, with industry standards pointing to automated discovery as the superior approach.
When agencies finally provided server inventory data, the quality was poor across the board.
All agencies submitted incomplete information, missing critical details such as operating system versions, host names, or server locations.
Eight agencies had duplicate records for the same server, with duplication ranging from four entries to over 1000.
The inventory problems mask an even more serious issue with ageing infrastructure.
A quarter of servers reported by agencies run operating systems that are unsupported, meaning they no longer receive automatic security updates, bug fixes, or technical support.
Furthermore, another 11 percent had unknown operating systems, with names and version numbers either missing or incomplete.
Only four agencies have tools in place to track the lifecycle of server assets, including when operating systems reach end of life.
Just three agencies have a process for managing operating systems approaching end of support.
The auditor-general assessed technical security controls against the Microsoft Cloud Security Benchmark, a globally accepted standard for multi-cloud environments.
Every agency received the lowest possible rating of level 1, equivalent to a high-risk environment with inconsistently applied basic compliance controls.
The assessment covered five key elements: operating system versions, industry-standard hardened images, security baselines, access control and patching, and backup and monitoring.
The cumulative approach to scoring, consistent with the Australian Signals Directorate's Essential Eight (ASD E8) model, meant weaknesses in any element dragged down overall ratings.
VAGO's three recommendations to agencies
The auditor-general made three key recommendations to address the failures.
These included tracking IT servers by implementing automated asset discovery tools across the entire environment, reconciling server information regularly, and maintaining complete server inventories with key attributes.
Agencies were also asked to strengthen technical security controls by upgrading or decommissioning servers with unsupported operating systems, implementing industry-standard hardened images, and applying security baselines consistently.
The Department of Government Services was asked to issue guidance establishing requirements for minimum technical security controls and expectations for tracking server inventories across all state government agencies.
VAGO's audit comes after nine out of 10 Victorian government organisations experienced a cyber incident in 2023, with successful attacks capable of leaking confidential information and disrupting communication networks and critical infrastructure.
Victorian government agencies were warned in 2015 by VAGO to move off end-of-life software and systems, and to improve poorly managed IT security and access controls.
The report is VAGO's second recent one into cyber security, with the first audit in 2023 finding that agencies could improve their cloud-based identity management and device management controls.




