Western Australian government agencies have yet again been called out for poor password security practices, with some 60,000 user accounts registering weak login credentials in the latest probe.
The state’s auditor-general Caroline Spencer today handed down the tenth annual Information Systems Audit Report [pdf] identifying largely unchanged infosec weaknesses from recent years.
“Common weaknesses across all our information systems audits indicate agencies are not taking risks to information systems seriously enough,” she said.
“Most of the issues raised can be easily addressed and it appears that risks are simply not properly understood. They are certainly not being effectively managed.”
She called for “executive management to engage with information security” to address the common information systems weakness that agencies struggle with year after year.
The audit – focusing on 17 agencies – found that password security remains one of the state’s most common weaknesses, with more than a quarter of the “enabled network accounts” reviewed having weak passwords.
“We reviewed approximately 234,000 enabled accounts across 17 agencies and 23 AD [Active Directory] environments. Of these, 26 percent (60,000) had weak or commonly used passwords,” the report states.
“In a number of instances these accounts are used to access critical agency systems and information via remote access without any additional controls.”
However, many of the top 20 weak passwords identified by the audit office do comply with industry standards for password complexity and length.
“This indicates that merely applying these parameters is insufficient to guard against inappropriate access to networks and systems,” the report states.
The password ‘Password123’, for instance, appeared in 1464 accounts, followed by ‘Project 10’ (994 accounts), ‘support’ (866 accounts), and ‘password1’ (813 accounts).
Passwords constructed using a combination of seasons and dates also made up more than 20 percent of the weak passwords.
Poor password practices also varied between agencies, with one unnamed agency responsible for 56 percent of the weak passwords identified.
Agencies were also found to lack the necessary “technical controls to enforce good passwords across networks, applications and databases”, with no guidance about good password management practices.
“We found most agencies do not guide or support users to securely store and manage passwords,” the report states.
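The report’s two points above – that passwords meeting a complexity rule can still be weak, and that agencies lack technical controls to enforce good passwords – can be illustrated with a small check of the kind a password-change filter or periodic audit would run. The following Python is an added example for this article, not code from the audit office or any agency; the blocklist, the leet-speak substitutions and the sample passwords are constructed for the illustration (the four passwords the report named are included), and a real deployment would use a large breached-password list rather than this handful of entries.

```python
import re

# Constructed blocklist: the entries the audit named plus a few generic ones.
# A production control would load a large breached/common-password list instead.
BLOCKLIST = {
    "password", "password123", "password1", "project10", "support",
    "welcome1", "changeme", "letmein",
}

# Season or month name, optional separators, then a two- or four-digit year,
# optionally followed by trailing punctuation ("Summer2019!", "Winter 19").
SEASON_DATE = re.compile(
    r"^(?:spring|summer|autumn|fall|winter"
    r"|jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|june?|july?"
    r"|aug(?:ust)?|sep(?:t(?:ember)?)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?)"
    r"[\W_]*(?:\d{2}|\d{4})[\W_]*$"
)

# Common character substitutions that users apply to pass complexity rules.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "$": "s", "7": "t"})

MIN_LENGTH = 8


def meets_complexity(password: str) -> bool:
    """Legacy 'at least 8 characters and three of four character classes' rule."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


def candidate_forms(password: str) -> list[str]:
    """Normalised variants compared against the blocklist, in a fixed order."""
    base = password.lower().replace(" ", "")
    stripped = re.sub(r"[\d\W_]+$", "", base)      # drop trailing digits/symbols
    forms = [base, stripped, base.translate(LEET), stripped.translate(LEET)]
    seen: set[str] = set()
    return [f for f in forms if f and not (f in seen or seen.add(f))]


def weakness_reasons(password: str) -> list[str]:
    """Return reason codes for every check the password fails (empty = acceptable)."""
    reasons = []
    if not meets_complexity(password):
        reasons.append("complexity")
    if any(form in BLOCKLIST for form in candidate_forms(password)):
        reasons.append("blocklist")
    if SEASON_DATE.match(password.lower().replace(" ", "")):
        reasons.append("season_date")
    return reasons


def audit(passwords: list[str]) -> dict[str, list[str]]:
    """Map each weak password to its reasons; passwords with no findings are omitted."""
    findings = {}
    for p in passwords:
        reasons = weakness_reasons(p)
        if reasons:
            findings[p] = reasons
    return findings


def compliant_but_weak(passwords: list[str]) -> list[str]:
    """The report's key finding: passwords that pass complexity yet are still weak."""
    return [p for p in passwords if meets_complexity(p) and weakness_reasons(p)]


# Constructed sample set for the example (includes the four the audit named).
SAMPLE = ["Password123", "Project 10", "support", "password1",
          "Summer2019!", "Winter 19", "P@ssw0rd!", "Gq7!wLp2#zE9"]

if __name__ == "__main__":
    for pw, reasons in audit(SAMPLE).items():
        print(f"{pw!r:18} complexity={meets_complexity(pw)!s:5} reasons={reasons}")
    print("compliant but weak:", compliant_but_weak(SAMPLE))
```

Run as a script it lists every sample password that fails a check, alongside whether it satisfies the complexity rule; ‘Password123’, ‘Project 10’ and the season-plus-year entries all pass the rule and are still flagged, which is the point the report makes. The same `weakness_reasons` function can sit behind a password-change filter so that a weak value is rejected at set time rather than found by a later audit.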
The report also found that “at least 12 of the 17 agencies did not have multi-factor authentication as an additional layer of security for key systems that are accessible via remote access”, while most users have to write down multiple passwords to remember them.
“Relying only on passwords leaves these key systems vulnerable to attacks and increases the risk of unauthorised access,” the report states.
“This risk was realised in 2017 when North Metropolitan TAFE reported a hacker had gained unauthorised remote access to their network and encrypted password hashes.”
The audit office has recommended that the Department of Premier and Cabinet “provide guidance to agencies on ways to better manage identities and access”, to which the department has agreed.
A remodelled Office of the Government Chief Information Officer was recently handed a stronger remit to address poor public sector infosec practices identified by last year’s audit report.
The new Office of Digital Government will contain a dedicated cyber security team focused on developing government-wide cyber security initiatives.
DPC said it has already engaged the 17 agencies and requested a status of their progress with the implementation of the recommendations.
Key business systems at risk
The audit also reveals control weaknesses across key business applications at five agencies, including the Department of Health’s Patient Medical Record System and WA Electoral Commission’s Election Management System WA (EMSWA).
“All 5 applications had control weaknesses with most related to poor information security and policies and procedures,” the report states.
“We also found issues with controls that aim to ensure the applications function efficiently, effectively and remain available.”
The Patient Medical Record System, for example, has been identified as having security vulnerabilities that “have the potential to expose confidential patient information to inappropriate access and misuse”.
Similar issues were also identified in the EMSWA that “may compromise the security and integrity of sensitive data, including voter identity details”.
These issues largely stem from administrator and database account passwords that had “not been changed for over two years”, made worse by the fact that sensitive personal data isn’t protected by encryption.
Confidential personal information was also found to have been used in the test environment.
“We found that confidential personal information of voters from the EMSWA live system is copied and used in the test environment which does not have the same level of security,” the report states.