iTnews

WA govt still struggling with infosec practices

By Justin Hendry on Aug 22, 2018 7:00AM
Poor password practices, security vulnerabilities identified.

Western Australian government agencies have yet again been called out for poor password security practices, with some 60,000 user accounts registering weak login credentials in the latest probe.

The state’s auditor-general Caroline Spencer today handed down the tenth annual Information Systems Audit Report [pdf] identifying largely unchanged infosec weaknesses from recent years.

“Common weaknesses across all our information systems audits indicate agencies are not taking risks to information systems seriously enough,” she said.

“Most of the issues raised can be easily addressed and it appears that risks are simply not properly understood. They are certainly not being effectively managed.”

She called for “executive management to engage with information security” to address the common information systems weakness that agencies struggle with year after year.

The audit – which focused on 17 agencies – found that weak passwords remain one of the most common weaknesses across the state's agencies, with more than a quarter of the "enabled network accounts" reviewed having weak passwords.

“We reviewed approximately 234,000 enabled accounts across 17 agencies and 23 AD [Active Directory] environments. Of these, 26 percent (60,000) had weak or commonly used passwords,” the report states.

“In a number of instances these accounts are used to access critical agency systems and information via remote access without any additional controls.”

However, many of the top 20 weak passwords identified by the audit office do comply with industry standards for password complexity and length.

“This indicates that merely applying these parameters is insufficient to guard against inappropriate access to networks and systems,” the report states.

The password ‘Password123’, for instance, appeared in 1464 accounts, followed by ‘Project 10’ (994 accounts), ‘support’ (866 accounts), and ‘password1’ (813 accounts).

Passwords constructed using a combination of seasons and dates also made up more than 20 percent of the weak passwords.
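The following is an added illustration of the report's point, not code from the audit office or from iTnews. It applies a Windows-style complexity rule (assumed here to mean at least eight characters from at least three of four character classes, since the article does not say which "industry standards" the agencies used) alongside a second check against a denylist and generated season/month-plus-year patterns. The denylist is a constructed handful of entries, including the four passwords the article names; a real audit would test against a large breach corpus and, in practice, against the Active Directory hashes rather than plaintext.

```python
"""Added example: complexity rules alone do not catch the passwords in the report.

Two independent checks on a candidate password:
  1. meets_complexity: a Windows-style rule, assumed for this example to be
     >= 8 characters drawn from >= 3 of the 4 classes (upper, lower, digit, other).
  2. weakness_reasons: a denylist and pattern check that catches common
     passwords, common base words with digits/symbols appended (with simple
     leet-speak substitutions undone), and season/month + year constructions.

Everything below is constructed for the example; the denylist is tiny on purpose.
"""
import re

# Constructed denylist: the four passwords named in the article plus a few
# obvious extras. Replace with a breach corpus in a real audit.
COMMON_PASSWORDS = {"password123", "project10", "project 10", "support", "password1",
                    "welcome1", "qwerty123", "letmein"}
# Base words that stay weak no matter what digits or symbols are appended.
COMMON_BASES = {"password", "project", "support", "welcome", "admin", "letmein"}

# Undo the most common leet substitutions so "P@ssw0rd" compares as "password".
LEET = str.maketrans("@$!01345", "asioleas")

# Season or month, optional separator, optional century, two-digit year, any
# trailing punctuation. Matches Summer2018!, winter18, "Spring 2017".
SEASON_DATE_RE = re.compile(
    r"^(spring|summer|autumn|winter|fall|"
    r"jan(uary)?|feb(ruary)?|mar(ch)?|apr(il)?|may|jun(e)?|jul(y)?|"
    r"aug(ust)?|sep(tember)?|oct(ober)?|nov(ember)?|dec(ember)?)"
    r"[^a-z]*(19|20)?\d{2}[^a-z]*$"
)


def meets_complexity(pw: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """Assumed 'industry standard' rule: length and character-class count only."""
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= min_len and sum(classes) >= min_classes


def weakness_reasons(pw: str) -> list[str]:
    """Return the reasons a password is weak; an empty list means no finding."""
    reasons = []
    low = pw.lower()
    # Strip the trailing digits/symbols users bolt on to satisfy complexity,
    # then undo leet-speak: "P@ssw0rd123" -> "p@ssw0rd" -> "password".
    base = re.sub(r"[^a-z]+$", "", low)
    forms = {low, low.translate(LEET), base, base.translate(LEET)}
    if forms & (COMMON_PASSWORDS | COMMON_BASES):
        reasons.append("common password, or common base word with digits/symbols appended")
    if SEASON_DATE_RE.match(low):
        reasons.append("season or month followed by a year/date")
    return reasons


def compliant_but_weak(passwords: list[str]) -> list[str]:
    """Passwords that satisfy the complexity rule yet still fail the weakness check.

    This is the population the report is describing: accounts whose passwords
    pass the technical policy but would fall to a first-pass wordlist attack.
    """
    return [pw for pw in passwords if meets_complexity(pw) and weakness_reasons(pw)]


# Constructed sample: the article's four most common passwords, some season/date
# and leet variants, and one password that is actually random.
SAMPLE = ["Password123", "Project 10", "support", "password1",
          "Summer2018!", "Winter18", "P@ssw0rd123", "Tq7$vmXe2Lp!"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw:14} complexity={'pass' if meets_complexity(pw) else 'FAIL'} "
              f"weak={weakness_reasons(pw) or 'no finding'}")
    print("compliant but weak:", compliant_but_weak(SAMPLE))
```

Running it shows the mismatch the report describes: 'Password123', 'Project 10', 'Summer2018!', 'Winter18' and 'P@ssw0rd123' all pass the complexity rule and all fail the weakness check, while 'support' and 'password1' are rejected by both. The only sample password with no finding is the random one, which is the argument for checking new passwords against a breach corpus and known patterns rather than relying on class counting.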

Poor password practices also varied between agencies, with one unnamed agency responsible for 56 percent of the weak passwords identified.

Agencies were also found to lack the necessary “technical controls to enforce good passwords across networks, applications and databases”, with no guidance about good password management practices.

“We found most agencies do not guide or support users to securely store and manage passwords,” the report states.

Left without that guidance, users are left to write down multiple passwords in order to remember them. The audit also found that "at least 12 of the 17 agencies did not have multi-factor authentication as an additional layer of security for key systems that are accessible via remote access".

“Relying only on passwords leaves these key systems vulnerable to attacks and increases the risk of unauthorised access,” the report states.

“This risk was realised in 2017 when North Metropolitan TAFE reported a hacker had gained unauthorised remote access to their network and encrypted password hashes.”

The audit office has recommended that the Department of Premier and Cabinet “provide guidance to agencies on ways to better manage identities and access”, to which the department has agreed.

A remodelled Office of the Government Chief Information Officer was recently handed a stronger remit to address poor public sector infosec practices identified by last year’s audit report.

The new Office of Digital Government will contain a dedicated cyber security team focused on developing government-wide cyber security initiatives.

DPC said it has already engaged the 17 agencies and requested a status of their progress with the implementation of the recommendations.

Key business systems at risk

The audit also reveals control weaknesses across key business applications at five agencies, including the Department of Health’s Patient Medical Record System and WA Electoral Commission’s Election Management System WA (EMSWA).

“All 5 applications had control weaknesses with most related to poor information security and policies and procedures,” the report states.

“We also found issues with controls that aim to ensure the applications function efficiently, effectively and remain available.”

The Patient Medical Record System, for example, has been identified as having security vulnerabilities that “have the potential to expose confidential patient information to inappropriate access and misuse”.

Similar issues were also identified in the EMSWA that “may compromise the security and integrity of sensitive data, including voter identity details”.

These issues largely stem from administrator and database account passwords that had “not been changed for over two years”, compounded by the fact that the sensitive personal data held in the systems is not protected by encryption.

Confidential personal information was also found to have been used in the test environment.

“We found that confidential personal information of voters from the EMSWA live system is copied and used in the test environment which does not have the same level of security,” the report states.

Copyright © iTnews.com.au . All rights reserved.