WA Auditor General able to guess database administrator passwords

A WA Auditor General's report probed applications at five government entities and found none were completely satisfying his information security benchmark, with the Chemistry Centre's passwords easily cracked.
Written by Asha Barbaschow, Contributor

Western Australia's Auditor General has expressed his disappointment that government agencies in the state are not taking simple steps to protect IT systems.

In his ninth annual Information Systems Audit Report [PDF], Colin Murphy probed five government agencies and highlighted his frustration in repeating remarks he has made in previous audits.

"Disappointingly, I must again report that many agencies are simply not taking the risks to their information systems seriously," Murphy's overview reads. "I continue to report the same common weaknesses year after year and yet many agencies are still not taking action."

Murphy said he is "particularly frustrated" with agencies in the state, given that many of the issues he has previously raised can be easily addressed. These include poor password management and failing to keep processes for recovering data and operations after an incident up to date, he explained.

"A pressing issue that must be acknowledged and addressed across the sector is for agencies' executive management to engage with information security, instead of regarding it as a matter for their IT departments," Murphy continued.

"As recent high profile malware threats have shown us, no agency or system is immune from these evolving and ongoing threats.

"The risk to agency operations and information is real and needs to be taken seriously."

The report reviewed key business applications at five agencies: The Western Australian Police Force's Image and Infringement Processing System (IIPS); Navigate from the Department of Racing, Gaming and Liquor; the Chemistry Centre's Laboratory Information Management Systems (LIS); the Case Management and Intelligence System (CMIS) of the Corruption and Crime Commission; and the Department of Finance's Project and Contract Management (PACMAN).

As part of the probe, the Auditor General then reviewed how each application processes and handles data, covering areas including policies and procedures, backup and recovery, and audit trails.

The report highlights that all five applications had control weaknesses which were mostly related to poor information security, policies, and procedures. It made 65 findings across the five applications, rating four as significant, 53 as moderate, and eight as minor.

The four significant concerns related to the security of sensitive information, backup and recovery, and data processing.

The Chemistry Centre's LIS had the highest number of concerns, with the Auditor General making 22 findings, 32 percent of which stemmed from its weak security policies and procedures.

While ChemCentre applies many technical controls to ensure the security of its applications and information, the report said many controls may not meet security objectives, as the policies are lacking or outdated.

"The password policy, last reviewed in 2010, allows users to set simple passwords such as 'password' or '12345678'. In addition, the policy does not require stronger passwords for highly privileged network, database, and application accounts," the report says.

"As a result, we were easily able to guess passwords for the database system administrator account and for accounts within ForLIMS."

As a result, Murphy made six recommendations that ChemCentre should adopt by August 2017. These include developing new security policies and reviewing existing ones; updating its risk management framework and conducting a risk assessment; conducting a business impact assessment and developing a disaster recovery plan; and developing an IT strategic plan and a software development process, as well as updating application documentation, to ensure appropriate controls are in place to protect sensitive information.
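The report's finding above is that the password policy allowed values such as 'password' or '12345678' and set no stronger requirement for privileged network, database and application accounts. The following is an added example (not code from the audit report or from ChemCentre) of how such a policy can be enforced at the point a password is set: a denylist of trivial values, a minimum length, and a stricter length and character-class rule for privileged accounts. The denylist contents and the numeric thresholds are assumptions chosen for illustration.

```python
import re
from typing import List

# Constructed denylist. The audit names 'password' and '12345678' as values the
# policy permitted; a production deployment would use a far larger breached-password list.
COMMON_PASSWORDS = {"password", "12345678", "qwerty", "letmein", "welcome"}

# Assumed policy thresholds for this example; they are not figures from the report.
MIN_LENGTH_STANDARD = 12
MIN_LENGTH_PRIVILEGED = 16
MIN_CLASSES_PRIVILEGED = 3


def check_password(password: str, privileged: bool = False) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.

    `privileged` marks database administrator, network and application admin accounts,
    which the report says should have been held to a stronger standard than ordinary users.
    """
    problems: List[str] = []

    # Trivial values are rejected outright, regardless of any other rule.
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in common-password denylist")

    # Reject all-digit strings (e.g. 12345678) and strings built from one or two characters.
    if re.fullmatch(r"\d+", password) or len(set(password)) <= 2:
        problems.append("single character class or too few distinct characters")

    min_len = MIN_LENGTH_PRIVILEGED if privileged else MIN_LENGTH_STANDARD
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")

    # Count lowercase, uppercase, digit and symbol classes present.
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if privileged and classes < MIN_CLASSES_PRIVILEGED:
        problems.append(
            f"privileged accounts need at least {MIN_CLASSES_PRIVILEGED} character classes"
        )

    return problems


if __name__ == "__main__":
    for candidate, priv in (("password", False), ("12345678", True), ("Tr0ub4dor&3-chem-lab", True)):
        print(candidate, "privileged" if priv else "standard", check_password(candidate, priv))
```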

The Auditor General made similar recommendations to the other four government entities, asking Police to review its process for managing security vulnerabilities, software updates, and patches, and to consider automating its manual processes for on-the-spot infringements.

He also recommended the Department of Racing, Gaming and Liquor look into automating its manual processes and that it better define access management for its systems.

The Auditor General also conducted an investigation of the general computer controls (GCC) within government entities to determine whether those controls effectively support the confidentiality, integrity, and availability of information systems.

GCC include controls over the IT environment as a whole, computer operations, access to programs and data, program development and program changes, focusing on the management of IT risks, information security, business continuity, change control, physical security, and IT operations.

"We reported 441 GCC issues to the 46 agencies audited in 2016, compared with 454 issues at 45 agencies in 2015," the report says. "There was also a decrease in the number of agencies assessed as having mature general computer control environments across all six categories of our assessment."

Only seven agencies met the Auditor General's expectations for managing their computer environments effectively, compared with 10 in 2015.

The results for information security and business continuity were flagged as disappointing by Murphy, with 61 percent of agencies failing to achieve level three or higher in information security, and 73 percent failing to do so in business continuity.

However, Lotterywest, the Department of the Premier and Cabinet, and Racing and Wagering Western Australia were flagged as consistently demonstrating good management practices across all areas assessed.

Only 39 percent of agencies met the Auditor General's benchmark for effectively managing information security, which was down 1 percent from the previous year.

Murphy made six recommendations to state government agencies in December, after it was found six agencies had previously been the target of malware campaigns.

The Department of the Attorney General, Department of Mines and Petroleum, Department of Transport, Main Roads Western Australia, and the Office of the Government Chief Information Officer (OGCIO) were found to be under constant threat, which the Auditor General said highlighted the need for improved central governance arrangements to identify, warn of, and prevent attacks.

Murphy said previously that he wanted to see the WA public sector, under the careful watch of the OGCIO (established in July 2015), consider methods to foster "collaboration, information, and resource sharing" between agencies. He also suggested the public sector gather information to properly understand the threat posed by malware and other cyberthreats to the state government.

The Queensland Audit Office (QAO) also tabled a report this week, focused on the Security of critical water infrastructure in the state.

The report [PDF] found water control systems in Queensland were not as secure as they should have been, noting the age of many of the control systems, combined with more recent integration with corporate networks, had resulted in higher risks that had not always been recognised and tested by the entities themselves.

"Security controls did not sufficiently protect them from internal or external information technology-related attacks," the report says, noting all entities probed were susceptible to security breaches or hacking attacks due to weaknesses in processes and controls.

Of concern to the QAO is the potential for attacks to disrupt water and wastewater treatment services, as well as related services that rely on the entities' IT environments.

"There was a risk to public health and appreciable economic loss in terms of lost productivity, not only to water service providers but also to citizens and businesses," the QAO wrote.

The audit found that while all entities audited had the capability to respond to information security incidents if detected, they weren't well prepared to respond to cyber attacks as they had not planned or tested response and recovery from a malicious or cyber incident.

The QAO was alarmed that entities had reported they could operate smaller plants or parts of their larger water treatment plants manually in the event of disruption to computer systems, but had not demonstrated such capability.

As a result, the report recommends water service providers identify risks of information technology security breaches, implement controls to protect systems, and monitor and review the effectiveness of the controls.

"While entities we audited have taken steps in recent years to improve their information technology security, the results of this audit show that management needs to do more in terms of oversight, leadership, and direction," the report says.
