​WA Auditor General calls out agencies for poor infosec practices

​'Password123' is still being used to secure government employee accounts.

Western Australia's Auditor General has once again called out state agencies for not taking IT risks seriously, despite many being "easily addressable", particularly when it comes to password hygiene.

In Information Systems Audit Report 2018 [PDF], the Auditor General highlighted that the risks to government entities are simply not properly understood, noting that they are "certainly not being effectively managed".

"Over one quarter of the enabled network accounts we looked at had weak passwords at the time of audit," the report's conclusion states.

"In a number of instances, these accounts are used to access critical agency systems and information via remote access without any additional controls.

"Generally, agencies lacked technical controls to enforce good passwords across networks, applications, and databases, and did not have guidance about good practice for password management."

17 agencies' passwords and privileged accounts processes and controls were probed as part of the annual audit, processing approximately 520,000 enabled and disabled accounts. Of those, 234,000 were enabled and 26 percent had weak passwords.

The probe found Password123 was used to secure 1,464 active accounts, with a total 6,546 accounts using equally weak passwords to access government IT systems.

The Auditor General did praise agency staff for attempting to up their level of password hygiene by making them longer, but in many cases this simply included adding more consecutive numbers to the end of the existing password.

At least 12 of the 17 sampled agencies did not have multi-factor authentication as an additional layer of security for key systems that are accessible via remote access, the report found.

When it comes to understanding the implications of databases in the wild, the report said that one agency investigated had old, offline versions of the AD database stored on its server and widely available to IT support users and contractors.

Another agency inadvertently shared its entire AD database with a third party.

The Auditor General made a handful of recommendations as a result of the investigation, including that the Department of Premier and Cabinet provide guidance to agencies on ways to better manage identities and access including password management and multi-factor authentication by the end of the year.

Additionally, it asked that all agencies have adequate security policies in place that require a lifecycle management approach for different types of accounts and access levels; implement privileged identity and access management best practices; consider providing staff with a secure way of storing passwords and technical solutions to reduce the number of passwords users need; use multi-factor authentication for remote access; prevent/blacklist the use of common weak passwords; tailor password requirements for each type of account, based on the risk, environment, and other mitigating controls in place; and maintain visibility on the purpose, ownership, and use of service, system, and database accounts.

As part of its annual probe, the Auditor General also looks into key applications at a handful of agencies, with the Department of Health's Patient Medical Record System; the Department of Mines, Industry Regulation and Safety's Tenancy Bonds Management System; the Office of State Revenue's First Home Owner Grant Online System; the Western Australian Electoral Commission's Election Management System WA; and the Keystart Housing Scheme Trust's Keysmart System under the microscope this year.

All five applications had control weaknesses, with most related to poor information security and policies and procedures, the Auditor General reported.

Of the 49 findings across the five applications, nine rated as significant, 29 as moderate, and 11 were flagged as minor. The significant concerns were mostly around the security of sensitive information, with a few falling under the policies and procedures banner.

Where the Patient Medical Record System is concerned, the Auditor General concluded that unclear decision-making and a lack of digitisation strategy has impacted its implementation.

The Department of Health is yet to decide if all medical health records will be digitised across Western Australia, as they are still in the process of developing a digital strategy. The Auditor General said that as a result, decisions regarding its design and deployment are made at individual hospitals without consideration of whole of Health needs.

The Tenancy Bonds Management System was called out for having ineffective security controls, such as weak passwords and third-party accounts not being properly managed, despite many external parties having total access to customer information.

The First Home Owner Grant Online system similarly had weak security. In 2016-17, almost 15,630 grant applications were recorded and managed by the system, yet the audit found unprotected personal data -- such as bank account information -- in the Office of State Revenue's test environment.

While the audit did not find any instances of inappropriate access or misuse of the Election Management System, it said confidential information is at risk due to insufficient password controls, unencrypted databases, and minimal tracking or monitoring of changes made to the data.

The Keystart Housing Scheme Trust was flagged by the Auditor General as needing an account cleanse, with 32 system accounts found that had not been used for up to eight years.

RELATED COVERAGE

WA's grand plan to rid government of IT ownership

With money tight thanks to the end of the mining boom, the end-goal of the government of Western Australia's GovNext-ICT initiative is to rid the state of any IT infrastructure ownership.

WA parliamentary committee confident government CIO will fix current IT problems

A WA parliamentary committee is concerned for the future of state health IT contracts, pointing to the establishment of a government chief information officer as an opportunity to prevent history repeating itself.

WA Auditor General recommends inter-agency cooperation to counter malware

The state's Office of the Auditor General has made six recommendations to prevent the threat of malware after investigating six West Australian government agencies.

25% of employees use the same password for every account (TechRepublic)

Of those, 81% say they don't password protect their phone or computer at all, according to an OpenVPN report. Here's how to improve employee cyber education.