WA Auditor General report finds state entities still don't get infosec
The Auditor General of Western Australia has again called on government entities to up their information security practices, with a new report finding, in some cases, an absence altogether of infosec polices.
In the annual Information Systems Audit Report [PDF] Auditor General Caroline Spencer details the results of the 2018 probe of government entities, looking to determine whether controls "effectively support the confidentiality, integrity, and availability of information systems".
The probe, covering infosec, business continuity, management of IT risks, IT operations, change control, and physical security, found 547 issues across 47 state government entities. With five entities outsourcing their capability assessments, and three disappearing due to machinery-of-government changes, the report speaks to 39 entities.
With a scale ranging zero to five, the Auditor General expects state entities to hit at least a three, which sees them having documented and communicated processes that are mandated, and possessing standardised procedures that are not necessarily sophisticated but are the formalisation of existing practices.
Comparing the results to last year, the report shows a decline in the percentage of entities rated at three or above in four of the six categories. Only four entities -- the Department of the Premier and Cabinet, Racing and Wagering Western Australia, Western Australian Land Information Authority, and Curtin University -- have passed all six categories consistently for three years or more. The probe is in its eleventh year.
Only 47% of entities met the Auditor General's benchmark for effectively managing information security in 2018. This represents a 3% decline from 2017.
"It is clear from the basic security weaknesses we identified that many entities lack some important security controls needed to protect systems and information," the report says. "The trend across the last 11 years shows little improvement in entities' controls to manage information security."
In addition to infosec policies either not existing, being out of date, or not approved, weaknesses the probe found echoed many of those found in the past, including easy to guess passwords for networks, applications, and databases, such as the use of "Password" or "Password1".
At one entity, the passwords were found to be stored in plain text on the shared network drive and included database and server account credentials for a "critical system".
In addition, the report highlighted a lack of processes to upskill staff in information security; no infosec awareness programs for staff; there was instances of entities not reviewing highly privileged application, database, and network user accounts; and a lack of processes to identify and rectify security vulnerabilities within IT infrastructure.
Sharing a case study of an unnamed government entity, the Auditor General said it found that the entity's network and IT systems were vulnerable due to lack of anti-malware and intrusion detection/prevention controls, and missing security patches.
The entity had also not patched WannaCry vulnerabilities for over five months, and did not have a process to patch Linux environments with missing patches dating back to 2013.
Many entities were found to not require additional controls such as multi-factor authentication to access critical systems in the cloud, including payroll and those containing financial information. Some entities did not require multi-factor authentication for remote access.
Where the management of IT risks was concerned, weaknesses the Auditor General found included: Risk management policies in draft or not developed; inadequate processes for identifying, assessing, and treating IT and related risks; and risk registers not maintained, for ongoing monitoring and mitigation of identified risks.
"Entities need to ensure that IT risks are identified, assessed and treated within appropriate time frames and that these practices become a core part of business activities and executive oversight," Spencer said.
The audit of IT operations unveiled weaknesses such as: IT strategies not in place; no logging of user access and activity; no reviews of security logs for critical systems; access still granted to former staff; a lack of policies and procedures, and weak governance over IT operations; and even the inability to access IT equipment.
Physical security investigations also found many entities did not monitor staff and contractors' access to computer rooms, nor did they have visibility over their comms room where backups and temperature controls were concerned.
Applications in the spotlight
The first half of the report details the results of the Auditor General's audit of key business applications at four public sector entities. The applications under the microscope were: The Public Sector Commission's Recruitment Advertisement Management System (RAMS), Horizon Power's Advanced Metering Infrastructure, the Office of State Revenue's Pensioner Rebate Scheme and Exchange, and the New Land Register under the care of the Western Australian Land Information Authority.
The investigation found that all four had weaknesses, with the most common ones relating to poor contract management, policies, procedures, and information security.
RAMS was found to have contained software components that are no longer supported by software vendors, with one component possessing known security vulnerabilities. Disaster recovery had also not been tested since 2015.
Horizon Power was asked by the Auditor General to move manual processes to a digital solution, review and implement appropriate network and database security controls, review and implement appropriate user access management practices, and enhance its vulnerability management process to include third-party applications.
State Revenue was found to have inadequate user access controls and reviews, with the probe uncovering that a large number of users have access to unprotected sensitive information.
Similarly, there were 10 database accounts with easy to guess passwords, and 70 accounts had not changed their passwords for over 12 months -- for seven accounts, it had been over a year.
Lastly, the New Land Register possessed weaknesses such as credit card information at risk of exposure.
"Landgate is in breach of its own ICT Acceptable Use Policy which prohibits credit card details being stored using insecure methods, such as email. We found payment forms containing credit card information stored in long term backups without appropriate masking of the details," the report says,
As a result, the Western Australian Land Information Authority was asked to review its access policies, procedures, and controls to ensure they are implemented effectively by July 2019.