Poor password practices, security vulnerabilities identified.
“This indicates that merely applying these parameters is insufficient to guard against inappropriate access to networks and systems,” the report states.
The password ‘Password123’, for instance, appeared in 1464 accounts, followed by ‘Project 10’ (994 accounts), ‘support’ (866 accounts), and ‘password1’ (813 accounts).
Passwords constructed using a combination of seasons and dates also made up more than 20 percent of the weak passwords.
Poor password practices also varied between agencies, with one unnamed agency responsible for 56 percent of the weak passwords identified.
Agencies were also found to lack the necessary “technical controls to enforce good passwords across networks, applications and databases”, with no guidance about good password management practices.
“We found most agencies do not guide or support users to securely store and manage passwords,” the report states.
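As an added illustration of the kind of technical control the report says agencies lack (this is example code, not code from the audit office or any agency), the following Python filter rejects passwords that match the patterns the audit found: the four most common passwords and trivial variants of them, and season-plus-date combinations. The banned list is taken from the figures above; the 14-character minimum, the leet-speak substitutions and the sample records are assumptions made for the example.

```python
"""Password policy filter that rejects the weak patterns the audit reports.

Added example; it is not code from the WA audit office or any agency.
The banned list is the audit's four most common passwords; the minimum
length and the leet-speak substitutions are assumptions for illustration.
"""
from __future__ import annotations

import re

MIN_LENGTH = 14  # assumption: the article reports no length requirement

# The four most common passwords the audit found, compared case-insensitively.
BANNED_RAW = {"password123", "project 10", "support", "password1"}

# A few common character substitutions, undone before comparison (assumption).
LEET = str.maketrans("@$013!", "asolei")

_SEASON = r"(?:spring|summer|autumn|fall|winter)"
_DATE = r"(?:\d{4}|\d{2}|\d{1,2}[/.\-]\d{2,4})"
# Season followed by a date, or a date followed by a season, with optional
# separators and trailing punctuation: Summer2018, winter19, Spring_2017, 2018-Autumn!
SEASON_DATE_RE = re.compile(
    rf"^(?:{_SEASON}[\s_\-]*{_DATE}|{_DATE}[\s_\-]*{_SEASON})[\W_]*$",
    re.IGNORECASE,
)


def normalise(pw: str) -> str:
    """Lower-case, strip trailing digits and symbols, undo leet substitutions.

    'P@ssword123!' -> 'password', 'Project 10' -> 'project'.
    """
    base = re.sub(r"[\d\W_]+$", "", pw.lower())
    return base.translate(LEET)


# Base words of the banned passwords, so that trivial variants are caught too.
BANNED_BASE = {normalise(p) for p in BANNED_RAW}


def check_password(pw: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons: list[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in BANNED_RAW or normalise(pw) in BANNED_BASE:
        reasons.append("banned password or trivial variant of one")
    if SEASON_DATE_RE.match(pw):
        reasons.append("season plus date pattern")
    return reasons


def audit(records: list[tuple[str, str]]) -> dict:
    """Tally weak passwords per agency and per reason, as an auditor would."""
    weak = 0
    by_agency: dict[str, int] = {}
    by_reason: dict[str, int] = {}
    for agency, pw in records:
        reasons = check_password(pw)
        if not reasons:
            continue
        weak += 1
        by_agency[agency] = by_agency.get(agency, 0) + 1
        for r in reasons:
            by_reason[r] = by_reason.get(r, 0) + 1
    share = {a: round(100 * n / weak) for a, n in by_agency.items()} if weak else {}
    return {"total": len(records), "weak": weak,
            "agency_share_pct": share, "by_reason": by_reason}


# Constructed sample records (agency, password); not data from the audit.
SAMPLE = [
    ("AgencyA", "Password123"),
    ("AgencyA", "P@ssword123!"),
    ("AgencyA", "Summer2018"),
    ("AgencyA", "winter19"),
    ("AgencyB", "Project 10"),
    ("AgencyB", "support"),
    ("AgencyB", "correct horse battery staple"),
    ("AgencyC", "Tr0ub4dor&3"),
]

if __name__ == "__main__":
    for agency, pw in SAMPLE:
        print(f"{agency:8} {pw!r:32} {check_password(pw) or 'OK'}")
    print(audit(SAMPLE))
```

The normalisation step is what makes a banned list useful in practice: a list that only matches exact strings lets "P@ssword123!" through, while stripping trailing digits and symbols and undoing common substitutions collapses it onto the banned base word. The `audit` function mirrors what the report did at the population level, attributing weak passwords to agencies and to the pattern that caught them.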
The report also found that “at least 12 of the 17 agencies did not have multi-factor authentication as an additional layer of security for key systems that are accessible via remote access”. Without support for secure storage, most users have to write down multiple passwords to remember them.
“Relying only on passwords leaves these key systems vulnerable to attacks and increases the risk of unauthorised access,” the report states.
“This risk was realised in 2017 when North Metropolitan TAFE reported a hacker had gained unauthorised remote access to their network and encrypted password hashes.”
The audit office has recommended that the Department of Premier and Cabinet “provide guidance to agencies on ways to better manage identities and access”, to which the department has agreed.
A remodelled Office of the Government Chief Information Officer was recently handed a stronger remit to address poor public sector infosec practices identified by last year’s audit report.
The new Office of Digital Government will contain a dedicated cyber security team focused on developing government-wide cyber security initiatives.
DPC said it has already engaged the 17 agencies and requested a status of their progress with the implementation of the recommendations.
Key business systems at risk
The audit also reveals control weaknesses across key business applications at five agencies, including the Department of Health’s Patient Medical Record System and WA Electoral Commission’s Election Management System WA (EMSWA).
“All 5 applications had control weaknesses with most related to poor information security and policies and procedures,” the report states.
“We also found issues with controls that aim to ensure the applications function efficiently, effectively and remain available.”
The Patient Medical Record System, for example, has been identified as having security vulnerabilities that “have the potential to expose confidential patient information to inappropriate access and misuse”.
Similar issues were also identified in the EMSWA that “may compromise the security and integrity of sensitive data, including voter identity details”.
These issues largely stem from administrator and database account passwords that had “not been changed for over two years”, made worse by the fact that sensitive personal data is not protected by encryption.
Confidential personal information was also found to have been used in the test environment.
“We found that confidential personal information of voters from the EMSWA live system is copied and used in the test environment which does not have the same level of security,” the report states.