Victorian Auditor-General finds more than 100 security lapses during audit

Ineffective patching and easily guessed admin passwords used by agencies

Victorian Auditor-General John Doyle's audit of 11 Victorian government agencies has found more than 100 breaches and lapses in information security practices.

According to the report (PDF), entitled Whole of Victorian Government (WoVG) Information Security Management Framework, penetration testing was carried out on the Department of Premier and Cabinet, the Department of State Development, Business and Innovation, the Department of Treasury and Finance, CenITex, the State Revenue Office, Treasury Corporation of Victoria, Victorian Funds Management Corporation, the Department of Human Services and the Department of Justice.

An audit was also conducted of IT Shared Solutions, which provides services for WorkSafe Victoria and the Transport Accident Commission.

In all 11 agencies, Doyle and his team found examples of ineffective patching and of system configuration issues that could leave systems exposed to attack.

One agency used a rolling three-month and six-month security patching cycle that had no provision for urgent, out-of-cycle patches.

“The biggest impediment to patching appeared to be a lack of resources to test the impact of vendor patches on agency networks and software applications,” read the report.

“This practice is concerning as it does not take into account the implications of the rapidly changing cyber threat environment faced by public sector ICT systems.”

In addition, some agencies were using unsupported operating systems and software.

Administrative privileges were poorly managed across almost all agencies. For example, only one agency used a dedicated tool to manage privileged account passwords.

Privileged account passwords used by some agencies were easy for the audit team to guess. In one case the auditors obtained an administrator password that would have given them control of 6000 computers on that agency's network.

A number of agencies used third-party service providers for some services, and those providers, rather than the agencies, were responsible for allocating and managing passwords.

“This is a risky practice as it relies on the integrity of organisations which the agency cannot oversee,” read the report.

“Where third party providers are used, agencies should retain management and allocation of all passwords.”

The auditors also found internal security weaknesses, including being able to connect an unauthorised laptop to a password-controlled network. Once connected, the testers could reach the network and applications holding sensitive information.

USB sticks were widely used by agencies. According to the report, agencies had no way to detect what data had been copied from their systems onto the sticks.

There was also uncontrolled access to social media and email websites.

John Doyle said in a statement that he had written separately to each agency and sought their “urgent attention” in fixing the issues.

“I am pleased to say that a number of more critical findings have already been addressed by some agencies, and I have advised of the practical time frames for addressing the remainder.”

Doyle added that he would be monitoring the situation “very closely”.

“This audit should serve as an important reminder to all government departments and agencies of the need to remain vigilant in monitoring and testing the security of their ICT systems,” he said.

Follow Hamish Barwick on Twitter: @HamishBarwick