'Surprise!' West Oz gummint is hopeless at information security

Western Australia's auditor general is blinking in disbelief, after an audit of the state's password practices turned up just how many people use bad passwords.

Yes, friends, password123 and abcd1234 remain popular among government employees, and the agencies covered by the audit don't block them.

Yesterday, the office tabled its annual report into information systems security in WA's parliament. In the report's introduction, auditor general Caroline Spencer wrote: “Common weaknesses across all our information systems audits indicate agencies are not taking risks to information systems seriously enough. Most of the issues raised can be easily addressed and it appears that risks are simply not properly understood. They are certainly not being effectively managed.”

"Most of the issues raised can be easily addressed and it appears that risks are simply not properly understood"

Spencer added that infosec is “is a key business risk that has to be closely monitored and appropriately managed”.

The audit covered 47 agencies, with 17 agencies singled out for a look at their password practices, and also examined the controls surrounding five key business applications – the Department of Health's patient medical record system, the Department of Mines and Industry's Tenancy Bonds Management System, the Office of State Revenue's First Home Owner Grant Online system, the state's Election Management System, and the Keysmart system that manages the government's home loan information.

The password audit didn't just turn up huge problems on internal systems: the report says auditor general staff logged in as administrator to an agency's Web-facing system “using using an easily guessed password, Summer123”.

Here's the top-ten horror passwords from the report:

“Over one quarter of the enabled network accounts we looked at had weak passwords at the time of audit”, the report said.

To test the passwords, the auditor general's staff compiled a dictionary of common weak passwords from pentest resources, and tested those against 520,000 current and disabled accounts on WA government systems.

If passwords are the shot, the chaser is even worse: the auditor general's review of key state government applications turned up an IT chamber of horrors.

The Department of Health, for example, is spending AU$20 million to digitise patient records, but hasn't decided whether the application should be rolled out state-wide – because the department “does not know if the vendor is effectively delivering the Application and how it is tracking against the $20 million contract”.

Although the system is supposed to reduce reliance on paper records, the report said that's not happening. For example, because disk storage is in short supply, medical records are getting scanned at low resolution, and the paper records are then being sent offsite for archival storage.

The storage shortage also causes outages when disks fill up, meaning people can't access the stored records and can't scan new records.

Vulnerability management was pretty much absent, the audit found: a scan of the application servers turned up 54 vulnerabilities with a critical rating, and 102 rated high, “as a result of software updates that had not been applied”.

Other applications covered in the audit fared little better, but the state's election management system deserves a special mention.

From the report: “confidential information is at risk due to insufficient password controls, unencrypted databases and minimal tracking or monitoring of changes made to the data. The availability of the system is also at risk due to a lack of documented and tested disaster recovery plan”.

The state has previously been given a fail-mark on infosec in 2012 and 2016. ®