328 security weaknesses found in Australian local government systems

The computer systems used at 50 Australian local government (LG) entities have been found to contain 328 control weaknesses, and in one case a network password had not been changed since 2002.

The report, carried out by the auditor-general of Western Australia Caroline Spencer, has been submitted to Parliament and focused on the computing environments of 50 entities to determine if they effectively support the confidentiality, integrity and availability of the information they hold.

The audit focused on 6 areas: information security, business continuity, management of IT risks, IT operations, change control, and physical security.

Spencer found that LG entities need to improve their general computer controls. 328 control weaknesses were reported to 50 entities, with 10% (33) rated as significant and 72% (236) as moderate.

“As these weaknesses could significantly compromise the confidentiality, integrity and availability of information systems, the LG entities should act promptly to resolve them,” wrote Spencer.

For 11 entities, a “capability maturity assessment” was performed, which is the most comprehensive information systems audit the authority carries out. None of the 11 entities met the expectations across six control categories, with 79% of the audit results below the minimum benchmark.

Spencer revealed that five of the entities were included in last year’s in-depth assessment and could have improved their capability by addressing the previous year’s audit findings but “did not discernibly do so”.

Given the nature of the findings, the entities have not been identified, although Spencer said this practice may change over time to provide an incentive to public entities to more promptly address identified control shortcomings.

At one entity, the use of privileged access rights to the network were not appropriately restricted and controlled. The entity had not changed the password for the default network admin account since 2002, even though a number of IT staff who knew the password had left.

At another, there were inadequate controls to check the integrity and authenticity of emails. Malicious users could impersonate genuine individuals to gain unauthorised access to systems and information, leaving the entity at increased risk of cyber-attacks. Plus, it emerged staff were using many different cloud storage services to share the entity’s business information, putting its sensitive information at risk.

The report provided six recommendations for each area it focused on and local entities are now expected to prepare an action plan within the next 3 months to address the matters raised in the report.