The Western Australian Auditor-General has revealed he was able to guess passwords for highly privileged database accounts at two of the state's agencies, gaining full access to sensitive information.
Auditor-General Glen Clarke said in a new audit report that changes made using the compromised accounts were undetectable.
The report [PDF] found another application at a third agency that "allowed users to create single character passwords that did not expire".
Two agencies were also found to store unsecured credit card details - one on a network accessible by any user.
The embarrassing breaches are two in a litany of IT security flaws uncovered at seven of the State's departments and agencies.
They included privileged accounts created by former staff that were still active.
"In two agencies we found numerous network and application user accounts with the highest privileges had been created without approval," Clarke said.
"A number of these accounts belonged to former staff.
"At three of the four agencies [we looked at], we found active user accounts belonging to former staff that allowed access to key applications, the network, and databases."
"At two of these agencies there was no monitoring or logging of user access. This makes it impossible to know whether unauthorised access or changes to information had occurred."
There were too many other breaches to describe them all. Some included:
Laptops not much better
Part of the report also dealt with lost and stolen laptops and the prevention of information leakage via portable storage devices like flash drives.
On average, 250 laptops were reported stolen every year. Clarke was "reassured" that all agencies required a police report to be filed before they would replace the laptop.
But agencies were exposed for lax practices in making sure information on stolen devices could not be accessed by an unauthorised user.
Three agencies - including the central office of the State's Department of Education - failed basic security tests by giving users full administrative control of their laptops.
Only one agency out of seven - WorkCover - had local firewalls on laptops to protect the device when it connected to a public network.
Four agencies - the Curriculum Council, Department of Water, Department of Commerce and WA Police - had not deployed patches for critical software flaws.
"The Department of Commerce had a security update server configured to manage software patch updates across all laptops, however we found that it had not been functioning properly," Clarke said.
But WA Police won praise for establishing control mechanisms for portable devices including flash drives and for having policies and procedures governing their use. They had also issued encrypted drives to all staff.
Clarke believed his report should be a "wake-up call to Government agencies, particularly those that handle personal and sensitive information".
Issue: 315 | May 2013