50 Local Australian Government Systems Found to Have Significant Digital Weaknesses
Over 328 Control Weaknesses Were Highlighted in a Report that Analysed the Computer Systems Used at 50 Local Government Entities.
More than 328 control weaknesses were highlighted by the Auditor-General of Western Australia on Wednesday in a report that analyzed the computer systems used at 50 local government entities.
Auditor-General Caroline Spencer decided against disclosing entity names and specific systems, but they were all included in the Local Government General Computer Controls report.
Spencer insisted that “in the case studies are real-life examples of how extremely poor general computer controls can result in system breaches, loss of sensitive and confidential information and financial loss” […] these “serve as important reminders of the need to remain ever vigilant against constant cyber threats”.
The audit itself was run on 11 entities, and none of them was able to meet the minimum targets for capability maturity. The other 39 entities were also audited, with the Auditor-General conducting general computer controls audits. The controls probed covered information security, management of IT risks, IT operations, business continuity, physical security, and change control.
33 of the 328 weaknesses found were rated as significant and 236 as moderate. Almost half of all issues revolved around information security, just as in the year before.
The report also goes to show that “poor controls in” […] critical “areas left systems and information vulnerable to misuse and could impact critical services provided to the public. […] Five of the entities were also included in last year’s in-depth assessment and could have improved their capability by promptly addressing the previous year’s audit findings but, overall, did not discernibly do so.”
The audit identified a case of a phishing attack in which the credentials of a user's account were stolen, but neither the systems nor the employees were able to detect it, let alone identify phishing as a cyber-attack threat.
The attack resulted in a fraudulent credit card transaction on the user’s corporate credit card, which was immediately canceled. Further investigation by the entity revealed the attacker downloaded 10GB of entity information in the form of sensitive emails.
Other common weaknesses were that entities did not have policies, procedures, or processes in place to effectively manage or prevent technical vulnerabilities, and that systems hosting public-facing interfaces sat on the same network infrastructure as systems that hosted highly sensitive information.
Also, the assessment of IT risk management revealed that the entities in question had no policies and procedures to document, assess, review, and report IT risks.
Several weaknesses were also revealed in the IT operations department. These included a lack of user access reviews, a lack of incident management procedures, no audit trail for user activity in general, and no specific requirements for IT staff who shared in the knowledge of sensitive information, nor were those staff required to undergo a background check.
“At one entity, staff could redirect payments for council rates, infringements, license and application fees to another bank account by changing a file hosted on a shared server,” the report details. “Access to the server was not appropriately controlled because staff used a shared generic account to access and manage the server.”
The report came with recommendations, one for each type of security audited this year. They included the implementation of proper management structures and frameworks, the identification of IT risks, and frequent patching.