Australian Capital Territory (ACT) Auditor-General Doctor Maxine Cooper’s security audit has found that some ACT government agencies could be vulnerable due to weak passwords, shared accounts and a lack of audit log reviews.
The 2012-13 Financial Audits report, tabled this week, found that shared accounts are used on Homenet, a system managed by Housing ACT.
“A generic account is used by database administrators of Homenet to gain access to the underlying database. Generic or shared accounts compromise security because they reduce management’s ability to trace actions of users to a specific person,” read the report.
The audit also found that shared accounts are used to access MyWay, a bus ticketing system which is managed by the Cultural Facilities Corporation. There was no regular monitoring of the shared accounts.
Turning to passwords, Cooper and her team found that the level of password complexity required by the ACT government’s standard is not automatically enforced by the computer system.
“Complex passwords provide a stronger control over access to systems, applications and data compared to simple passwords because they are more difficult to guess or 'crack',” said the report.
The use of complex passwords is not automatically enforced by TM1, a system used by the chief minister to prepare the financial statements of the ACT, or the territory revenue system. Strong passwords are not enforced for Homenet database admins either.
The report also found that periodic reviews of audit logs are not performed for systems such as the financial management information system, Oracle Financials.
“There are no approved policies and procedures which address the performance of such reviews,” the report said.
The audit made a number of recommendations to agencies including:
- Regular review of audit logs for errors and fraudulent changes to systems
- Approved policies and procedures governing user access
- Deleting shared user accounts
- Use of complex passwords to better control access to critical systems.