ACT Auditor General finds shared accounts, weak passwords during audit

Weak passwords used in a system that prepares the ACT government’s financial statements

Australian Capital Territory (ACT) Auditor-General Doctor Maxine Cooper’s security audit has found that some ACT government agencies could be vulnerable due to weak passwords, shared accounts and a lack of audit log reviews.

The 2012-13 Financial Audits report (PDF), tabled this week, found that shared accounts are used on Homenet, a system managed by Housing ACT.

“A generic account is used by database administrators of Homenet to gain access to the underlying database. Generic or shared accounts compromise security because they reduce management’s ability to trace actions of users to a specific person,” read the report.

The audit also found that shared accounts are used to access MyWay, a bus ticketing system which is managed by the Cultural Facilities Corporation. There was no regular monitoring of the shared accounts.

Turning to passwords, Cooper and her team found that the level of password complexity required by the ACT government’s standard is not automatically enforced by the computer system.

“Complex passwords provide a stronger control over access to systems, applications and data compared to simple passwords because they are more difficult to guess or 'crack',” said the report.

The use of complex passwords is not automatically enforced by TM1, a system used by the chief minister to prepare the financial statements of the ACT, or the territory revenue system. Strong passwords are not enforced for Homenet database admins either.

The report also found that periodic reviews of audit logs for systems such as the financial management information system, Oracle Financials, are not performed.

“There are no approved policies and procedures which address the performance of such reviews,” the report said.

The audit made a number of recommendations to agencies including:

  • Regular review of audit logs for errors and fraudulent changes to systems
  • Approved policies and procedures governing user access
  • Deleting shared user accounts
  • Use of complex passwords to better control access to critical systems.

Follow Hamish Barwick on Twitter: @HamishBarwick
