Seven Western Australian government agencies have been asked to improve their database security after an audit by the state's auditor general, Colin Murphy, found weak passwords, inadequate patching and a lack of control over user privileges.
In the report tabled in parliament today, Murphy said his office audited 13 systems at the seven agencies, comprising nine Oracle and four Microsoft SQL Server databases.
The seven agencies were: Murdoch University, Legal Aid, WA Department of Health, Curtin University, Department of Local Government and Communities, Drug and Alcohol Office and the Department of the Attorney General.
“We found that the sampled agencies have not adequately protected information from attackers to prevent unauthorised access and data loss,” said Murphy.
“Sensitive and confidential information is at risk and agencies may not know if or the extent to which data is compromised.”
Most concerning to Murphy was the lack of basic controls over passwords, patching and the setting of user privileges. The audit also found copies of sensitive information duplicated across systems, and databases that were poorly configured.
At one of the agencies, the auditors guessed passwords assigned to a number of accounts and were able to gain access to the network.
“The password of two of the accounts was ‘password’ which we guessed on the first attempt. After compromising the first account, we notified the agency and advised them to eliminate the use of this password,” said Murphy.
The auditors used the second compromised account to log on and browse information stored on the network.
The auditors found thousands of highly confidential and sensitive records about individuals including children which should only be accessible to a small number of authorised staff.
It also found database scripts and system configuration files which could help to compromise sensitive databases and systems.
“We then connected a USB device to copy thousands of records off the network without detection. We performed the same process a week later to see if the agency had identified and taken any appropriate action against this kind of data loss – it had not and we were able to perform the same operation again,” Murphy said.
In the report, he said that agencies need to understand the risk profile of information they manage and ensure appropriate controls are in place to protect this information.
For example, agencies should use the principle of least privilege and grant only those privileges needed to perform the business requirements of a role.
“All user accounts [active/locked] should be given strong passwords and set to expire. Agencies should assess, test and deploy vendor security updates in a timely manner to prevent attackers exploiting known security vulnerabilities and assess risks with configuration options on the database and determine if it is actually required to be enabled,” he said.
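The report describes the controls it expects but not how they are set on the audited platforms. The following is an added example, not taken from the audit report or any agency, showing how the password and least-privilege recommendations map onto Oracle (12c or later is assumed, because the shipped verify function and some views differ in older releases). The profile, role, user, schema and table names (app_user_profile, casefile_reader, hr_app, reporting_user, casefile) are hypothetical; the views and the verify function are real Oracle objects.

```sql
-- Added example (not from the audit report): Oracle statements that implement
-- the report's password and least-privilege recommendations.
-- Names app_user_profile, casefile_reader, hr_app, reporting_user and
-- hr_app.casefile are hypothetical.

-- 1. Password policy: a profile that expires passwords, locks accounts after
--    repeated failed logons and rejects weak values such as 'password'.
CREATE PROFILE app_user_profile LIMIT
  PASSWORD_LIFE_TIME        90           -- days before a password expires
  PASSWORD_GRACE_TIME       7            -- days of warnings after expiry
  PASSWORD_REUSE_MAX        10           -- previous passwords that cannot be reused
  PASSWORD_REUSE_TIME       365          -- days before an old password may return
  FAILED_LOGIN_ATTEMPTS     5            -- lock after five bad guesses
  PASSWORD_LOCK_TIME        1/24         -- stay locked for one hour (fraction of a day)
  PASSWORD_VERIFY_FUNCTION  ora12c_verify_function;  -- created by $ORACLE_HOME/rdbms/admin/catpvf.sql

-- Attach the profile to an existing account and force a change at next logon.
ALTER USER hr_app PROFILE app_user_profile;
ALTER USER hr_app PASSWORD EXPIRE;

-- 2. Least privilege: a role that can connect and read one table, granted to
--    a reporting account instead of DBA, SELECT ANY TABLE or direct ownership.
CREATE ROLE casefile_reader;
GRANT CREATE SESSION TO casefile_reader;
GRANT SELECT ON hr_app.casefile TO casefile_reader;
GRANT casefile_reader TO reporting_user;

-- 3. Checks an auditor (or the DBA before the auditor) can run.

-- Accounts still using a known default password, as the audit found.
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username;

-- Accounts whose profile never expires the password.
SELECT u.username, u.profile
  FROM dba_users u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE p.resource_name = 'PASSWORD_LIFE_TIME'
   AND p.limit = 'UNLIMITED';

-- Broad "ANY" system privileges held outside the built-in administrative accounts.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA');
```

The three queries at the end are the part worth keeping: they turn the report's findings into a repeatable check, so an agency learns about a default password or a never-expiring profile from its own scheduled query rather than from an auditor who has already copied the data.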
Murphy also advised government agencies to protect databases with methods such as encryption, Oracle's Virtual Private Database or data redaction. If live data is to be used for development purposes, it should be disguised so that it cannot be used inappropriately, he said.
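As an added illustration of the two Oracle features the report names, plus the recommendation to disguise live data before it reaches development, here is example SQL that is not part of the report or of any agency's configuration. It assumes Oracle 12c or later (the SYS_SESSION_ROLES context used in the redaction condition was introduced in 12c), a hypothetical schema hr_app with a table casefile holding office_id, client_id, client_name and date_of_birth columns, and a hypothetical application context APP_CTX that the application sets at logon.

```sql
-- Added example (not from the audit report). Schema hr_app, table casefile,
-- context APP_CTX and role casefile_full are hypothetical.

-- 1. Virtual Private Database: every query against casefile is silently
--    restricted to the caller's office. The policy function returns a predicate
--    that Oracle appends to the WHERE clause; if APP_CTX.OFFICE_ID is unset the
--    predicate compares against NULL and no rows are returned.
CREATE OR REPLACE FUNCTION hr_app.casefile_office_pred (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2) RETURN VARCHAR2
AS
BEGIN
  RETURN 'office_id = SYS_CONTEXT(''APP_CTX'', ''OFFICE_ID'')';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR_APP',
    object_name     => 'CASEFILE',
    policy_name     => 'CASEFILE_BY_OFFICE',
    function_schema => 'HR_APP',
    policy_function => 'CASEFILE_OFFICE_PRED',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);   -- also stop inserts/updates into another office
END;
/

-- 2. Data Redaction: client_id (assumed ten characters) is returned with its
--    first six characters replaced by '*' unless the session holds the
--    casefile_full role. The data itself is unchanged; only result sets are masked.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR_APP',
    object_name         => 'CASEFILE',
    policy_name         => 'MASK_CLIENT_ID',
    column_name         => 'CLIENT_ID',
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last position masked
    function_parameters => 'VVVVVVVVVV,VVVVVVVVVV,*,1,6',
    expression          => 'SYS_CONTEXT(''SYS_SESSION_ROLES'', ''CASEFILE_FULL'') = ''FALSE''');
END;
/

-- 3. A disguised copy for development. Each real client_id is replaced by a
--    pseudonym chosen in random order, so the same client keeps one pseudonym
--    across rows (joins still work) but the mapping cannot be recomputed from
--    the original value. Names are dropped and dates of birth truncated to the year.
CREATE TABLE hr_app.casefile_dev AS
WITH pseudo AS (
  SELECT client_id,
         ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) AS n
    FROM (SELECT DISTINCT client_id FROM hr_app.casefile)
)
SELECT c.casefile_id,
       c.office_id,
       'CLIENT' || LPAD(p.n, 8, '0')     AS client_id,
       'Person ' || c.casefile_id        AS client_name,
       TRUNC(c.date_of_birth, 'YYYY')    AS date_of_birth
  FROM hr_app.casefile c
  JOIN pseudo p ON p.client_id = c.client_id;
```

Two caveats a practitioner would add: VPD and redaction are enforced by the database engine, so they do nothing against the scenario the auditors actually exploited, where a guessed network password exposed exported records and configuration files on file shares; and a masked view (step 2) is not a substitute for step 3, because a development environment with weaker access controls still holds the real rows underneath the mask.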