9% of ACT Govt servers running outdated OS


By Dylan Bushell-Embling
Thursday, 01 March, 2018


Around 9% of ACT Government servers are still running outdated, unsupported operating systems and major departments still lack a unified patch management strategy.

These are among the findings of the latest financial audit into ACT computer information systems completed by the ACT Audit Office.

The report found that while the percentage of servers using unsupported operating systems fell from 32% in 2015–16 to 9% in 2016–17, “the continued use of unsupported operating systems on servers is a risk to the security and performance of the ACT Government network including the applications on the network”.

Compounding the territory’s security risks, the audit found that of the 24,000 active user accounts on the ACT Government network, 23% had not been used for at least three months.

The Audit Office report [PDF] notes that a review of inactive accounts is underway, but had not been completed at the time of the audit.

Around 5.2% of active accounts are generic, shared accounts, and some of these had not had their passwords changed for several years, despite the ACT Government password standard requiring a new password every 90 days.

In addition, the audit found that while the Chief Minister, Treasury and Economic Development Directorate maintains a sound approach to patching operating systems for the shared ICT services platform, there is no defined patch management strategy that sets out a planned approach for patching applications.

In addition, there are no routine scans for critical applications to identify security vulnerabilities. The agencies also do not have an application whitelisting strategy for servers or desktops operating on the network.

The audit also found that 10 systems identified by ACT Government agencies have not been duplicated off-site, leading to a higher risk that these systems will not be available following a major incident or outage. But this was down from 23 systems during last year’s audit.

The report also makes 10 recommendations, ranging from obtaining vendor support for outdated operating systems and performing penetration testing of externally hosted websites to automatically disabling accounts that have not logged on in 90 days and removing all shared user accounts when possible.
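The two account-hygiene checks the audit relies on, inactivity over 90 days and shared accounts whose password is older than the 90-day standard, as an added example that is not from the report or the ACT Government; the account records, the `shared` attribute and the thresholds as constants are assumptions constructed for illustration:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Thresholds taken from the audit findings; stored as constants for this example.
INACTIVITY_DAYS = 90         # recommendation: disable accounts with no logon in 90 days
PASSWORD_MAX_AGE_DAYS = 90   # ACT Government password standard


@dataclass
class Account:
    name: str
    last_logon: Optional[date]   # None means the account has never logged on
    password_set: date           # date the current password was set
    shared: bool                 # generic/shared account flag (assumed attribute)


def stale_accounts(accounts: List[Account], today: date, days: int = INACTIVITY_DAYS) -> List[str]:
    """Names of accounts with no logon in the last `days` days (never-used accounts count as stale)."""
    cutoff = today - timedelta(days=days)
    return [a.name for a in accounts if a.last_logon is None or a.last_logon < cutoff]


def shared_with_old_password(accounts: List[Account], today: date,
                             max_age: int = PASSWORD_MAX_AGE_DAYS) -> List[str]:
    """Names of shared accounts whose password is older than the standard allows."""
    cutoff = today - timedelta(days=max_age)
    return [a.name for a in accounts if a.shared and a.password_set < cutoff]


def audit_summary(accounts: List[Account], today: date) -> dict:
    """Figures an auditor would report: counts, the inactive percentage and the offending names."""
    stale = stale_accounts(accounts, today)
    return {
        "total": len(accounts),
        "stale": stale,
        "stale_pct": round(100.0 * len(stale) / len(accounts), 1) if accounts else 0.0,
        "shared_old_password": shared_with_old_password(accounts, today),
    }


# Constructed sample export, not real ACT Government data.
TODAY = date(2018, 3, 1)
SAMPLE = [
    Account("alice", date(2018, 2, 27), date(2018, 1, 10), False),
    Account("bob", date(2017, 10, 1), date(2017, 9, 1), False),        # no logon for ~5 months
    Account("svc-print", date(2018, 2, 28), date(2014, 5, 3), True),    # shared, password years old
    Account("contractor7", None, date(2017, 6, 1), False),              # never logged on
]

if __name__ == "__main__":
    print(audit_summary(SAMPLE, TODAY))
```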
