State government agencies still struggling with securing user access
The criticality of financial systems used by government agencies has long necessitated their fortification against insider threats and external threat actors.
Most state and territory governments have a version of a Protective Security Policy Framework (PSPF) that sets information security expectations for all entities. These often lean heavily on the Australian Cyber Security Centre’s (ACSC) Essential Eight controls, defining a minimum set of standards for governance of user and privileged access management and related security protections.
At least four Australian states also publish audits on how financial systems — and sometimes other information systems — match up to expectations and benchmarks.
Year-on-year, the findings of these audits can be repetitively consistent. Agencies often find themselves in rolling, complex uplift programs to improve the application of user access controls to their financial systems, or to other high-risk environments, yet still find it hard to improve the metrics that measure success.
But this year’s reports also uncover some particularly problematic case studies of privilege access management behaviours: from documenting credentials in plaintext, to not reviewing or acting on privileged access logs and repeated failed login attempts, and being unable to contain a proliferation of privileged accounts being set up every time a new system is generally available.
The collective experience across state and territory borders should, at the very least, give agencies and their security teams pause to review identity practices, particularly in relation to privileged access management.
New South Wales
In 2024, nine out of 26 agencies audited “did not effectively restrict privileged user accounts, or did not effectively monitor those accounts,” while eight “failed to effectively review and revalidate user access.” The audit made four high-risk findings, three related to privileged access management. It found one agency kept revoking and reinstating high-level privileged access to a user that didn’t need it, and without getting the necessary approvals. In another incident, undocumented privileged accounts were repeatedly set up during IT projects and then left dormant. One of these accounts allowed unfettered access to a finance system used by multiple agencies. Finally, privileged accounts at one agency were locked following repeated unsuccessful login attempts, but the behaviour was never investigated.
Queensland
The state’s auditor “continues to identify new control weaknesses with the security of information systems” despite prior recommendations on where to improve. It has previously reminded all agencies to “regularly review user access to ensure it remains appropriate” and to “monitor activities performed by employees with privileged access … to ensure they are appropriately approved.” For 2023, the state “frequently [found] that some users are provided with full access to information systems when their job responsibilities do not require it.” Overly-permissive systems administration access provisioned to third-party service providers was also a key concern.
Western Australia
Capability and control assessments of agencies found only 21% of entities met benchmarks in 2022–23, compared to 24% the prior year. Ten “significant” user access issues were identified, along with 108 “moderate” issues that need to be addressed. The WA auditor found that access privileges “were not regularly reviewed”, increasing the risk of both “unintentional or intentional misuse of access”; accounts of former staff were also not disabled “in a timely fashion”; and MFA was either “not used or not adequate.” Several case studies underlined hygiene issues. These include a vendor being given unmonitored “highly privileged access” to a government environment via a generic account; and an agency that stored “the credentials of a highly privileged generic account in clear text in a user manual” with a password that “was short, simple and easy to guess.”
South Australia
The latest audit of eight agencies and 15 key agency financial systems uncovered 49 user access management issues, 11 of them rated “high risk.” User access controls dominated as the type of control with the largest number of issues, and it was second behind patch management in “high risk” findings. One case study identified an authority that “had not reviewed the privileged user access audit logs of its customer relationship management system since it was implemented,” raising the prospect that unauthorised changes to financial data could go undetected. In response, it was recommended that agencies “promptly remove inappropriate user access, perform regular user access reviews and maintain evidence of user access changes” to improve overall posture and reduce the incidence of control deficiencies.
Key takeaways
There’s strong recognition in the government sector of the need to improve privileged account management. This year’s Western Australia Cyber Security Policy, for example, leverages the Essential Eight to require agencies to implement an identity lifecycle management process, follow least privilege principles when granting access to system resources and data, and implement password filtering on all user accounts. Similar requirements also exist in other states and territories.
The challenge is not just having the policies in the first place, but also being able to enforce them, particularly on the agency side. The consistency with which agencies experience user access management issues shows that, without the support of specific tooling, challenges can be obstinately persistent in environments.
Audited agencies are likely to benefit from a heightened internal focus around mapping out financial system access controls, the level of administrative access being granted, and the authentication protection applied to these accounts. Meanwhile, those not subjected to an audit this year are on notice that they may face more stringent checks next year, and should learn lessons from these findings.
While a review of access control and privileged user account management at least once a year is advisable, agencies should prioritise this activity for continuous monitoring, given the current audit landscape. Automating these reviews can allow them to be run more frequently, at a lower cost, and ultimately have less surprises.
Agencies should also work to adopt privilege access management (PAM) technology that is capable of securing every privileged user, asset, and session, that can automatically discover and onboard all privileged accounts, secure access to privileged credentials and secrets, and audit all privileged activities, regardless of whether they are by employees or third-party contractors, especially those with remote access.
|
Phishing-resistant MFA: elevating security standards in the public sector
Phishing remains a significant issue for government agencies, and current MFA solutions often...
Building secure AI: a critical guardrail for Australian policymakers
While AI has the potential to significantly enhance Australia's national security, economic...
Building security-centric AI: why it is key to the government's AI ambitions
As government agencies test the waters of AI, public sector leaders must consider how they can...