Western Australian government agencies collect and store a significant amount of sensitive and confidential information. The public rightly expects agencies to protect this information from unauthorised access. Effective management and use of passwords remains a vital part of information security. However, since 2004 our information systems audits have consistently raised issues around agency access controls, particularly passwords.
The objective of this audit was to determine if selected government agencies are using good practices to manage network passwords, to protect the information they hold.
Over one quarter of the enabled network accounts we looked at had weak passwords at the time of audit. In a number of instances these accounts are used to access critical agency systems and information via remote access without any additional controls.
Generally, agencies lacked technical controls to enforce good passwords across networks, applications and databases, and did not have guidance about good practice for password management.
Agencies have a diverse range of users, applications and services with different purposes and security requirements. These require different types of accounts or identities to access information from inside and outside agencies. For example:
- Employees: normal user accounts for staff to perform day-to-day tasks
- Partners: accounts for contractors and vendor support staff
- Privileged accounts: individuals with high-level administrative privileges, such as system, network and database administrators
- Shared and generic accounts: default and vendor accounts that are not tied to a specific individual and whose passwords are shared with other users
- Services and applications: accounts used by operating system services and applications such as web servers, email services and backup jobs.
Passwords are still the main control agencies use to protect information systems and are an important security mechanism for all account types. Good password management practices combine people, process and technology to secure the use and management of passwords. Creating complex, hard-to-guess passwords requires at least 3 of the following categories (the default Windows Active Directory complexity rule):
- uppercase letters (A through Z)
- lowercase letters (a through z)
- digits (0 through 9)
- non-alphanumeric characters (e.g. !, $).
However, passwords that meet complexity requirements may still be weak if they are common words with predictable variations (a capitalised first letter, a digit or '!' appended, letters swapped for look-alike symbols), follow keyboard patterns, or appear in publicly available password dictionaries.
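The following is an added example, not part of the audit report, showing why a complexity rule alone does not catch weak passwords. It applies a simplified version of the Active Directory complexity check (3 of 4 character categories, minimum length) and then a dictionary check that first undoes the usual mangling (trailing digits and symbols, leading symbols, case, look-alike substitutions) before comparing against a word list. The word list, keyboard walks and sample passwords are constructed for illustration and are not the audit's list; `normalise`, `is_weak` and `assess` are names chosen here.

```python
import re
import string

# Constructed, hypothetical stand-in for the public password dictionaries the audit drew on.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "admin", "qwerty", "monkey"}

# Keyboard walks that show up in dictionaries; a real list is far longer.
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "1qaz2wsx", "12345")

# Undo the usual character substitutions (P@ssw0rd -> password) before dictionary lookup.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "!": "i", "1": "l",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def meets_ad_complexity(pw: str, min_len: int = 8) -> bool:
    """Simplified Windows AD rule: minimum length and at least 3 of the 4 character
    categories (upper, lower, digit, non-alphanumeric). The real rule also rejects
    passwords containing parts of the account name, which is not modelled here."""
    categories = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= min_len and sum(categories) >= 3


def normalise(pw: str) -> str:
    """Strip the mangling users add to satisfy complexity: trailing digits/symbols
    (Password1!, Summer2018), leading symbols (!Welcome), case and leet spelling."""
    core = re.sub(r"[\d\W_]+$", "", pw)   # drop trailing digits / symbols
    core = re.sub(r"^[\W_]+", "", core)   # drop leading symbols
    return core.lower().translate(LEET)


def is_weak(pw: str) -> bool:
    """Weak means: a dictionary word after normalisation, or contains a keyboard walk."""
    if normalise(pw) in COMMON_WORDS:
        return True
    lowered = pw.lower()
    return any(walk in lowered for walk in KEYBOARD_WALKS)


def assess(pw: str) -> str:
    """Combine both checks the way an audit finding would report them."""
    if not meets_ad_complexity(pw):
        return "fails complexity"
    if is_weak(pw):
        return "meets complexity but weak"
    # Absence from the list is not proof of strength, only absence of a match.
    return "no dictionary match (not proven strong)"


if __name__ == "__main__":
    # Constructed sample of the kind of passwords found at audit (no real credentials).
    for sample in ("Password1", "P@ssw0rd!", "Welcome123", "Summer2018",
                   "Qwerty123!", "welcome", "kT7#vQ2mLp!x9Rz"):
        print(f"{sample:18s} {assess(sample)}")
```

Every password in the sample except the last two passes the complexity rule, and all of those are recovered by the dictionary check; the last line of `assess` mirrors the audit's own caveat that a password missing from the list has not been shown to be strong.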
The importance of password security is well known. The July 2018 Notifiable Data Breaches Quarterly Statistics Report stated that 59% of data breaches involved malicious attacks, most of them the result of compromised credentials. Phishing and brute force accounted for 43% of the attacks. Another global report linked 81% of hacking-related breaches to stolen or weak passwords. Globally, each data breach is estimated to cost an average of US$3.62m.
What we did
As part of our annual information systems audits, we assessed 17 agencies’ processes and controls in place to manage passwords and privileged accounts. We processed about 520,000 enabled and disabled accounts across agencies’ Active Directory (AD) environments by collecting the AD information using encrypted USBs. We analysed and disposed of the information in a secure offline environment. In performing this work, we:
- assessed the stored password hashes from each agency's AD environment. We also assessed old disabled accounts to understand password composition trends over time. Where possible, we used data from the AD to determine the purpose and level of privilege of each account
- used a password cracking method known as a dictionary attack, with a list of well-known or commonly used passwords such as 'Password1' and 'Welcome123'. We compiled the list from publicly available password dictionaries used for penetration testing assessments. Weak passwords not on our list were not identified by this testing, so our results understate the true number of weak passwords
- reviewed agency policies and security awareness training
- provided agencies with information so they can implement strong passwords for identified weak accounts.