Keystart Housing Scheme Trust uses the Keysmart system to manage home loan enquiries, application processing, broker commissions and loans. The system stores confidential information including loan applicants’ proof of identity, bank account details, marriage status and proof of employment.
Keysmart achieves its purpose, enabling Keystart Housing Scheme Trust to manage the operations of its business. However, to better protect customers’ personal and credit information, Keystart needs to enhance the security of the system. This includes better user access management, stronger passwords and regular software updates.
Keystart was established in 1989 by the Western Australian government to provide secured and low-deposit home loans to Western Australians. Keystart assesses, approves, manages and discharges its home loans using the Keysmart application.
Applicants can submit their loan applications to Keystart in person at an office location or online. They can also use a broker, who can enter the loan on the applicants’ behalf using the Keysmart broker portal.
Loan applications include personal information such as proof of identity, financial statements, marriage status and proof of employment. Once the loan is finalised Keystart uses Keysmart to manage the life of the loan and pay broker commissions. Approved applicants can also view their loan activity through the Keysmart client portal.
The Keysmart application was developed in-house. In 2017, it was used to process an average of 306 applications and approve about $62.6 million worth of loans each month.
Inadequate user management and weak passwords increase the risk of unauthorised access to loan information
Keysmart holds confidential information on loan applications and approvals and good user access management is critical for its protection. Keystart has a user access management policy describing the creation, change, removal and review of user accounts. However, we found the policy to be inadequate as it does not apply to privileged, system and database accounts. Further, the user account review process does not state when and how the reviews will be undertaken, and by whom.
We also identified:
- Unused system accounts – 32 system accounts that had not been used for 1 to 8 years. These accounts increase the opportunities available to an attacker to gain access to information.
- Weak database passwords – 20 accounts with easy-to-guess passwords. Fifteen of these were default passwords for disabled system accounts. These accounts generally have higher privileges and their default passwords are well known. It is good practice to change the default password for these accounts even though they are disabled. In addition, we found 11 accounts that had not had their passwords changed for over 6 years. Without appropriate database security there is an increased risk of unauthorised access to information.
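The account review the findings above call for can be scripted. The following is an added example, not Keystart's or the auditor's code; the account records, review date and thresholds are constructed, and a password unchanged since account creation is used as the signal that a default password may still be set.

```python
# Added example: review user, privileged, service and database accounts for the
# conditions in the audit findings (unused accounts, stale passwords, defaults
# never changed). Records and thresholds below are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_DATE = date(2018, 6, 30)           # assumed review date
UNUSED_LIMIT = timedelta(days=365)        # idle a year or more: disable or remove
PASSWORD_AGE_LIMIT = timedelta(days=365)  # assumed maximum password age


@dataclass
class Account:
    name: str
    kind: str                  # "user", "privileged", "service" or "database"
    created: date
    last_login: Optional[date]
    password_changed: date
    disabled: bool = False


def review(accounts, today=REVIEW_DATE):
    """Return {account_name: [findings]} for every account needing attention."""
    findings = {}
    for a in accounts:
        issues = []
        idle_since = a.last_login or a.created   # never logged in: idle since creation
        if not a.disabled and today - idle_since >= UNUSED_LIMIT:
            issues.append("unused for %d days; disable or remove" % (today - idle_since).days)
        # A password never changed since creation suggests the default is still set.
        # The audit notes this matters even for disabled, high-privilege accounts.
        if a.password_changed <= a.created:
            issues.append("password never changed since creation (likely default)")
        elif today - a.password_changed > PASSWORD_AGE_LIMIT:
            issues.append("password not changed for %d days" % (today - a.password_changed).days)
        if issues:
            findings[a.name] = issues
    return findings


SAMPLE = [  # constructed records
    Account("svc_batch", "service", date(2009, 1, 5), date(2010, 3, 1), date(2009, 1, 5)),
    Account("dbadmin", "database", date(2012, 2, 1), date(2018, 6, 29), date(2012, 2, 1), disabled=True),
    Account("broker_api", "service", date(2015, 5, 5), date(2018, 6, 28), date(2018, 1, 10)),
    Account("legacy_etl", "database", date(2011, 9, 9), date(2018, 6, 1), date(2011, 9, 9)),
]

if __name__ == "__main__":
    for name, issues in review(SAMPLE).items():
        print(name, "->", "; ".join(issues))
```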
Vulnerabilities exist due to inadequate configuration of software updates
Keystart has a vulnerability management process in place. However, we identified vulnerabilities on a number of servers and workstations, including the Keysmart application and its underlying database.
We identified 4 critical and 53 high rated vulnerabilities which may be exploited to gain access to systems and disrupt business operations. This was mainly due to inadequate configuration of applied patches making them ineffective. Without effective vulnerability management there is an increased risk to the confidentiality, integrity and availability of Keystart systems.
Recommendations
Keystart should:
- identify and appropriately disable or remove any system accounts that are no longer required
- review and enhance its access management procedures to include user, privileged, service and database accounts
- review and enhance its technical vulnerability management process to apply software updates in a timely manner and in accordance with vendors’ recommendations.
Keystart appreciates the importance of having adequate controls in place for corporate applications to protect information assets in the course of operational activities. As such, we take the findings seriously and accept that there are some controls that need to be improved.
Keystart fully accepts:
Recommendation (1): Keystart has amended policy and procedure to include system accounts as part of its regular user audit, and has completed an audit under the new policy.
Keystart accepts in part:
Recommendation (2): User access management procedures are already in place to review user and privileged accounts. As with recommendation (1), the policy and procedure have now been amended to include service and database accounts.
Recommendation (3): Keystart’s compensating controls would minimise the impact of exploited vulnerabilities. In addition, Keystart already applies software updates in a timely manner; however, it acknowledges that some secondary actions to enforce those updates were not actioned. This has been addressed and corrected.