
Information Systems Audit Report 2018

Tenancy Bonds Management System – Department of Mines, Industry Regulation and Safety


Tenancy Bonds pie chart

Introduction

The Tenancy Bonds Management System (TBMS) is used by the Department of Mines, Industry Regulation and Safety (DMIRS) to manage the processing of residential and long stay tenancy bonds. The system stores confidential information, including individuals’ driver’s licence and banking details.

Conclusion

The TBMS supports DMIRS to manage the lodgement, variation and disposal of tenancy bonds. However, DMIRS’s current security controls are not effective in protecting the confidentiality, integrity and availability of the information it stores.

Confidential tenant information is at risk of exposure due to weak passwords, inadequate user management and poor database management practices. System integrity is also at risk due to missing software updates, insufficient event monitoring, lack of risk assessments, and out of date system support documentation.

Information sharing with third parties is not secure, which we first raised with DMIRS in 2016. This increases the risk of unauthorised access to confidential information and needs to be addressed.

Background

A security bond is an upfront payment made by a tenant to cover any outstanding costs at the end of a tenancy. The bond is held in trust by the Bond Administrator, which is DMIRS. To carry out this role, DMIRS uses the TBMS to maintain proper account and transaction records as required under the Residential Tenancies Act 1987.

Bonds can be lodged with DMIRS, by post, email or in person. DMIRS uses the TBMS to process bond forms and provide workflow, management and reporting functions. It is a custom-built application, developed and maintained by DMIRS.

The TBMS is used by registered real estate agents to transact bonds using the internet portal, BondsOnline. The Magistrates Court also uses the system for court ordered bond disposals back to the tenant. In September 2016, it became mandatory for real estate agents to lodge bonds using BondsOnline.



Each month DMIRS processes an average of:

  • 9,400 bond lodgements, of which around 83% are processed electronically by real estate agents
  • 1,500 variations to bond agreements
  • 8,500 disposals of bond money at the end of a tenancy, of which around 48% are processed electronically by real estate agents.

At the end of September 2017, DMIRS held $353.5 million worth of bonds in trust.

Audit findings

Inadequate access controls increase the risk of unauthorised access or misuse

We found weaknesses with access controls for TBMS. Ensuring users are appropriately authorised and authenticated is vital to the security of the personal information stored within the application. We identified:

  • Weak password configuration – The password configuration for the BondsOnline portal is inadequate and does not meet good practice for minimum length, complexity, ageing and reuse. We found that 10% of the BondsOnline passwords were very weak and there was no account lockout policy. Weak password configuration and a lack of lockout policy make the portal susceptible to password guessing attacks. This could lead to unauthorised access to the application data and allow further exploitation of DMIRS’s IT systems.
  • External user accounts are not well managed – Real estate agents are responsible for managing their own BondsOnline user accounts, but overall responsibility for user management lies with DMIRS. While DMIRS manages internal access to the application well, the same controls are not applied to external access by third parties. Around 23% of external BondsOnline user accounts had not accessed the system in over a year. Dormant user accounts increase the likelihood of unauthorised or inappropriate access. For example, staff who have left a real estate agency could use a dormant account to access the application and its information.
  • Insecure logins – Login information used to access the application is not encrypted. This creates a vulnerability that could compromise DMIRS’s other systems.
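The three access-control findings above (weak passwords with no lockout, dormant external accounts, and unmanaged third-party users) are all things a periodic automated review can surface. The following is an added example, not DMIRS code or part of the audit: it enforces a password policy at set time, and audits an existing user store for breach-list passwords, expired passwords, dormant accounts and accounts that should be locked. The policy values, the account record fields (`username`, `pw_hash`, `password_set`, `last_login`, `failed_attempts`) and the sample accounts are all assumptions constructed for the example.

```python
"""Access-control hygiene checks for a web portal's user store.

Added example, not DMIRS code. Assumptions: accounts are dicts with
'username', 'pw_hash' (SHA-256 hex, for illustration only; a real store
uses a slow salted hash such as bcrypt or argon2), 'password_set',
'last_login' and 'failed_attempts'. Policy numbers are illustrative.
"""
import hashlib
import re
from datetime import date

MIN_LENGTH = 12          # assumed policy values, not DMIRS's settings
MAX_AGE_DAYS = 90
DORMANT_DAYS = 365
LOCKOUT_THRESHOLD = 5
# Constructed stand-in for a breach-derived banned-password list.
BANNED = {"password", "password1", "welcome1", "bonds2018", "qwerty123"}


def password_problems(pw: str) -> list:
    """Rules a candidate password fails at set time; empty list = acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("insufficient complexity")
    if pw.lower() in BANNED:
        problems.append("commonly used password")
    return problems


def _h(pw: str) -> str:
    # Illustrative only: an unsalted fast hash is never acceptable in production.
    return hashlib.sha256(pw.encode()).hexdigest()


BANNED_HASHES = {_h(p) for p in BANNED}


def review_accounts(accounts, today: date) -> dict:
    """Audit existing accounts without ever handling plaintext passwords.

    Weak-password detection compares stored hashes against hashes of the
    banned list; the other checks use the account's own metadata.
    """
    report = {"weak": [], "expired": [], "dormant": [], "lock": []}
    for a in accounts:
        u = a["username"]
        if a["pw_hash"] in BANNED_HASHES:
            report["weak"].append(u)
        if (today - a["password_set"]).days > MAX_AGE_DAYS:
            report["expired"].append(u)
        if (today - a["last_login"]).days > DORMANT_DAYS:
            report["dormant"].append(u)
        if a["failed_attempts"] >= LOCKOUT_THRESHOLD:
            report["lock"].append(u)
    return report


# Constructed sample user store and review date.
SAMPLE_DATE = date(2017, 9, 30)
SAMPLE = [
    {"username": "agent01", "pw_hash": _h("password1"),
     "password_set": date(2016, 1, 4), "last_login": date(2016, 3, 1),
     "failed_attempts": 0},
    {"username": "agent02", "pw_hash": _h("Tr!p0d-Harbour-42"),
     "password_set": date(2017, 8, 1), "last_login": date(2017, 9, 29),
     "failed_attempts": 7},
    {"username": "court01", "pw_hash": _h("Sw0rdfish#Lodge"),
     "password_set": date(2017, 9, 1), "last_login": date(2017, 9, 30),
     "failed_attempts": 1},
]

if __name__ == "__main__":
    print(password_problems("password1"))
    print(review_accounts(SAMPLE, SAMPLE_DATE))
```

Running `review_accounts` on a schedule and feeding the `dormant` list back to the account owners (here, the real estate agents) is the "periodic review of external user accounts" the recommendations call for; the `lock` list is what an account lockout policy would act on automatically.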

Security vulnerabilities are not well managed, leaving TBMS exposed to attacks

DMIRS does not effectively protect its systems from the threat of cyber-attacks. Software vulnerabilities can be exploited to gain unauthorised access to sensitive data or interrupt DMIRS’s business. Regular patching and vulnerability scans are important for securing systems; however, DMIRS:

  • does not have a vulnerability management policy
  • has not endorsed, and is not following, its patch management procedure
  • is not using its vulnerability scanning software to perform regular scans to identify vulnerabilities in its IT environment to ensure patches are effective.

Our vulnerability scans of the key TBMS servers identified 975 vulnerabilities. Of these:

  • 182 were rated critical and 793 rated high
  • 508 had publicly available exploits on the internet that can be used by hackers to access the servers.

We also found that the server which grants user access to the BondsOnline portal is unsupported by the vendor. It no longer receives security updates, leaving the confidentiality and availability of the system unprotected.

The TBMS was last updated in November 2016. In addition, a number of patches released by the vendor since January 2015 have not been applied. These include patches which address known security vulnerabilities. Timely application of patches is important for protecting the database.

Our external vulnerability assessment identified a number of default settings and misconfigurations that weaken the security of the system. These included:

  • the use of a legacy security protocol that has known vulnerabilities
  • the use of encryption algorithms that are weak and known to have been compromised
  • default application settings that make it susceptible to cyber-attacks.
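A scan that reports 975 findings is only useful if the results are triaged: a high-severity finding with a public exploit on an unsupported server needs a different response from a low-severity one on a patched host. The block below is an added example, not DMIRS's code or any scanner's output format: it ranks constructed scan findings into remediation tiers using severity, public-exploit availability and vendor support status, summarises them the way the report does, and flags legacy protocols and weak ciphers in a constructed TLS configuration. Host names, plugin identifiers and the inventory are placeholders.

```python
"""Triage of vulnerability-scan findings into remediation priorities.

Added example, not DMIRS's or any scanner's code. Assumes each finding is
a dict {host, plugin, severity, exploit_public} and that host support
status comes from an inventory dict. All sample data is constructed.
"""
from collections import Counter

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}   # deprecated versions
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "anon")

# Constructed inventory: vendor_supported=False models an end-of-life server.
INVENTORY = {
    "tbms-app01": {"vendor_supported": True},
    "portal-auth01": {"vendor_supported": False},
}

# Constructed scan findings; plugin names are placeholders, not real scanner IDs.
FINDINGS = [
    {"host": "tbms-app01", "plugin": "PLACEHOLDER-001", "severity": "critical", "exploit_public": True},
    {"host": "tbms-app01", "plugin": "PLACEHOLDER-002", "severity": "high", "exploit_public": False},
    {"host": "tbms-app01", "plugin": "PLACEHOLDER-003", "severity": "medium", "exploit_public": True},
    {"host": "portal-auth01", "plugin": "PLACEHOLDER-004", "severity": "high", "exploit_public": False},
    {"host": "portal-auth01", "plugin": "PLACEHOLDER-005", "severity": "low", "exploit_public": False},
]

# Constructed TLS settings for one listener.
SAMPLE_TLS = {
    "protocols": ["TLSv1.0", "TLSv1.2"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"],
}


def priority(finding: dict, inventory: dict = INVENTORY) -> str:
    """P1 = fix first. A public exploit or an unsupported host (no patch will
    ever arrive, so the fix is replacement or isolation) raises the tier."""
    sev = finding["severity"]
    unsupported = not inventory[finding["host"]]["vendor_supported"]
    if sev in ("critical", "high") and (finding["exploit_public"] or unsupported):
        return "P1"
    if sev in ("critical", "high"):
        return "P2"
    if sev == "medium" and finding["exploit_public"]:
        return "P2"
    if sev == "medium":
        return "P3"
    return "P4"


def summarise(findings: list) -> dict:
    """Counts in the shape an audit or management report would quote."""
    return {
        "total": len(findings),
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "public_exploit": sum(1 for f in findings if f["exploit_public"]),
        "by_priority": dict(Counter(priority(f) for f in findings)),
    }


def tls_issues(config: dict) -> list:
    """Default/legacy settings that weaken transport security."""
    issues = [f"legacy protocol enabled: {p}"
              for p in config["protocols"] if p in LEGACY_PROTOCOLS]
    issues += [f"weak cipher enabled: {c}"
               for c in config["ciphers"]
               if any(m in c for m in WEAK_CIPHER_MARKERS)]
    return issues


if __name__ == "__main__":
    print(summarise(FINDINGS))
    print(tls_issues(SAMPLE_TLS))
```

The tiering is deliberately simple so that its rules can be written into the vulnerability management policy the report says is missing: the policy states the tiers and the remediation deadline for each, and the scan output is re-run after patching to confirm the finding has cleared.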

Sensitive data is at risk of exposure due to insufficient security controls

The TBMS stores personally identifiable information of tenants and owners, much of which is confidential. DMIRS’s current security controls are not effective in protecting the confidentiality, integrity and availability of the information it stores. Some of the weaknesses we noted were:

  • Sharing data with third parties – DMIRS shares personal information from the TBMS with a third party using an insecure file sharing portal. The portal does not require a username or password to download information, which is sent in clear text and not secured using encryption. Sharing sensitive information with third parties without adequate controls increases the risk of data theft.

This weakness was first highlighted to DMIRS in our June 2016, Information Systems Audit Report.

  • Insecure access to documents – DMIRS stores documents relating to bonds in its recordkeeping system. These include bond lodgement, variation and disposal documents as well as other communication with tenants and agents. Sensitive information from 100-point identity checks, such as a driver’s licence information, is also stored in the system. Our review of the recordkeeping system identified accounts with inappropriate access to these sensitive documents. Appropriately managing who has access to bond documents within the recordkeeping system is important to reduce the risk of unauthorised access to, or modification of, these documents.
  • Sensitive information is not de-identified – Sensitive information, including bank account details, is not encrypted within the TBMS database. In addition, DMIRS uses personal information in its development and testing databases, which do not have the same security controls. This data is not de-identified, which, if inappropriately accessed, increases the risk of sensitive personal information being misused.
  • Database passwords were easily guessed – We identified 36 accounts with easy to guess passwords for the network systems and the TBMS application. Twenty-one of these are inactive system accounts which have not had their default passwords changed. Four were highly privileged accounts, which are often targeted by attackers. Easy to guess passwords are inconsistent with good practice and increase the likelihood of unauthorised access.
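The de-identification finding above is the one most often left unaddressed because test databases need realistic data and referential integrity. The block below is an added example, not DMIRS code: it shows how a production extract can be de-identified before being loaded into a development or test database, using keyed pseudonyms (so a tenant's bonds still join to the same fake tenant), masking for bank details and redaction for identity-check data, with a check that no original value survives. The record fields, the HMAC key and the sample records are all constructed for the example.

```python
"""De-identifying a production extract before it is loaded into a test database.

Added example, not DMIRS code. Record fields, the HMAC key and all sample
values are constructed; a real deployment keeps the key in a secrets store
and never ships it with the test data.
"""
import hashlib
import hmac
import re
from copy import deepcopy

# Constructed key for this example only.
PSEUDONYM_KEY = b"example-key-replace-with-secret-from-vault"


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY, length: int = 12) -> str:
    """Keyed, deterministic token: the same input always maps to the same
    token, so bonds still join to the right (fake) tenant, but the token
    cannot be reversed to the original value without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:length]


def mask_account(number: str) -> str:
    """Keep only the last four digits so testers can still eyeball records."""
    digits = re.sub(r"\D", "", number)
    return "*" * (len(digits) - 4) + digits[-4:]


def deidentify(record: dict) -> dict:
    """Return a copy safe for a test database; non-sensitive fields are kept."""
    out = deepcopy(record)
    out["tenant_id"] = pseudonym(record["tenant_id"])
    out["tenant_name"] = "Tenant " + pseudonym(record["tenant_name"], length=6)
    out["email"] = pseudonym(record["email"]) + "@example.invalid"
    out["drivers_licence"] = "REDACTED"      # identity-check data has no test-time use
    out["bank_account"] = mask_account(record["bank_account"])
    return out


def leaks(original: dict, cleaned: dict,
          fields=("tenant_name", "email", "drivers_licence", "bank_account")) -> list:
    """Fields whose original value still appears anywhere in the cleaned record."""
    blob = " ".join(str(v) for v in cleaned.values())
    return [f for f in fields if str(original[f]) in blob]


# Constructed sample extract: two bonds belonging to the same tenant.
SAMPLE = [
    {"tenant_id": "T-1001", "tenant_name": "Jane Citizen", "email": "jane@example.com",
     "drivers_licence": "WA1234567", "bank_account": "123-456 12345678", "bond_amount": 1800},
    {"tenant_id": "T-1001", "tenant_name": "Jane Citizen", "email": "jane@example.com",
     "drivers_licence": "WA1234567", "bank_account": "123-456 12345678", "bond_amount": 2200},
]

if __name__ == "__main__":
    for r in SAMPLE:
        c = deidentify(r)
        print(c, "leaks:", leaks(r, c))
```

The same HMAC-based tokenisation does not replace encryption of bank account details in the production database (the report's separate finding); it is the control for the copies that leave the production environment's protections.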

Inadequate monitoring means unauthorised access or changes may go undetected

DMIRS does not have a formal policy or procedures in place for the logging and monitoring of key activities in the TBMS. The server which grants user access to the BondsOnline portal is not monitored, and unsuccessful login attempts to the portal are not recorded. Although the TBMS application and supporting infrastructure record many events, these are only reviewed on an ad hoc basis.

Analysis of successful login attempts may provide insight into unauthorised activity such as inappropriate access to information and changes to records. Monitoring failed login attempts could reveal an attempt to break into the system. Without appropriate logging and monitoring policy and procedures DMIRS may not be able to detect unauthorised access or malicious activity.
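The monitoring gap described above (failed portal logins not recorded, events reviewed only ad hoc) is closed by two things: recording every authentication attempt, and running a small set of detections over those records continuously rather than by hand. The block below is an added example, not DMIRS code: it parses constructed portal authentication log lines and raises an alert for a burst of failed logins on one account, and a separate alert when a success follows such a burst, which is the pattern a successful password-guessing attempt leaves. The log format, the field names, the thresholds and the addresses (RFC 5737 documentation ranges) are all assumptions.

```python
"""Detection logic for portal authentication logs.

Added example, not DMIRS code. The log format, field names, thresholds and
sample lines are constructed; addresses are from RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, result, user and source address.
LINE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 5               # assumed tuning values
WINDOW = timedelta(minutes=10)

# Constructed sample log: one clean login, a guessing burst that succeeds,
# an ordinary typo, and a non-auth line the parser must ignore.
SAMPLE_LOG = """\
2017-09-28T09:00:01Z auth result=OK user=court01 src=198.51.100.7
2017-09-28T09:15:02Z auth result=FAIL user=agent01 src=203.0.113.5
2017-09-28T09:15:09Z auth result=FAIL user=agent01 src=203.0.113.5
2017-09-28T09:15:15Z auth result=FAIL user=agent01 src=203.0.113.5
2017-09-28T09:15:21Z auth result=FAIL user=agent01 src=203.0.113.5
2017-09-28T09:15:30Z auth result=FAIL user=agent01 src=203.0.113.5
2017-09-28T09:16:01Z auth result=OK user=agent01 src=203.0.113.5
2017-09-28T10:00:00Z auth result=FAIL user=agent02 src=198.51.100.7
2017-09-28T10:00:20Z auth result=OK user=agent02 src=198.51.100.7
2017-09-28T10:05:00Z portal restarted
"""


def parse(text: str) -> list:
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def detect(events: list) -> list:
    """Return (alert_type, user, src) tuples in time order."""
    alerts = []
    recent_fails = defaultdict(list)   # user -> failure timestamps inside WINDOW
    burst_alerted = set()              # avoid re-alerting on every further failure
    for e in sorted(events, key=lambda x: x["ts"]):
        fails = recent_fails[e["user"]]
        while fails and e["ts"] - fails[0] > WINDOW:
            fails.pop(0)               # slide the window forward
        if e["result"] == "FAIL":
            fails.append(e["ts"])
            if len(fails) >= FAIL_THRESHOLD and e["user"] not in burst_alerted:
                burst_alerted.add(e["user"])
                alerts.append(("FAILED_LOGIN_BURST", e["user"], e["src"]))
        else:
            # A success right after a burst is the signal worth paging on:
            # it may mean the guessing worked and the account is now in use.
            if len(fails) >= FAIL_THRESHOLD:
                alerts.append(("SUCCESS_AFTER_FAILURES", e["user"], e["src"]))
            fails.clear()              # a genuine login resets the counter
            burst_alerted.discard(e["user"])
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The two alert types map to the two sentences in the paragraph above: the burst alert is the "attempt to break into the system", and the success-after-failures alert is the kind of successful-login analysis that reveals unauthorised activity. Both depend on the portal actually writing failed attempts to the log, which the report notes it currently does not.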

Information technology risks to the TBMS have not been assessed

DMIRS has not assessed information technology risks to the TBMS application and information. Good risk management enables DMIRS to identify, assess and treat risks in a structured fashion. It also ensures decisions around risk are considered and actioned by suitable levels of governance. Without a risk assessment, senior management are less likely to know if implemented controls are managing the risks to the application within DMIRS’s risk appetite.

In addition, DMIRS has not updated its IT risk register for over a year. An out of date risk register may not represent the current threat and control environment. As a result, DMIRS may not be adequately managing existing and new risks to the application.

DMIRS manages sensitive information and a breach of this may have serious implications for the individuals involved and may also cause reputational damage to DMIRS. To ensure that DMIRS is protecting this information it is essential that risks to the application are regularly considered and controls to mitigate are in place.

Backup testing and updated documentation is required to ensure ongoing and effective support for the TBMS

The TBMS application and information are backed up on a regular basis, but DMIRS does not regularly test these backups. Testing of backups is important to ensure that all the information required to recover the application is being backed up and restoration procedures work as expected.
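A backup that has never been restored is an assumption, not a control. The block below is an added example, not DMIRS code, of the routine restore test the recommendations ask for: it takes a checksum manifest at backup time, restores the archive into an isolated scratch directory (never over production), and verifies every file against the manifest, so that a truncated or missing file is reported rather than discovered during a real recovery. The directory layout, file names and contents are constructed for the example.

```python
"""Routine restore test for a file-level backup.

Added example, not DMIRS code. The source tree, archive name and manifest
format are constructed; a database backup would add a restore into a
scratch instance and a row-count or consistency check on top of this.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, dest_dir: Path):
    """Archive src and record a checksum manifest taken at backup time."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / "tbms-backup.tar.gz"
    names = sorted(p.relative_to(src).as_posix() for p in src.rglob("*") if p.is_file())
    manifest = {n: sha256_file(src / n) for n in names}
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    (dest_dir / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return archive, manifest


def restore_and_verify(archive: Path, manifest: dict) -> list:
    """Restore into an isolated scratch directory and compare every file
    against the manifest. An empty list means the backup is usable."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            if hasattr(tarfile, "data_filter"):      # safe extraction on newer Pythons
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        for name, digest in manifest.items():
            p = Path(scratch) / name
            if not p.is_file():
                problems.append(f"missing: {name}")
            elif sha256_file(p) != digest:
                problems.append(f"checksum mismatch: {name}")
    return problems


def run_demo():
    """Constructed data: one sound backup and one simulated damaged backup."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        src = root / "src"
        (src / "db").mkdir(parents=True)
        (src / "db" / "bonds.dat").write_bytes(b"constructed bond ledger rows\n")
        (src / "config.ini").write_text("[tbms]\nmode=prod\n")
        archive, manifest = create_backup(src, root / "backup-good")
        good = restore_and_verify(archive, manifest)
        # Simulate a damaged or incomplete backup job: the manifest still
        # describes the intended backup, but the archive holds a truncated
        # file and lacks another.
        (src / "db" / "bonds.dat").write_bytes(b"truncated")
        (src / "config.ini").unlink()
        damaged, _ = create_backup(src, root / "backup-damaged")
        bad = restore_and_verify(damaged, manifest)
    return good, bad


if __name__ == "__main__":
    ok, broken = run_demo()
    print("good backup problems:", ok)
    print("damaged backup problems:", broken)
```

The result of each scheduled run (date, archive tested, problems found) is what the procedure should record, so that the evidence of a working restore exists before it is needed.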

We also found that while DMIRS has good procedures in place to manage continual enhancements to the TBMS, it does not have updated system support documentation. The documentation contained references to functions that were no longer in use and needs to be updated to reflect changes since the original release of the application.

Up to date documentation is required to effectively support the application and ensure that key application knowledge is not lost. This is particularly important to DMIRS as fixes and enhancements to the application are made by a contractor.

Recommendations

DMIRS should:

  1. review and improve user access controls:
     a. so that application passwords comply with relevant better practice
     b. to periodically review external user accounts and determine if they are still required
     c. to secure access to the application
     • DMIRS response: Agreed
     • Implementation timeframe: a. resolved; b. by September 2018; c. resolved
  2. review and enhance the process for managing security vulnerabilities and software updates
     • DMIRS response: Agreed
     • Implementation timeframe: by March 2019
  3. implement appropriate controls to protect sensitive information, which may include encryption
     • DMIRS response: Agreed
     • Implementation timeframe: by December 2018
  4. develop and implement logging and monitoring policies and procedures
     • DMIRS response: Agreed
     • Implementation timeframe: by December 2019
  5. conduct an ICT risk assessment for the TBMS application and update the information services risk register
     • DMIRS response: Agreed
     • Implementation timeframe: by November 2018
  6. establish and implement a procedure to routinely test restoration of backups
     • DMIRS response: Agreed
     • Implementation timeframe: by December 2018
  7. review and update application support documentation
     • DMIRS response: Agreed
     • Implementation timeframe: by November 2018.


Response from the Department of Mines, Industry Regulation and Safety

Thank you for the opportunity to respond to the Tenancy Bonds Management System audit findings.

The Department of Mines, Industry Regulation and Safety accepts the findings and agrees with all recommendations. DMIRS has reviewed its Cyber and Information Management Framework (CISM) and is implementing it across all of DMIRS’s systems, including the Tenancy Bonds Management System. The CISM covers all aspects of security including password complexity standards and routine audits of business system accounts.
