9% of ACT Govt servers running outdated OS

Around 9% of ACT Government servers are still running outdated, unsupported operating systems and major departments still lack a unified patch management strategy.

These are among the findings of the latest financial audit into ACT computer information systems completed by the ACT Audit Office.

The report found that while the percentage of servers using unsupported operating systems fell from 32% in 2015–16 to 9% in 2016–17, “the continued use of unsupported operating systems on servers is a risk to the security and performance of the ACT Government network including the applications on the network”.

Compounding the territory’s security risks, the audit found that of the 24,000 active user accounts on the ACT Government network, 23% had not been used for at least three months.

The Audit Office report [PDF] notes that a review of inactive accounts is underway, but had not been completed at the time of the audit.

Around 5.2% of active accounts are generic, shared accounts, a number of which had not changed their passwords for a number of years, despite the ACT Government password standard requiring a new password every 90 days.

In addition, the audit found that while the Chief Minister, Treasury and Economic Development Directorate maintains a sound approach to patching operating systems for the shared ICT services platform, there is no defined patch management strategy that sets out a planned approach for patching applications.

In addition, there are no routine scans for critical applications to identify security vulnerabilities. The agencies also do not have an application whitelisting strategy for servers or desktops operating on the network.

The audit also found that 10 systems identified by ACT Government agencies have not been duplicated off-site, leading to a higher risk that these systems will not be available following a major incident or outage. But this was down from 23 systems during last year’s audit.

The report also makes 10 recommendations, ranging from obtaining vendor support for outdated operating systems and performing penetration testing of externally hosted websites to automatically disabling accounts that have not logged on in 90 days and removing all shared user accounts when possible.

Follow us and share on Twitter and Facebook