Australia's local governments face more detailed scrutiny of access controls
The local government sector in Australia has long been susceptible to attacks. It is a holder of valuable information on citizens in its various municipalities. The sector also has a broad attack surface, reflecting the wide variety of services it offers and operational sites and assets it oversees, along with the variety of users — both employees and contractors. The attack surface continues to grow as service delivery is increasingly digitised.
The sector’s susceptibility to attack is often linked to the status and effectiveness of security controls that are applied within its technology environment. Each year, state audit offices review councils and their controls, with IT controls increasingly recognised as playing an important part in determining the risk profile of organisations.
This past year, however, these audits took on a different complexion.
The sector was hit with a much more detailed assessment of local government IT controls across the board, courtesy of the modernisation of the ASA 315 Identifying and Assessing the Risks of Material Misstatement auditing standard.
The standard, among other requirements, specifically directs auditors to examine issues of unauthorised access — particularly as it relates to “authenticating users’ access to systems that impact financial reporting” and to the ability of privileged users to make unauthorised system or data changes.
The intent is to better understand controls that are in place to “reduce the risk of users causing intentional or unintentional errors with their privileged access”.
The influence of the modernised standard on this year’s results is flagged by several auditors, including Western Australia and Victoria.
Western Australia, in particular, uncovered concerning levels of administrative privilege in its enhanced IT control checks in that state’s councils. Its detailed findings warrant closer inspection, as it is likely that councils in other states and territories may be similarly impacted by weaknesses not picked up by previous, less-detailed audits.
Western Australia
In 2022, one out of 12 councils met the state’s access management benchmark; a year later, none of the 11 councils assessed were judged to have hit the mark. “Inappropriate or excessive administrative privileges within the finance systems” was a key concern across the board. One entity was found to have granted superuser access to 24 out of 25 finance system users; another “granted domain administrator rights to 45 accounts, 40 of which also had database administrator rights to the finance and payroll system”. The state’s auditors found access wasn’t routinely logged, monitored or reviewed, and MFA wasn’t in place across all accounts.
Victoria
Coming into 2022–23, Victoria had seen the number of user access management-related control deficiencies in local councils increase every year for four years. That trend continued, impacting what appears to be 34 councils, up from 30 the year prior. “User access management and authentication controls reduce the likelihood of unauthorised access to an entity’s systems and underlying data,” the audit noted.
Queensland
The number of Queensland councils with identified weaknesses in information system controls rose year-on-year. This is partly attributable to the change in auditing standards: the harder they looked, the more problems auditors found. The most commonly found issues are with access controls, specifically “inappropriate access levels being assigned to council staff. This means staff can process transactions when they are not authorised to do so,” the auditor found. “This may expose councils to financial loss, unauthorised access to their data and the risk of loss of data.”
New South Wales
The most recent NSW audit shows a concerted effort in the area of privileged access, with a 17% reduction in the number of councils with insufficient controls over privileged accounts. Still, that means 34 councils have gaps to address. Problematically, while the focus was on privileged users, the sector took its eye off periodic access reviews that are designed to “ensure users’ access to key IT systems was appropriate and commensurate with their roles and responsibilities”. In 2022–23, 55 councils did not perform a periodic user access review, compared to 42 in the prior year.
Key takeaways
It’s important to note that not all Australian councils have concerning access management practices. We see this firsthand in our ongoing work with proactive local governments that have shown themselves to be ‘ahead of the game’ in addressing cybersecurity risks and embracing industry best-practice frameworks — such as the Essential Eight maturity model — to uplift their controls.
However, councils that are struggling with access control challenges have been put on notice that they face a much more detailed analysis and stringent checks when the next round of audits is performed. Where it is not already happening, this should prompt a heightened internal focus on mapping out financial system access controls, the level of administrative access being granted and the authentication protection applied to those accounts.
While a review of access control and privileged user account management at least once a year is advisable, councils should prioritise this activity as soon as practicable, given the current audit landscape. Automating these reviews can allow them to be run more frequently and at a lower cost.
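As an added illustration of what an automated periodic access review can check (example code written for this article, not a tool from any audit office or council), the script below runs over a constructed finance-system account export and flags the conditions the audits above called out: a high share of superusers among finance users, accounts holding both domain and database administrator rights, privileged accounts without MFA, and accounts whose last review is older than a year. The column names, the 20% superuser threshold and the sample rows are assumptions for the example.

```python
"""Periodic access review over a constructed finance-system account export."""
import csv
import io
from datetime import date

# Constructed sample export (hypothetical columns, hypothetical users).
SAMPLE_EXPORT = """\
user,roles,mfa,last_review
alice,finance_user;superuser,yes,2024-03-01
bob,finance_user;superuser;domain_admin;db_admin,no,2023-01-15
carol,finance_user,yes,2024-05-20
dave,domain_admin;db_admin,no,2022-11-02
erin,finance_user;superuser,yes,2023-12-10
"""

SUPERUSER_RATIO_LIMIT = 0.2   # assumed threshold for "excessive" superuser share
REVIEW_PERIOD_DAYS = 365      # annual review cadence, as recommended above
PRIVILEGED_ROLES = {"superuser", "domain_admin", "db_admin"}


def load_accounts(text):
    """Parse the CSV export into dicts with a role set, MFA flag and review date."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["roles"] = set(filter(None, r["roles"].split(";")))
        r["mfa"] = r["mfa"].strip().lower() == "yes"
        r["last_review"] = date.fromisoformat(r["last_review"])
    return rows


def review_access(text, today_iso):
    """Return {finding_kind: [subjects]} for the export, as of today_iso."""
    accounts = load_accounts(text)
    today = date.fromisoformat(today_iso)
    findings = {"excessive_superuser": [], "stacked_admin": [],
                "privileged_no_mfa": [], "review_overdue": []}
    finance = [a for a in accounts if "finance_user" in a["roles"]]
    supers = [a for a in finance if "superuser" in a["roles"]]
    if finance and len(supers) / len(finance) > SUPERUSER_RATIO_LIMIT:
        findings["excessive_superuser"].append(
            f"{len(supers)} of {len(finance)} finance users hold superuser")
    for a in accounts:
        if {"domain_admin", "db_admin"} <= a["roles"]:
            findings["stacked_admin"].append(a["user"])
        if not a["mfa"] and a["roles"] & PRIVILEGED_ROLES:
            findings["privileged_no_mfa"].append(a["user"])
        if (today - a["last_review"]).days > REVIEW_PERIOD_DAYS:
            findings["review_overdue"].append(a["user"])
    return findings


if __name__ == "__main__":
    for kind, subjects in review_access(SAMPLE_EXPORT, "2024-06-30").items():
        print(f"{kind}: {subjects}")
```

On the sample export the review reports three of four finance users as superusers, two accounts with stacked domain and database administrator rights, the same two without MFA, and the same two overdue for review.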
Councils should also work to adopt privileged access management (PAM) technology that can secure privileges at multiple levels, such as privileged users and assets, and perform session management. Importantly, it should include automation to discover and onboard all privileged accounts, secure access to privileged credentials and secrets, and audit all privileged activities. It is also important to take a holistic view and fold controls such as the restriction of admin rights and application control into the same projects, further enhancing the security of environments while minimising the resources required to manage them.
Through the adoption of these kinds of capabilities, councils can get ahead of the curve on access control, shrinking their threat landscape and better preparing themselves to face more stringent audits.