State government agencies still struggling with securing user access

The criticality of financial systems used by government agencies has long necessitated their fortification against insider threats and external threat actors.

Most state and territory governments have a version of a Protective Security Policy Framework (PSPF) that sets information security expectations for all entities. These often lean heavily on the Australian Cyber Security Centre’s (ACSC) Essential Eight controls, defining a minimum set of standards for governance of user and privileged access management and related security protections.

At least four Australian states also publish audits on how financial systems — and sometimes other information systems — match up to expectations and benchmarks.

Year-on-year, the findings of these audits can be repetitively consistent. Agencies often find themselves in rolling, complex uplift programs to improve the application of user access controls to their financial systems, or to other high-risk environments, yet still find it hard to improve the metrics that measure success.

But this year’s reports also uncover some particularly problematic case studies of privilege access management behaviours: from documenting credentials in plaintext, to not reviewing or acting on privileged access logs and repeated failed login attempts, and being unable to contain a proliferation of privileged accounts being set up every time a new system is generally available.

The collective experience across state and territory borders should, at the very least, give agencies and their security teams pause to review identity practices, particularly in relation to privileged access management.

New South Wales

In 2024, nine out of 26 agencies audited “did not effectively restrict privileged user accounts, or did not effectively monitor those accounts,” while eight “failed to effectively review and revalidate user access.” The audit made four high-risk findings, three related to privileged access management. It found one agency kept revoking and reinstating high-level privileged access to a user that didn’t need it, and without getting the necessary approvals. In another incident, undocumented privileged accounts were repeatedly set up during IT projects and then left dormant. One of these accounts allowed unfettered access to a finance system used by multiple agencies. Finally, privileged accounts at one agency were locked following repeated unsuccessful login attempts, but the behaviour was never investigated.

Queensland

The state’s auditor “continues to identify new control weaknesses with the security of information systems” despite prior recommendations on where to improve. It has previously reminded all agencies to “regularly review user access to ensure it remains appropriate” and to “monitor activities performed by employees with privileged access … to ensure they are appropriately approved.” For 2023, the state “frequently [found] that some users are provided with full access to information systems when their job responsibilities do not require it.” Overly-permissive systems administration access provisioned to third-party service providers was also a key concern.

Western Australia

Capability and control assessments of agencies found only 21% of entities met benchmarks in 2022–23, compared to 24% the prior year. Ten “significant” user access issues were identified, along with 108 “moderate” issues that need to be addressed. The WA auditor found that access privileges “were not regularly reviewed”, increasing the risk of both “unintentional or intentional misuse of access”; accounts of former staff were also not disabled “in a timely fashion”; and MFA was either “not used or not adequate.” Several case studies underlined hygiene issues. These include a vendor being given unmonitored “highly privileged access” to a government environment via a generic account; and an agency that stored “the credentials of a highly privileged generic account in clear text in a user manual” with a password that “was short, simple and easy to guess.”

South Australia

The latest audit of eight agencies and 15 key agency financial systems uncovered 49 user access management issues, 11 of them rated “high risk.” User access controls dominated as the type of control with the largest number of issues, and it was second behind patch management in “high risk” findings. One case study identified an authority that “had not reviewed the privileged user access audit logs of its customer relationship management system since it was implemented,” raising the prospect that unauthorised changes to financial data could go undetected. In response, it was recommended that agencies “promptly remove inappropriate user access, perform regular user access reviews and maintain evidence of user access changes” to improve overall posture and reduce the incidence of control deficiencies.

Key takeaways

There’s strong recognition in the government sector of the need to improve privileged account management. This year’s Western Australia Cyber Security Policy, for example, leverages the Essential Eight to require agencies to implement an identity lifecycle management process, follow least privilege principles when granting access to system resources and data, and implement password filtering on all user accounts. Similar requirements also exist in other states and territories.

The challenge is not just having the policies in the first place, but also being able to enforce them, particularly on the agency side. The consistency with which agencies experience user access management issues shows that, without the support of specific tooling, challenges can be obstinately persistent in environments.

Audited agencies are likely to benefit from a heightened internal focus around mapping out financial system access controls, the level of administrative access being granted, and the authentication protection applied to these accounts. Meanwhile, those not subjected to an audit this year are on notice that they may face more stringent checks next year, and should learn lessons from these findings.

While a review of access control and privileged user account management at least once a year is advisable, agencies should prioritise this activity for continuous monitoring, given the current audit landscape. Automating these reviews can allow them to be run more frequently, at a lower cost, and ultimately have less surprises.

Agencies should also work to adopt privilege access management (PAM) technology that is capable of securing every privileged user, asset, and session, that can automatically discover and onboard all privileged accounts, secure access to privileged credentials and secrets, and audit all privileged activities, regardless of whether they are by employees or third-party contractors, especially those with remote access.

*Morey Haber is the Chief Security Advisor at BeyondTrust and has more than 25 years’ IT industry experience. During this time, he has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. He currently oversees BeyondTrust security and governance for corporate and cloud-based solutions.

Top image credit: iStock.com/phakphum patjangkata