A single NSW government agency created three undocumented privileged accounts for two IT projects it ran, one of several dubious practices uncovered in a yearly cross-agency examination.
The analysis also found privileged accounts at a second agency were peppered with login attempts until they locked, but that no internal investigation took place.
The two case studies come from an annual audit [pdf] of IT and other controls in place at dozens of NSW government agencies, which regularly picks up control deficiencies.
In the first instance, a staff member working on a system upgrade created an unsanctioned account giving them full access to the agency’s main finance system.
It was only disabled several months later after being flagged by management.
Within another business unit in the same agency, a further two privileged accounts were created - but also not documented - during an IT system change.
“We recommend the agency promptly remove the privileged access for former project staff and vendor staff who no longer require it,” the NSW auditor said.
In the second case study, an unknown party or bot tried repeatedly to access privileged accounts, only for the accounts to be locked due to repeated unsuccessful attempts.
While that stopped the unknown party, the agency was found not to have further investigated the incident.
However, the auditor did note that its own investigation found "the attack was not sophisticated, and did not appear to use any information specific to the agency."
Out of 26 agencies investigated, nine were found to be neither restricting privileged user accounts nor monitoring the accounts.
One of these agencies failed to remove a former user’s access after two years despite repeated requests.
Two other agencies also failed to disable all access once users had left the organisation.
In the auditor's words, the gaps risk “inappropriate and unauthorised access to business systems” and could expose “agencies to the risk of fraud or cyber attacks”.
