An audit conducted by the Australian National Audit Office (ANAO) has concluded that brute force attacks could compromise about 20 per cent of the passwords in use at Australian government agencies.
The ANAO conducted the audit “The Protection and Security of Electronic Information Held by Australian Government Agencies” to assess the effectiveness of Australian Government agencies’ management and implementation of measures to protect and secure their electronic information, in accordance with Australian Government protective security requirements.
ANAO selected four agencies – the Australian Office of Financial Management (AOFM); ComSuper; Medicare Australia; and the Department of the Prime Minister and Cabinet (PM&C) – for the audit.
Overall, the audit concluded that the measures examined in the audited agencies to protect and secure electronic information were generally operating in accordance with Government protective security requirements.
However, the ‘brute force’ test resulted in about 20 per cent of passwords being compromised in each agency. The audit report states:
“Of more concern was that in three of the four agencies audited, the test compromised some administrator and/or service account passwords. As outlined above, these types of accounts have a high level of access to agencies’ ICT systems. If an attacker managed to gain access to an agency ICT system by cracking an administrator or service account password, there could be serious consequences for that agency’s security.”
“Software designed to ‘crack’ passwords is freely available on the Internet, and attackers may use this software in an attempt to gain access to an agency ICT system. The Information Security Manual states that a simple six-letter password can be cracked in minutes. Passwords with at least seven characters, with a combination of upper and lower case letters, numbers and special characters, have a much greater resistance to such attacks. Therefore it is critical that agencies have an appropriate password policy that is consistently implemented, in order to manage the risk of attack from an external source.”
ANAO has made the following recommendation:
“To reduce the risk of attackers gaining access to privileged access accounts, the ANAO recommends that agencies review the passwords and associated policies that have been set for administrator and service accounts, and where required, set password complexity requirements that are commensurate to the level of risk associated with the level of system privilege.”
It is clear that the audit report has underscored the importance of two things:
- Creating an appropriate password policy and consistently enforcing it across the organisation
- Proper user access management – enforcing effective access controls to systems, granting and removing access to system administrator privileges
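The two points above, and the audit's own observation that a six-letter password falls in minutes while seven-plus mixed-class characters resist much longer, can be made concrete with a small policy checker. The following is an added example written for this column, not code from the ANAO report or from Password Manager Pro; the guess rate of one million guesses per second and the sample account list are constructed assumptions, and the time estimate is the naive worst case of exhausting the full character-class keyspace, not a prediction for any particular cracking tool.

```python
import string

# Character classes the audit text refers to: upper, lower, numbers, specials.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def classes_used(password):
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def check_policy(password, min_length=7,
                 required_classes=("lower", "upper", "digit", "special")):
    """Check a password against a complexity policy.

    Returns (compliant, reasons); reasons lists each rule that failed.
    Defaults follow the policy the audit describes: at least seven characters
    drawn from upper, lower, digits and special characters.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    for name in sorted(set(required_classes) - classes_used(password)):
        reasons.append(f"missing {name} character")
    return (not reasons, reasons)


def keyspace(password):
    """Size of the naive search space for a password of this length built only
    from the character classes it actually uses (lower-only is 26**len)."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def brute_force_seconds(password, guesses_per_second):
    """Worst-case seconds to exhaust the keyspace at an assumed guess rate."""
    return keyspace(password) / guesses_per_second


def audit_accounts(accounts, min_length=7):
    """Flag accounts whose password fails policy. Administrator and service
    accounts are reported at higher severity, matching the audit's emphasis
    on privileged accounts being the ones that matter most."""
    findings = []
    for acct in accounts:
        ok, reasons = check_policy(acct["password"], min_length)
        if not ok:
            severity = "HIGH" if acct["privileged"] else "MEDIUM"
            findings.append((acct["name"], severity, reasons))
    return findings


# Constructed sample data for illustration only; not from the audit.
SAMPLE_ACCOUNTS = [
    {"name": "svc_backup", "privileged": True, "password": "backup"},
    {"name": "admin01", "privileged": True, "password": "Tr0ub4dor&3"},
    {"name": "jsmith", "privileged": False, "password": "Summer2012"},
]

ASSUMED_GUESS_RATE = 1_000_000  # guesses per second; an assumption, not an ISM figure

if __name__ == "__main__":
    for pw in ("abcdef", "A1b2c3!"):
        secs = brute_force_seconds(pw, ASSUMED_GUESS_RATE)
        print(f"{pw!r}: keyspace {keyspace(pw):,} -> ~{secs / 60:,.1f} minutes")
    for name, severity, reasons in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{severity} {name}: {'; '.join(reasons)}")
```

At the assumed rate a six-letter lowercase password has a keyspace of 26^6, exhausted in about five minutes, while a seven-character password using all four classes has a keyspace of 94^7 and takes on the order of two years, which is the gap the audit is pointing at. In practice the check_policy rules would be enforced at password-set time and audit_accounts run against a privileged-account inventory, with HIGH findings on administrator and service accounts remediated first.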
Time and again, we have also been highlighting the significance of the above aspects in this column. Creating and enforcing a password policy is cumbersome when done manually. Automating the entire life-cycle of privileged password management is the need of the hour.
One effective way to achieve this is to deploy an enterprise password manager such as ManageEngine Password Manager Pro.
A secure vault for storing and managing shared administrative passwords and digital identities, Password Manager Pro helps control access to privileged passwords, eliminate password fatigue and security lapses, achieve preventive and detective security controls, meet security audits and improve IT productivity.
White Paper
Also, check out the white paper “Controlling Privileged Access”, which discusses the issues related to uncontrolled privileged access and ways to tackle those challenges.
Bala