The Western Australian auditor-general’s team recently found 115 separate information security failures across 13 databases owned by publicly funded bodies.
The auditors broke their work down into seven different ways of putting sensitive data at risk. The seven organisations they looked at, including departments, statutory bodies and universities, demonstrated all seven between them.
1. Use really, really stupid passwords
The simplest and easiest way to fail at security is to leave the passwords for highly privileged accounts as the default, or use something easy to guess.
In one case the auditors guessed two passwords on the first attempt. Both were “password”, and the auditors used them to reach “thousands of highly confidential and sensitive records about individuals including minors which should only be accessible to a small number of authorised staff” as well as “database scripts and system configuration files” that would have allowed further hacking. They copied the files to a USB stick and did it again a week later, confirming nobody had noticed.
Other passwords included “test”, “password1” and “sqladmin” for a Microsoft SQL database administrator. Three-letter passwords like DBA for the “database administrator account” were also found. Some of these powerful accounts were never locked out after failed attempts, so attackers could simply keep guessing, the report notes. Many of the systems did not force administrators to change passwords periodically, and some passwords had stayed the same for 12 years.
2. Widen your attack surface
Another way to help the hackers is to give them plenty of different ways to get in by linking things together unnecessarily and giving users access they don’t need.
Test and development databases duplicated data from the live versions in several cases in WA. The auditors found settings “enabled without reason” allowing attackers to extract information from the database, run programs and stage wider attacks on the organisation’s entire network. “Unused schemas and automatic procedures” were also found and can lead to a full breach. The report explains: “Schemas are the ‘blue print’ for how information is structured in a database, thereby increasing the exposure of information to attackers.”
Using the same server for multiple unrelated databases, a reasonably common practice in the WA public sector, also makes snooping easier. On the other hand, “firewalls segregating databases and servers from the rest of the network or other agency networks” reduce the attack surface. None of the audited organisations had those in place.
3. Keep default security settings and excessive privileges
One sure-fire way to fail at cyber security is to shirk “system hardening” activities. The audit found the PUBLIC privileges that extend to all users were excessive in “many” of the databases. In “a small number” this let anyone access other linked databases, which also demonstrates the danger of an unduly wide attack surface.
Alarmingly, the audit team felt the need to point out: “Databases generally come with pre-configured administrator accounts and passwords that are listed in product documentation and widely available on the Internet [so] it is important to change these on installation.”
Another way to defeat your own security is to share admin accounts for day-to-day work, which “means that agencies cannot attribute actions to specific individuals or hold them accountable”.
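As an added illustration (not from the audit report or any of the audited organisations), the checks below show how a database administrator would look for the first and third failure modes on Microsoft SQL Server, the product named in the “sqladmin” finding: logins whose password is one of a short list of guessable values, logins exempt from password policy and expiry, the shipped administrator account, permissions granted to everyone through PUBLIC, and linked servers that widen the attack surface. The candidate password list, the login name “sqladmin”, the replacement name for “sa” and the table “dbo.Patients” are illustrative assumptions.

```sql
-- Added hardening checks for one SQL Server instance (T-SQL). Illustrative, not audit material.
-- Run as a member of sysadmin: reading password_hash requires CONTROL SERVER.

-- 1. Guessable passwords: compare each SQL login's stored hash against a short candidate
--    list of the kind the auditors guessed, plus the login's own name and the empty string.
WITH candidates(candidate) AS (
    SELECT v.candidate
    FROM (VALUES ('password'), ('password1'), ('test'), ('sqladmin'), ('dba'), ('')) AS v(candidate)
)
SELECT l.name AS login_name, c.candidate AS matched_password
FROM sys.sql_logins AS l
CROSS JOIN candidates AS c
WHERE PWDCOMPARE(c.candidate, l.password_hash) = 1
UNION
SELECT l.name, '<same as login name>'
FROM sys.sql_logins AS l
WHERE PWDCOMPARE(l.name, l.password_hash) = 1;

-- 2. Logins exempt from the host's password policy: no complexity check, no expiry and,
--    because lockout is part of that policy, no lockout after repeated failures.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- Fix for one login (hypothetical name): set a fresh password that must be changed at
-- next use, then enforce policy and expiry. MUST_CHANGE requires CHECK_EXPIRATION = ON.
ALTER LOGIN [sqladmin]
    WITH PASSWORD = '<new strong password>' MUST_CHANGE,
         CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- 3. The administrator account shipped with the product and documented on the internet:
--    rename it and disable it, using named individual logins for administration instead.
ALTER LOGIN sa WITH NAME = [retired_sa];   -- replacement name is hypothetical
ALTER LOGIN [retired_sa] DISABLE;

-- 4. Permissions every login inherits through the PUBLIC server role (compare against the
--    defaults, which are limited to VIEW ANY DATABASE and CONNECT on endpoints) ...
SELECT pm.class_desc, pm.permission_name, pm.state_desc
FROM sys.server_permissions AS pm
JOIN sys.server_principals AS pr ON pr.principal_id = pm.grantee_principal_id
WHERE pr.name = 'public';

-- ... and object-level grants to the 'public' database role in the current database,
--    ignoring objects Microsoft ships with the engine.
SELECT pm.permission_name, pm.state_desc,
       OBJECT_SCHEMA_NAME(pm.major_id) AS schema_name,
       OBJECT_NAME(pm.major_id)        AS object_name
FROM sys.database_permissions AS pm
JOIN sys.database_principals AS pr ON pr.principal_id = pm.grantee_principal_id
WHERE pr.name = 'public'
  AND pm.class_desc = 'OBJECT_OR_COLUMN'
  AND OBJECTPROPERTY(pm.major_id, 'IsMSShipped') = 0;

-- Remove a grant that should never have reached everyone (table name is hypothetical):
REVOKE SELECT ON OBJECT::dbo.Patients FROM public;

-- 5. Linked servers: each one is a path from this instance into another database, and a
--    weak login here becomes a foothold there.
SELECT name, product, provider, data_source
FROM sys.servers
WHERE is_linked = 1;
```

The password comparison is deliberately tiny; the point is that PWDCOMPARE lets an administrator test the stored hashes against a real wordlist offline, which is exactly what an attacker with a copy of the hashes would do. Enforcing CHECK_POLICY also subjects SQL logins to the Windows account-lockout threshold on the host, which closes the unlimited-guessing gap the report describes.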
4. Ignore patches and updates
When security flaws are found, patches quickly follow. To fail in this area, just ignore them. The report found: “Only four of the 13 systems reviewed were completely patched. The other nine were missing vendor patches, some dating back to 2010.”
One was never patched and “a low access user” could gain full control of it. Several systems used versions of software so old the makers stopped supporting them several years ago.
5. Treat sensitive, confidential and secret data like any other
Information that is especially important to keep safe should be kept on a secure server and can be protected further with basic methods like encryption. Unfortunately, in the WA public sector: “None of the 13 systems were encrypting sensitive data stored within their databases or on backups stored on tapes and off site. [The audit team] also found inadequate protection of production data found in development and test environments.”
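As an added example (not the audit's, and not taken from any of the audited organisations), this is the minimum needed on Microsoft SQL Server to stop the two findings quoted above: encrypting the database files at rest with Transparent Data Encryption, which also covers every backup taken from that database, and additionally encrypting the backup file itself so a tape is useless without the certificate. The database name “HealthRecords”, the certificate name and the file paths are hypothetical.

```sql
-- Added example: encrypt a sensitive database and its backups at rest. Names and paths
-- are illustrative. Run as a member of sysadmin.
USE master;
GO
-- The service master key protects this database master key, which protects the certificate.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
GO
CREATE CERTIFICATE TDECert WITH SUBJECT = 'HealthRecords TDE certificate';
GO
-- Export the certificate and private key to an offline, access-controlled location now.
-- Without them an encrypted backup cannot be restored on any other server; with them on
-- the same tape as the backup, encryption protects nothing.
BACKUP CERTIFICATE TDECert
    TO FILE = 'D:\keys\TDECert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\TDECert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong private key password>');
GO
USE HealthRecords;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO
ALTER DATABASE HealthRecords SET ENCRYPTION ON;
GO
-- Verify: encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
GO
-- Backups of a TDE database are already encrypted. Backup encryption (SQL Server 2014+)
-- additionally binds the backup file to the certificate, so a copy lifted from the tape
-- library or the off-site store cannot be restored elsewhere.
BACKUP DATABASE HealthRecords
    TO DISK = 'E:\backup\HealthRecords.bak'
    WITH COMPRESSION,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = TDECert);
GO
```

One caveat a practitioner would add: TDE protects files, tapes and off-site copies, not queries. An account that holds excessive PUBLIC privileges still reads the data in clear, so encryption at rest complements, rather than replaces, the privilege clean-up above; protecting individual columns from the database's own users needs column-level encryption or Always Encrypted, which is a separate exercise.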
6. Just assume everything is fine
Database administrators who do not monitor for suspicious activity, or keep the records needed to identify it after the fact, are not doing their jobs properly.
Even with very good security, one should assume a breach is still possible, because it very often is: it comes down to who finds the next vulnerability first. But in WA: “Database object auditing was not active on any of the 13 databases… While some actions such as failed logins were recorded in some cases, auditing was not active on sensitive data stored within the databases.”
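As an added example (not from the report), this is what “database object auditing” looks like on Microsoft SQL Server: a server audit that writes to file, a server-level specification recording every login attempt and every change to logins and roles, and a database-level specification recording who read or changed rows in a sensitive table regardless of which role they used. The audit, database and table names and the file path are hypothetical.

```sql
-- Added example: object-level and login auditing with SQL Server Audit. Names and the
-- path are illustrative. Run as a member of sysadmin.
USE master;
GO
CREATE SERVER AUDIT SensitiveDataAudit
    TO FILE (FILEPATH = 'D:\audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 50)
    -- FAIL_OPERATION (SQL Server 2012+): if the audit cannot write, the audited action
    -- fails rather than running unrecorded.
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = FAIL_OPERATION);
GO
ALTER SERVER AUDIT SensitiveDataAudit WITH (STATE = ON);
GO
-- Server level: every login attempt (not only failures) and any change to who can log in
-- or which server roles they hold, which is where a planted "backdoor" account would show.
CREATE SERVER AUDIT SPECIFICATION LoginAndPrincipalAudit
    FOR SERVER AUDIT SensitiveDataAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO
USE HealthRecords;
GO
-- Database level: every read and write of the sensitive table by anyone (everyone is a
-- member of public), plus any change to object permissions in this database.
CREATE DATABASE AUDIT SPECIFICATION PatientTableAudit
    FOR SERVER AUDIT SensitiveDataAudit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Patients BY public),
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- Reading the trail afterwards: who touched the table, when, and with which statement.
SELECT event_time, server_principal_name, database_name, object_name, action_id, succeeded, statement
FROM sys.fn_get_audit_file('D:\audit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE database_name = 'HealthRecords' AND object_name = 'Patients'
ORDER BY event_time DESC;
GO
```

An audit trail only helps if somebody reads it, so the query at the end belongs in a scheduled job or a log-forwarding pipeline, and the audit files themselves should be copied off the database host: an attacker with sysadmin rights can disable the audit, but cannot un-send records already shipped elsewhere.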
7. Ignore suspicious configurations that resemble backdoors for hackers
The WA audit found two strange configurations in state-owned databases that looked just like “backdoors” hackers might have set up. Leaving such things in place is another way to fail at cyber security.
The auditors didn’t conclude these setups definitely were backdoors, just that they could be. Otherwise they’re probably mistakes that were never fixed but nonetheless: “The reasons and real impact of these misconfigurations are not known so are considered to be high risk.”
The seven organisations covered by the audit were Murdoch University, Legal Aid, the Department of Health, Curtin University, the Department of Local Government and Communities, the Drug and Alcohol Office and the Department of the Attorney-General.