Report 7 of 2022

Review of system authentication

ICT reviews
Published

Our review did not highlight any systemic or fundamental system authentication control issues for the seven agencies we tested. We did note that the strength of authentication controls applied, including governance and password configuration settings, varied across these agencies and there were recommended areas of improvement. All agencies needed to better define and document the password settings they apply to their Active Directory environments and other business applications. In doing so, they should more fully adopt the guidance available to meet the requirements of the South Australian Cyber Security Framework.

To varying degrees, the Active Directory and application password settings we tested did not align with our recommended baseline settings. We identified weaknesses in user password behaviours, with several commonalities and trends occurring.

Although some agencies have implemented mitigating controls, they will need to consider their ongoing approach to ensure user passwords are strong and more difficult for an attacker to crack. This will help to maintain the security of agency systems and data.
