WA Govt departments weak to social engineering: Auditor


Payment compliance also lacking.

Five Western Australian Government departments have failed to detect or stop social engineering attacks used in a test of cybersecurity systems by the state's Auditor-General.

The fourth such audit of departmental cybersecurity, each targeting a different set of agencies, also found that the departments directly handling online payments had yet to achieve industry compliance for credit card processing.

Social engineering and basic security checks on systems allowed the auditor's office to exploit vulnerabilities it discovered in systems at the state's Department of Child Protection, Department of Finance, Department of the Premier and Cabinet, WA Police and the training college Polytechnic West.

In one experiment first run in its 2011 audit, auditors left unmarked USB devices loaded with "non-malicious code" at the agencies; when an unsuspecting staffer plugged one into a computer, the code would 'phone home' to the Auditor-General.

"USBs were activated by several agencies," the report stated, noting employees were "still unaware of social engineering techniques which are designed to undermine agency security controls".

In a separate spear phishing attack, targeted at one unnamed agency, the auditor's office found the malicious email had been forwarded to several departments within a day of being sent.

"Once again, this demonstrated that employees were not familiar with the dangers of clicking on links and in this test we were able to escalate access to those agencies without their knowledge," the audit noted.

The biggest block to the Auditor-General's break-in attempts appeared to be the whole-of-government internet service provider ServiceNet, which provided an effective first layer of defence against most of the attacks attempted.

However, once ServiceNet lifted these protections for the test, "we were able to easily run scans and quickly obtain information regarding agency networks in order to escalate our attacks".

"None of the agencies we tested had appropriate systems or processes in place to detect or respond to a cyber attack," the audit stated.
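The USB "phone home" drop described above, together with the finding that no agency could detect or respond to an attack, invites a concrete detection check. The following is an added example, not code from the audit report or from any WA agency: it correlates removable-media attach events with outbound connections in a constructed key=value host log, ignoring devices in an assumed inventory of issued serials and traffic that goes through an assumed agency web proxy. The log lines, hosts, users, serials and addresses are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log (not from the audit report). A flat key=value format
# of the kind a host agent or SIEM might emit for removable-media and network
# events. ws17 plugs in an unknown device and then connects directly to an
# outside address; ws22 uses an issued device; ws31 plugs in an unknown device
# but its next direct connection is long after the attach.
SAMPLE_LOG = """\
2013-06-20T09:12:03 host=ws17 user=jsmith event=usb_storage_attached serial=AB12CD34
2013-06-20T09:12:20 host=ws17 user=jsmith event=outbound_connection dst=10.0.0.5:8080 proc=iexplore.exe
2013-06-20T09:12:41 host=ws17 user=jsmith event=outbound_connection dst=203.0.113.7:443 proc=setup.exe
2013-06-20T09:30:10 host=ws22 user=mlee event=usb_storage_attached serial=CORP-0042
2013-06-20T09:31:02 host=ws22 user=mlee event=outbound_connection dst=203.0.113.7:443 proc=outlook.exe
2013-06-20T10:05:00 host=ws31 user=tnguyen event=usb_storage_attached serial=ZZ99YY88
2013-06-20T11:40:00 host=ws31 user=tnguyen event=outbound_connection dst=198.51.100.9:80 proc=iexplore.exe
"""

KNOWN_SERIALS = {"CORP-0042"}     # assumption: inventory of agency-issued USB devices
ALLOWED_DESTS = {"10.0.0.5:8080"}  # assumption: the agency's outbound web proxy
WINDOW = timedelta(minutes=10)     # how soon after an attach a beacon is suspicious


def parse_line(line):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict with a datetime."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def unknown_device_attachments(records, known_serials=KNOWN_SERIALS):
    """Every attach of a device whose serial is not in the issued inventory."""
    return [(r["host"], r["serial"]) for r in records
            if r["event"] == "usb_storage_attached" and r["serial"] not in known_serials]


def find_usb_phone_home(records, known_serials=KNOWN_SERIALS,
                        allowed_dests=ALLOWED_DESTS, window=WINDOW):
    """Alert when an unknown USB device attaches and the same host then makes a
    direct (non-proxy) outbound connection within the window."""
    alerts = []
    pending = {}  # host -> most recent unknown-device attach awaiting a connection
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["event"] == "usb_storage_attached":
            if rec["serial"] not in known_serials:
                pending[rec["host"]] = rec
        elif rec["event"] == "outbound_connection":
            usb = pending.get(rec["host"])
            if usb is None:
                continue
            if rec["ts"] - usb["ts"] > window:
                del pending[rec["host"]]   # too old to correlate; stop watching
                continue
            if rec["dst"] in allowed_dests:
                continue                   # normal proxied browsing, keep watching
            alerts.append({
                "host": rec["host"],
                "user": rec["user"],
                "serial": usb["serial"],
                "dst": rec["dst"],
                "proc": rec["proc"],
                "seconds_after_attach": int((rec["ts"] - usb["ts"]).total_seconds()),
            })
            del pending[rec["host"]]
    return alerts


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for host, serial in unknown_device_attachments(records):
        print(f"unknown device {serial} attached on {host}")
    for alert in find_usb_phone_home(records):
        print("possible USB phone-home:", alert)
```

The proxy allowlist is the point of the example: on a network where every legitimate web request goes through the gateway, a process on a workstation opening a direct connection to an outside address shortly after an unrecognised device appears is a narrow signal that does not depend on the dropped code being flagged as malicious. Unknown-device attachments that never beacon are still listed separately so they can be followed up with the user.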

The auditor noted, however, that its security tests "were not sophisticated and we did not fully explore all identified vulnerabilities".

Overall, the Auditor-General noted a "slight improving trend" in cybersecurity measures over the last four years, an improvement the report largely attributed to more comprehensive security measures put in place by ServiceNet.

"While the improving trend is encouraging, 42 percent of agencies are still failing to meet our benchmark in at least one of the general computer control areas we audited," the report noted.

Only one department, Child Protection, responded to the audit report at the time of its publication, noting it remained "vigilant in protecting information from unauthorised use and will continue to strengthen security controls".

PCI compliance lacking

An accompanying audit of payment processing systems at nine separate departments also found widespread non-compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Of those audited, none of the four departments that were required to comply, because they directly handle payments and hold cardholder data, currently meets the standard.

The banks that acquire card payments for organisations and departments not fully meeting PCI DSS risk a $100,000 monthly fine, which is often passed on to the non-compliant agency.

Though the auditor found no evidence of compromised cardholder data during tests, "we identified opportunities for all agencies to improve risk management, network security, policies and overall security of their general computer systems".

The analysis covered the departments' online risk management strategies, security policies and underlying infrastructure; it found that four of the nine agencies audited required PCI DSS compliance but did not fully meet the standard.

"By electing to have an online payment system, the agencies are automatically exposed to the risk of cardholder data being compromised," the report noted.

"If an agency chooses to manage cardholder data through its own server, then it must address the added risks of that approach by ensuring its computing environment, or the environment of a site hosted by a third party, meets required security standards."

Three of the four departments criticised for lack of compliance (the Department of Transport, the Department of the Attorney-General and the geographic data agency Landgate) said they were progressing towards PCI compliance.

However, a statement from Transport said the more recent PCI DSS framework "raised the standard substantially" and that the department was instead working with industry in "examining alternatives available and achieving certification".

"In the interim, gap analysis has been completed and new processes are in place and we are confident that full personal information of customers is not stored by [Transport] and hence risk reduced substantially," it said.

Copyright © iTnews.com.au . All rights reserved.

