Commonwealth IT systems vulnerable to external attack

Australia's national auditor has found seven of the country's largest federal government agencies are vulnerable to external cyber attacks thanks to weak security provisions.

The Australian National Audit Office (ANAO) assessed the compliance of a select handful of agencies against the mandatory ICT security strategies demanded by Australian Government Information Security Manual - which the Australian Signals Directorate has previously said would prevent at least 85 percent of targeted cyber intrusions if implemented fully.

The mitigation strategies cover application whitelisting, application patches, operating system patches, and minimising administrative privileges.

The Australian Bureau of Statistics (ABS), Customs, the Tax Office, the Department of Foreign Affairs and Trade (DFAT), Human Services, IP Australia and the Australian Financial Security Authority (AFSA) were all subject to the ANAO's scrutiny and rated on their planned compliance state ahead to June 30 2014.

The ANAO expected the agencies would have basic application whitelisting deployed on desktops and servers; policies and procedures in place to patch apps and operating systems (supported by a change management process); as well as effectively managed IT security access controls for network, apps, databases and operating systems.

But the office found that while the audited agencies had reached some level of compliance - mostly regarding insider threats - they had not yet achieved full compliance with all four mitigation strategies, and are not expected to do so by the government’s deadline of mid 2014.

“Based on their stage of implementation of the top four mitigation strategies and IT general controls, the selected agencies’ overall ICT security posture was assessed as providing a reasonable level of protection from breaches and disclosures of information from internal sources, with vulnerabilities remaining against attacks from external sources to agency ICT systems.

“In essence, agency processes and practices have not been sufficiently responsive to the ever‐present and ever‐changing risks that government systems are exposed to.”

- ANAO Cyber Attacks: Securing Agencies’ ICT Systems report

All seven agencies were found to be in the “internally secure zone” of the ANAO’s IT security compliance matrix - the second most secure zone in the guide - meaning the agencies have a “reasonable” level of security.

“The agencies had security controls in place to provide a reasonable level of protection from breaches and disclosures of information from internal sources. However, this is not sufficient protection against cyber attacks from external sources.”

The ANAO found application whitelisting had been hastily deployed by the agencies, which had also adopted an “ad hoc” approach to adhering to a patching strategy and policy. The audit also found the agencies were investing little to no effort in monitoring and reviewing the logs of actions by privileged users in order to prevent external attacks.

“In the context of an evolving cyber threat environment, agencies must have cyber resilience, to enable them to continue providing services while also deterring and responding to external cyber attacks.”

The seven agencies claimed in response that IT security compliance efforts had been hampered by resource restraints, access to relevant skills and competing priorities.

The Australian Bureau of Statistics said it had not been able to achieve full compliance due to “technical constraints imposed by a small number of legacy systems”, but had introduced mitigations to reduce the risks associated with ongoing use of the systems, and was working on implementing the ANAO’s recommendations.

Customs told the ANAO it had commenced efforts to “enhance its security culture” to address the growing cyber threat and was working towards achieving compliance.

The ATO, DFAT and the Department of Human Services all promised to continue working on strengthening IT systems to mitigate security risks, as did the AFSA, while IP Australia said it was “actively” working within a undisclosed timeframe and resource envelope to improve its security posture, addressing the highest vulnerabilities first.

The ANAO said the agencies need to develop a timetable to implement the four controls in order to fully comply with the ASD framework, by deploying security patches in a timely manner; restricting privileged user access accounts relative to the sensitivity of the data and strengthening access controls; and promoting security awareness within the organisations.

Each agency agreed to implement the recommendations.