The Queensland government will step up periodic checks on all 1500 state-owned websites and internet-facing applications to gauge how susceptible they are to attack.
Last November, government CIO Andrew Mills revealed that hackers had successfully infiltrated web pages operated by the state’s Department of Education and its TAFE. They made off with data collected from the complaints portals, including details of alleged sexual assault.
Since then, Queensland has been working to fortify its IT defences, including establishing a dedicated cyber security team within the GCIO’s office.
One of the cyber security unit’s first jobs will be to sign up to a new whole-of-government vulnerability scanning service that will deliver monthly and on-demand checks of more than 20 government agencies, their web properties, and internal networks.
The scans will prioritise low-hanging fruit, such as vulnerabilities that can be easily fixed by applying vendor patches, according to tender documents released by the GCIO.
The service will also run assessments of the security of a typical government workstation.
“How susceptible is a standard workstation to compromise? If a workstation is compromised, how susceptible is the environment to lateral movement and data exfiltration?” the government wants to know.
The new approach will fill the void left by the $3.1 million tactical cyber security plan funded in the 2014 state budget, which dries up in June.
It will deliver both monthly and on-demand reports, plus recommended remediation measures for the weaknesses identified. Optional extras include assessments of spear phishing and other social engineering vulnerabilities, code analysis, website defacement alerts, and targeted penetration testing. The selected supplier could also be asked to provide comparative reporting between agencies.
The state hopes to have the scanning service in operation by October this year.