At least 14 WA Government agencies have failed a state security audit, with the Department of Education flunking the tests for the second year running.
In the Information Systems Audit Report (pdf), 15 agencies were hit by denial of service attacks and staff were targeted with planted trojan-infected USB drives.
Agencies included critical infrastructure organisations in the mining, transport, petroleum and health sectors.
Auditors attempted to gain the attention of administrators by launching "deliberately prolonged and continuous" scans on agency web sites, but they went undetected.
Instead, auditors received information on agency firewalls, application and operating systems and later, in the case of three agencies, used the information to discover and exploit vulnerabilities and gain root access without detection.
The remaining agencies were tested for vulnerabilities, but not exploited.
Only one agency detected the attacks, while another performed so badly that it failed to notice several million brute force attacks against a web server that "noticeably degraded" its network.
The failing agency had even hired a contractor to identify cyber threats.
Staff from eight agencies succumbed to curiosity and plugged in infected USBs that were scattered around public places like cafeterias. A trojan was activated which informed auditors that Stuxnet-style attack had worked.
"The audit identified significant vulnerabilities to cyber threats in all 15 agencies examined," WA Auditor General Colin Murphy said. "The second item of the report contains the results of our audit of five key business applications at five agencies."
"We found weaknesses in security and data processing controls that could potentially impact delivery of key services to the public."
It comes a year after Western Australian agencies were again chastised in previous-year audit report (pdf). The Department of Education appeared in both audits.
The 2010 annual audit found more than 600 laptops were lost across seven government agencies, which cost some $640,000 over three years, excluding the possible loss of sensitive information.
"There has been no overall improvement in agency controls over their computing systems in the last year with a high proportion of agencies still not meeting our benchmarks," Murphy said.