Australia's national auditor has called out the country's federal police for falling short of mandatory federal government security standards, despite the force claiming its IT environment was fully compliant.
The Australian National Audit Office conducted checks on the cyber security postures at the AFP, the Department of Industry, Innovation and Science, AUSTRAC and the Department of Agriculture and Water Resources.
Despite all four insisting that they had successfully implemented the Australian Signals Directorate's top four attack mitigation strategies - which have been compulsory for central government agencies since July 2014 - only two actually lived up to their claims.
The ASD's four cyber mitigation strategies include application whitelisting, patching applications, patching operating systems, and minimising administrative privileges.
The AFP - which is in charge of some of the country’s most sensitive national security operations, anti-terrorism campaigns and cybercrime operations - fell short of full implementation of the top four measures. The Industry department also failed to get a tick of compliance on all four cyber mitigation strategies.
While the ANAO said it wouldn't identify the specific weaknesses it found at each audited agency for security reasons, it revealed software patching continues to be a problem for the organisations in its crosshairs.
The auditors said the rate of patch deployment they found among the four entities was below the industry standard of 95 percent of network devices.
“One critical security patch was successfully deployed across only 58 percent of the desktops of one entity’s ICT network," it said.
"The entity in question was not aware of the low patch levels, and did not have procedures in place to monitor and audit the effectiveness of the deployed patches."
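The finding above is essentially a missing measurement: the entity could not see that a critical patch had reached only 58 percent of desktops. The following is an added example, not code from the article or the ANAO, of the kind of coverage check that closes that gap. It runs over a constructed inventory, counts a host whose last report is stale as unpatched rather than unknown, and flags any patch deployed on fewer than 95 percent of hosts, the benchmark the auditors cite. Host names and patch identifiers are placeholders.

```python
# Added example: patch-coverage audit over a constructed endpoint inventory.
# Not the auditors' tooling; patch IDs and hostnames are placeholders.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 0.95                      # industry benchmark cited in the audit
MAX_REPORT_AGE = timedelta(days=14)   # assumption: older reports are not trusted
REFERENCE_TIME = datetime(2024, 3, 2, tzinfo=timezone.utc)  # "now" for the sample

# Constructed sample: "hostname,patch_id,status,last_report" (ISO 8601, UTC).
# wks-003 is missing patch 1; wks-004 reported patch 1 installed, but six weeks ago.
SAMPLE_INVENTORY = """\
wks-001,PATCH-EXAMPLE-1,installed,2024-03-01T08:00:00Z
wks-002,PATCH-EXAMPLE-1,installed,2024-03-01T08:05:00Z
wks-003,PATCH-EXAMPLE-1,missing,2024-03-01T08:10:00Z
wks-004,PATCH-EXAMPLE-1,installed,2024-01-15T09:00:00Z
wks-001,PATCH-EXAMPLE-2,installed,2024-03-01T08:00:00Z
wks-002,PATCH-EXAMPLE-2,installed,2024-03-01T08:05:00Z
wks-003,PATCH-EXAMPLE-2,installed,2024-03-01T08:10:00Z
wks-004,PATCH-EXAMPLE-2,installed,2024-03-01T08:12:00Z
"""

def parse_inventory(text):
    """Return (host, patch, status, last_report) tuples; skip blanks and comments."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, patch, status, seen = (f.strip() for f in line.split(","))
        rows.append((host, patch, status,
                     datetime.fromisoformat(seen.replace("Z", "+00:00"))))
    return rows

def patch_coverage(rows, now, max_age=MAX_REPORT_AGE):
    """Fraction of all inventoried hosts with each patch confirmed installed recently."""
    hosts = {r[0] for r in rows}          # every host counts, even if a patch row is absent
    installed = defaultdict(set)
    for host, patch, status, seen in rows:
        # A stale "installed" report is not evidence: treat the host as unpatched.
        if status == "installed" and now - seen <= max_age:
            installed[patch].add(host)
    return {patch: len(installed[patch]) / len(hosts) for patch in {r[1] for r in rows}}

def failing_patches(coverage, threshold=THRESHOLD):
    """Patch IDs whose coverage is below the threshold, sorted for stable reporting."""
    return sorted(p for p, c in coverage.items() if c < threshold)

def run_check(text=SAMPLE_INVENTORY, now=REFERENCE_TIME):
    coverage = patch_coverage(parse_inventory(text), now)
    return coverage, failing_patches(coverage)

if __name__ == "__main__":
    cov, failing = run_check()
    for patch, frac in sorted(cov.items()):
        print(f"{patch}: {frac:.0%} of hosts" + ("  <-- below threshold" if patch in failing else ""))
```

On the sample, PATCH-EXAMPLE-1 comes out at 50 percent because the stale report from wks-004 is discounted, which is exactly the case the audited entity could not see.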
While the surveyed agencies had security controls in place to provide "a level of protection from breaches and unauthorised disclosures of information from internal sources,” the ANAO said there was "insufficient protection against cyber attacks from external sources".
Tick of approval
The Department of Agriculture and Water Resources and AUSTRAC, on the other hand, became the first agencies to get a passing grade from the ANAO.
AUSTRAC emerged from the audit with gold-star approval, ranked high in the top quadrant of security performance.
The first round of cyber checks conducted by the ANAO in 2013 found that none of the subject agencies were meeting all the demands of the top four mitigation strategies, and none were on track to get there by the mandatory compliance deadline of July 2014.
This time around, the audit team pointed out that at the very least the first cohort of commonwealth entities had been frank about their shortcomings.
While all four entities in the current audit self-reported compliance to the ANAO at the beginning of 2015 fieldwork, Industry and AFP were both proven wrong in their claims.
“The non-compliant entities had initiatives underway to achieve compliance, but they did not provide a timeframe when compliance would be achieved across their enterprise ICT systems,” the auditors said.
The ANAO intends to investigate the security stance of all federal government entities in turn.