Agencies and departments in the throes of machinery of government changes – and there are more than a few – have been declared a potential cyber weak spot by the Australian Cyber Security Centre, which wants more attention paid to how data and access privileges are transferred.
In a wake-up call to change makers across the public sector, Australia’s cyber security watchdog has warned that bureaucrats must pay better attention to holes that can open up when IT security postures are blended because of “assumptions about the quality and completeness of security controls”.
“Adversaries target organisations undergoing major organisational change because they know the disruption makes it easier for social engineering attacks,” the ACSC’s new guide to mergers and MoGs cautions.
The guide is equally applicable to corporates merging.
“Staff inside an organisation undergoing major organisational change will need to quickly form effective relationships with a new set of colleagues, often while operating with significant uncertainty and time pressures,” the ACSC’s guide says.
It’s a legitimate fear, given the raft of highly sensitive shake-ups across the Departments of Home Affairs and Human Services in Canberra and Customer Service and Transport in New South Wales, to name just two jurisdictions.
And as usual, it’s the human factor that’s the weakest link, especially when targets and timelines need to be met, prompting the ACSC to caution managers to keep their antennae up and not cut corners to meet deadlines.
“During major organisational change, staff may find they are under pressure to accept the validity of requests for data, payment or access from people they don’t know, and cannot easily verify the identity and authority of,” the ACSC said.
“The problem is further exacerbated if the organisations participating in major organisational change are geographically separated – even more so if the separation crosses national borders or cultural boundaries.”
Just knowing who’s who in the zoo is a big part of the challenge.
While the ACSC sensibly suggests there should be “arrangements so that staff can readily verify the identity and authority of new colleagues” via introductions, org charts and trusted third parties for “ad hoc” verifications, it says staff need to stand their ground on information security.
“Remind all staff they should refuse requests for access, payment or data until they can verify the requestor’s identity and authority. Identity should preferably be established in person or via telephone using contact details known to be correct,” the ACSC advice says.
“These steps are effective provided staff are confident they will be supported if they refuse requests due to identity and authority concerns. It is key that management set the right tone and, through their own actions, demonstrate that they accept the small once-off inconveniences that may occur.”
In terms of data migration, the ACSC recommends double-ups on human oversight to avoid nasty surprises, advice that essentially means pushing back against expedient HR bean counters.
“Use two trusted staff to oversee the transfer and verify that data is being sent to the intended destination. On significant data transfers the investment in an extra set of eyes to double check details is worthwhile,” the MoG advice says.
Data hygiene also gets a conspicuous call-out, with the ACSC advising organisations to use “an Australian Signals Directorate (ASD) Approved Cryptographic Algorithm listed within the Australian Government Information Security Manual (ISM) to generate a checksum prior to and after the transfer to ensure that data has not been corrupted or modified in transit”.
“Activities associated with legitimate data transfers may present a cover opportunity for data exfiltration by advanced adversaries and as such [organisations] should put in place any additional security controls considered appropriate,” it observes.
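What that checksum step looks like in practice, as an added example rather than anything from the ACSC guide: the script below builds a manifest of SHA-256 hashes (SHA-256 being one of the ISM-approved hashing algorithms) over the source tree before the transfer, then re-hashes the destination tree and reports every file that is missing, modified or unexpected. The paths are placeholders. One caveat the guide’s wording glosses over: a bare hash detects accidental corruption, but it only detects deliberate modification if the manifest itself cannot be tampered with, so send it by a separate channel from the data (or sign it) and have the second of the two trusted staff hold it.

```powershell
# Added example, not code from the ACSC guide. Assumes PowerShell 5+ on
# Windows (Get-FileHash, Export-Csv) and placeholder paths supplied by the caller.

function New-TransferManifest {
    param(
        [Parameter(Mandatory)] [string] $Root,          # tree about to be transferred
        [Parameter(Mandatory)] [string] $ManifestPath   # CSV to keep OUT OF BAND from the data
    )
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    $rows = Get-ChildItem -LiteralPath $rootFull -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootFull.Length + 1)
            Length       = $_.Length
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
    $rows | Sort-Object RelativePath |
        Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
    return @($rows).Count
}

function Test-TransferManifest {
    param(
        [Parameter(Mandatory)] [string] $Root,          # tree as it arrived at the destination
        [Parameter(Mandatory)] [string] $ManifestPath   # manifest produced at the source
    )
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    $expected = @{}
    Import-Csv -LiteralPath $ManifestPath | ForEach-Object { $expected[$_.RelativePath] = $_.Sha256 }

    $verified = 0
    $modified = New-Object System.Collections.Generic.List[string]
    $missing  = New-Object System.Collections.Generic.List[string]
    $extra    = New-Object System.Collections.Generic.List[string]

    # Every file the source promised must be present with the same hash.
    foreach ($rel in $expected.Keys) {
        $path = Join-Path $rootFull $rel
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { $missing.Add($rel); continue }
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($actual -eq $expected[$rel]) { $verified++ } else { $modified.Add($rel) }
    }
    # Files that appeared without being in the manifest deserve a look too:
    # the guide warns that legitimate transfers make good cover for exfiltration.
    Get-ChildItem -LiteralPath $rootFull -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($rootFull.Length + 1)
        if (-not $expected.ContainsKey($rel)) { $extra.Add($rel) }
    }

    [pscustomobject]@{
        Verified   = $verified
        Modified   = $modified.ToArray()
        Missing    = $missing.ToArray()
        Unexpected = $extra.ToArray()
        Clean      = ($modified.Count -eq 0 -and $missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

# Usage (placeholder paths): run the first line at the source, carry the CSV
# separately, run the second at the destination and sign off only on Clean = True.
# New-TransferManifest  -Root 'D:\Migration\Finance' -ManifestPath 'C:\Secure\finance.csv'
# Test-TransferManifest -Root '\\newdom-fs01\Finance' -ManifestPath 'C:\Secure\finance.csv'
```

The per-file manifest rather than a single hash over an archive is deliberate: it tells the two overseers exactly which files changed, and the `Unexpected` list catches anything that rode along with the transfer that the source never intended to send.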
In terms of public cloud, ACSC says, logically, that vendors should be sourced from the government’s Certified Cloud Services List.
But even then, the issue of file access permissions in merging entities can be a challenge, with endemic supplier Microsoft getting an honourable mention.
“When transferring file systems, organisations may need to take additional steps to preserve access control lists,” the ACSC says.
“In many cases there is no native support to move access control lists between different systems (such as between two Microsoft Windows servers in different domains). Aftermarket tools and other processes are available to support this requirement if needed.”
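The reason there is no straight copy is that an NTFS ACL stores security identifiers, and a SID from the old domain means nothing to a server in the new one: the entries survive the copy but resolve to orphaned `S-1-5-21-...` principals. The script below, an added example and not anything from the ACSC guide or a particular aftermarket tool, shows the “other process” approach: export the explicit (non-inherited) access rules from the source tree, translate each old-domain principal to its new-domain counterpart through a mapping table, and reapply the rules at the destination. `OLDDOM`, `NEWDOM`, the group names and the paths are placeholders.

```powershell
# Added example, not the ACSC guide's code. Assumes PowerShell 5+ on Windows,
# that the destination tree already exists (e.g. after robocopy), and that the
# new-domain groups in $PrincipalMap have been created. Names are placeholders.

$PrincipalMap = @{
    'OLDDOM\Finance-RO' = 'NEWDOM\Finance-RO'
    'OLDDOM\Finance-RW' = 'NEWDOM\Finance-RW'
    'OLDDOM\svc-backup' = 'NEWDOM\svc-backup'
}

function Export-ExplicitAcl {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$CsvPath)
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    $items = @(Get-Item -LiteralPath $rootFull) + @(Get-ChildItem -LiteralPath $rootFull -Recurse)
    $rows = foreach ($item in $items) {
        $rel = if ($item.FullName -eq $rootFull) { '.' } else { $item.FullName.Substring($rootFull.Length + 1) }
        foreach ($rule in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($rule.IsInherited) { continue }   # inherited ACEs are regenerated from the parent
            [pscustomobject]@{
                RelativePath = $rel
                Identity     = $rule.IdentityReference.Value   # 'OLDDOM\Group' or a raw SID if unresolvable
                Rights       = $rule.FileSystemRights.ToString()
                Inheritance  = $rule.InheritanceFlags.ToString()
                Propagation  = $rule.PropagationFlags.ToString()
                Type         = $rule.AccessControlType.ToString()
            }
        }
    }
    $rows | Export-Csv -LiteralPath $CsvPath -NoTypeInformation -Encoding UTF8
    return @($rows).Count
}

function Import-ExplicitAcl {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$CsvPath,
          [Parameter(Mandatory)][hashtable]$Map, [switch]$WhatIf)
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    $unmapped = New-Object System.Collections.Generic.List[string]
    $applied  = 0
    foreach ($group in (Import-Csv -LiteralPath $CsvPath | Group-Object RelativePath)) {
        $path = if ($group.Name -eq '.') { $rootFull } else { Join-Path $rootFull $group.Name }
        if (-not (Test-Path -LiteralPath $path)) { Write-Warning "missing at destination: $($group.Name)"; continue }
        $acl = Get-Acl -LiteralPath $path
        foreach ($row in $group.Group) {
            $identity = $Map[$row.Identity]
            if (-not $identity) {
                # Well-known principals are the same in every domain; everything else must be mapped,
                # including raw SIDs left behind by accounts the old domain had already deleted.
                if ($row.Identity -like 'BUILTIN\*' -or $row.Identity -like 'NT AUTHORITY\*') { $identity = $row.Identity }
                else { $unmapped.Add("$($row.Identity) on $($row.RelativePath)"); continue }
            }
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $identity,
                [System.Security.AccessControl.FileSystemRights]$row.Rights,
                [System.Security.AccessControl.InheritanceFlags]$row.Inheritance,
                [System.Security.AccessControl.PropagationFlags]$row.Propagation,
                [System.Security.AccessControl.AccessControlType]$row.Type)
            $acl.AddAccessRule($rule)
            $applied++
        }
        if (-not $WhatIf) { Set-Acl -LiteralPath $path -AclObject $acl }
    }
    [pscustomobject]@{ Applied = $applied; Unmapped = $unmapped.ToArray() }
}

# Usage (placeholder paths). Run with -WhatIf first: it touches nothing and lists every
# principal the map does not cover, which is the review the two overseers should do
# before a single ACL is written.
# Export-ExplicitAcl -Root 'D:\Migration\Finance' -CsvPath 'C:\Secure\finance-acl.csv'
# Import-ExplicitAcl -Root '\\newdom-fs01\Finance' -CsvPath 'C:\Secure\finance-acl.csv' -Map $PrincipalMap -WhatIf
```

Two things the example deliberately leaves alone: ownership and audit (SACL) entries are not carried across, and rules are added rather than replacing whatever the destination already has, so review the destination’s existing ACLs before the import and remove anything the mapping should have superseded.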
Who knew moving digs could be such fun?