Geoscience Australia has failed to implement any of the federal government’s minimum cyber security requirements and is vulnerable to cyber attack, the national auditor has found.
It is the latest in a string of agencies found to be non-compliant with the Australian Signals Directorate’s (ASD) top four cyber mitigation strategies after a probe by the Australian National Audit Office (ANAO).
The fourth audit [pdf] of cyber resilience, focusing on Treasury, the National Archives of Australia and Geoscience Australia, found only Treasury had implemented all four of the strategies.
It displayed “a high level of protection from external intrusions and internal breaches” and had “sound ICT general controls in place for logical access and change management”, the auditor said.
But the same could not be said for Geoscience Australia and - to a lesser extent - the National Archives.
Neither of the two was found to have effectively implemented all of the top four, but Geoscience was singled out as particularly vulnerable, having implemented none of the top four strategies.
“Geoscience Australia was assessed as vulnerable, with a high level of exposure and opportunity for external attacks and internal breaches and unauthorised disclosures of information,” the auditor said.
The agency had not implemented application whitelisting across its IT environment and in some instances was taking up to 30 days to install critical patches - where the current requirement is 48 hours.
The auditor noted that although Geoscience's IT service provider DXC was responsible for maintaining the security of the IT environment, ultimate responsibility for security lay with the agency.
National Archives, meanwhile, met two of the four strategies: patching applications and minimising privileged user access, but missed application whitelisting and patching operating systems.
At the time of the audit, the agency had only implemented application whitelisting on desktops and not servers because of a misunderstanding that meant it was unaware that servers were in the scope of the information security manual (ISM).
It was similarly not patching operating systems, with “less than 20 percent of critical operating system patches deployed within 48 hours”.
This made the agency “internally resilient but vulnerable to attacks from external sources”, the auditor said.
The auditor also noted that the National Archives had “incorrectly [self] reported compliance against two strategies” because they “did not have access to comprehensive guidance or supporting tools... that would have assisted accurate self-assessment”.
Although the agencies had implemented or were progressing towards implementing the top four, none of the three had implemented all four of the additional non-mandatory strategies that, together with the top four, make up the Australian Signals Directorate’s new baseline known as the essential eight.
Only one of the essential eight strategies – the daily backup of important data – had been implemented by all of the agencies.
They had also “made limited progress ... implementing the other three non-mandatory strategies – disabling untrusted Microsoft Office macros, user application hardening and [implementing] multi-factor authentication”.
The auditor has recommended that both Geoscience Australia and the National Archives establish arrangements to achieve compliance with the top four, to which they have agreed.