Ethical hackers from Queensland’s Audit Office were able to exploit vulnerabilities in the IT systems of three state government entities to access sensitive information during recent cyber security testing.
In a damning audit report [pdf] released on Tuesday, the state’s auditor said testing had revealed all of the three unnamed entities were failing to manage their security risks “as effectively as they could”.
The report found “key information assets” at each of the entities were successfully compromised by its security consultants using what was determined to be the “easiest path to attack”.
While one entity did have a “higher level” of cyber risk management maturity, the audit office said it was still “not enough to prevent our security consultants from compromising its ICT environment”.
“The fact that our consultants successfully compromised all three entities’ ICT environments and could access their sensitive or non-public data demonstrates there were gaps in their mitigation strategies,” the report states.
At one entity, the pen testers were able to gain entry to the network simply by waltzing in through the front door.
“Our security consultants were not prompted for identification at any point when accessing facilities,” the report states.
“It was possible to walk from the lifts, past the reception desk, and tailgate employees into the entity's offices.
“Upon accessing the office, our consultants were able to sit down at employee desks and connect a malicious device to the network.”
But the testing also revealed more traditional vulnerabilities in the networks, including “easily guessable passwords” at all three entities.
“At one entity, our consultants were able to crack and recover clear text passwords for over 6,000 user accounts. They cracked the majority of these in less than three minutes,” the report states.
Passwords for user accounts were also found to have been disclosed in multiple data breaches such as Adobe, Dropbox and LinkedIn.
Despite the findings, the auditor said two of the entities had “appropriate” cyber risks management frameworks in place, though testing had uncovered vulnerabilities that still needed to be addressed.
“Addressing these vulnerabilities is a balancing act between risk appetite and cost,” the report states.
However it was a different story for the Australian Signals Directorate’s top four strategies to migrate cyber security incidents, which the audit office said none of the entities had implemented effectively.
These strategies, which are considered the best way to avoid 85 percent of intrusions, are – alongside the essential eight mitigation strategies – now regarded as a “minimum security requirement” for government entities by Queensland’s chief information office.
The audit also found all three entities struggled with applying a security classification to information assets, with none able to “demonstrate an understanding of the extent to which its information assets were exposed”.
“All three entities need to conduct a comprehensive assessment of their information assets to determine which assets are at risk and require further controls to protect,” the report states.
At two of the entities, the audit office found “almost 750 ICT assets ... were assigned to employees who no longer work for them”, which - if the records are up to date – could be used to access sensitive information.
The auditor has recommended that all three entities develop a framework for managing cyber security risks in line with the state’s information security policy and develop methodologies for identifying and assessing cyber risks to information assets.
The audit report was released just hours after a number of regional Victorian hospitals and health services were forced to shutdown their IT systems after experiencing a ransomware attack.
The cyber security incident followed a warning from the state’s auditor-general just months earlier that the public health system was “highly exposed” to attack.
Barwon Health, one of the four entities identified in the audit report, was particularly hard hit on Tuesday, leading some clinical services to be suspended.
Cyber security experts from the state and federal governments are currently working to investigate the incident, and intend to conduct a full review to better protect the hospitals in the future.