Over the last eight years the Australian Tax Office security team has evolved from a checkbox compliance outfit to a department that has executive backing to run wide-scoped penetration tests, pull live apps offline for security checks and conduct regular red teaming exercises.
Critically, Trusted Access sets its own scope for the penetration tests it runs, which means security professionals can examine all avenues in which an ATO system could potentially be attacked.
Director Len Kleinman said penetration tests were often given scopes by customers that restricted examination to only an affected project, which was dangerous because it left open holes which attackers could exploit.
"A lot of system owners will come along and say they want a test on this system, but we will test beyond the boundaries," Kleinman said.
"Now if a system sits over infrastructure and exposes a vulnerability in that infrastructure we've taken the view that that system owner is responsible and must do something to plug it.
"You'll always get the contest [from system owners] that you were only meant to test systems in a particular scope."
The ATO defines vulnerability testing as a means to identify "the level of IT risk the ATO may be facing at any one instant in time". In other words, it treats the tests as a benchmark of risk, which is why they necessarily need to consider all avenues of potential attack.
Trusted Access gained executive support several years ago after the security team demonstrated to executives weaknesses in the ATO that emerged following a red team exercise.
Those complex tests were drawn from the military sphere and used vectors including social engineering, physical security and hacking to demonstrate realistic targeted attacks.
Trusted Access conducts red team tests on the ATO at least once a year.
Its positive track record has led to other Federal and State Government agencies regularly booking the team for penetration tests against their systems. The theory was, Kleinman said, that it was better for Trusted Access to find holes than malicious hackers; if the ATO was breached, it would need to fess up to the public and Parliament.
The external pen tests run for at least a month and offer tested agencies no early pointers as to what vulnerabilities were discovered.
"Don't do early notification," Kleinman said at the RSA Asia Pacific conference in Singapore. "We've been down this path and it is an absolute nightmare."
"If you disclose a significant vulnerability, [the agency's] fix may introduce new vulnerabilities or have ongoing effects on the system."
He said systems must be in a "production-like state" prior to tests.
Kleinman also advised security professionals to avoid "mini pen tests" that were shorter in scope because "invariably they just want a tick in the box".
His team does not take an agency on its word that patches have been applied, and instead performs verification tests that have "gone through the roof" over the last three years.
"If they say something is fixed, test it again."
He said penetration tests were peer-reviewed and required sign-off by senior directors, system owners and Trusted Access chief technology officer Todd Heather.
This shields the security team from blame in the event of a breach, since agencies had documented the level of risk they were prepared to accept.
Kleinman said Trusted Access could offer general advice on how agencies could fix vulnerabilities, but the process was ultimately the responsibility of the given agency.
"If a particular patch looked like the answer to a vulnerability, the decision to apply the fix and possibly bring down systems as a result must always remain with the given business unit," he said.
While the team was booked for penetration tests across other federal and state government agencies, including a current job with an unnamed NSW agency, Kleinman said it did not charge for the work.
It took the last eight years for the unit to gain its capabilities and grow from three security professionals performing checkbox security to a handpicked team of penetration testers performing wide-scoped vulnerability tests.
Kleinman said the pen testing industry was being damaged by an influx of generalists who lacked the proper skill sets to run tests.
"[Pen testing] is a particularly enticing area but we are getting too many generalists in a specialist space and it compromises the quality of work," he said.
"You need to look at the way you recruit."
Kleinman said the group sought candidates that had a proven record in software development and security and had respected and industry-recognised qualifications.
Staff in Trusted Access are also cycled between areas to keep them interested. While the pen tests could be fun, Kleinman said they were demanding and required after-hours work, so security staff often moved to intelligence and operations areas after completing tests.
He also recommended those managing security teams reconsider the way security professionals were rewarded.
"With the utmost respect I say geeks are very different people. They have a different value system, a different way of showing respect and asking for rewards."
Darren Pauli travelled to Singapore as a guest of RSA.