iTnews

Geoscience Australia 'highly exposed' to cyber attack

By Justin Hendry on Jun 29, 2018 6:49AM

No ASD Top 4 compliance.

Geoscience Australia has failed to implement any of the federal government’s minimum cyber security requirements and is vulnerable to cyber attack, the national auditor has found.

It is the latest in a string of agencies found to be non-compliant with the Australian Signals Directorate’s (ASD) top four cyber mitigation strategies after a probe by the Australian National Audit Office (ANAO).

The fourth audit of cyber resilience, focusing on Treasury, the National Archives of Australia and Geoscience Australia, found only Treasury had implemented all four of the strategies.

It displayed “a high level of protection from external intrusions and internal breaches” and had “sound ICT general controls in place for logical access and change management”, the auditor said.

But the same could not be said for Geoscience Australia and, to a lesser extent, the National Archives.

Neither of the two was found to have effectively implemented all of the top four, but Geoscience was singled out as particularly vulnerable, having implemented none of the top four strategies.

“Geoscience Australia was assessed as vulnerable, with a high level of exposure and opportunity for external attacks and internal breaches and unauthorised disclosures of information,” the auditor said.

The agency had not implemented application whitelisting across its IT environment and in some instances was taking up to 30 days to install critical patches, where the current requirement is 48 hours.

The auditor noted that although Geoscience's IT service provider DXC was responsible for maintaining the security of the IT environment, ultimate responsibility for security lay with the agency.

National Archives, meanwhile, met two of the four strategies: patching applications and minimising privileged user access, but missed application whitelisting and patching operating systems.

At the time of the audit, the agency had only implemented application whitelisting on desktops and not servers because of a misunderstanding that meant it was unaware that servers were in the scope of the information security manual (ISM).

It was similarly not patching operating systems, with “less than 20 percent of critical operating system patches deployed within 48 hours”.
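The two patching findings above (critical patches taking up to 30 days at Geoscience, and fewer than 20 percent of critical OS patches deployed within 48 hours at the National Archives) boil down to one metric: the share of critical patches installed within the 48-hour window. The following script, an added example that is not from the ANAO report or either agency, computes that metric over a constructed patch-deployment record set. The CSV layout, the `now` reference time and the rule that an undeployed patch counts as late are assumptions made for the example.

```python
from datetime import datetime, timedelta
import csv
import io

# Constructed sample (not data from the ANAO audit); one row per patch.
# An empty "deployed" field means the patch has not been installed yet.
SAMPLE_RECORDS = """\
patch_id,severity,released,deployed
KB-0001,critical,2018-03-01T09:00,2018-03-02T10:00
KB-0002,critical,2018-03-01T09:00,2018-03-31T09:00
KB-0003,critical,2018-03-05T00:00,
KB-0004,critical,2018-03-05T00:00,2018-03-06T12:00
KB-0005,important,2018-03-05T00:00,2018-03-20T00:00
"""

# Timeframe for critical patches, as cited in the article (48 hours).
CRITICAL_WINDOW = timedelta(hours=48)
TIME_FMT = "%Y-%m-%dT%H:%M"


def parse_records(text):
    """Parse CSV text into a list of dicts with datetime fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "patch_id": row["patch_id"],
            "severity": row["severity"].strip().lower(),
            "released": datetime.strptime(row["released"], TIME_FMT),
            "deployed": (datetime.strptime(row["deployed"], TIME_FMT)
                         if row["deployed"] else None),
        })
    return rows


def assess_patching(records, now, window=CRITICAL_WINDOW, severity="critical"):
    """Measure how many patches of the given severity were deployed within the window.

    An undeployed patch counts as late, with its lag measured up to `now`
    (assumed rule), so an open backlog cannot silently improve the figure.
    """
    scoped = [r for r in records if r["severity"] == severity]
    within = 0
    worst_lag = timedelta(0)
    unpatched = []
    for r in scoped:
        end = r["deployed"] if r["deployed"] is not None else now
        lag = end - r["released"]
        if r["deployed"] is None:
            unpatched.append(r["patch_id"])
        elif lag <= window:
            within += 1
        worst_lag = max(worst_lag, lag)
    total = len(scoped)
    return {
        "total": total,
        "within_window": within,
        "compliance_pct": round(100.0 * within / total, 1) if total else 0.0,
        "worst_lag_hours": worst_lag.total_seconds() / 3600,
        "unpatched": unpatched,
    }


def meets_target(result, target_pct=100.0):
    """True only if every scoped patch is deployed and the window was met."""
    return (result["total"] > 0
            and result["compliance_pct"] >= target_pct
            and not result["unpatched"])


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    res = assess_patching(recs, now=datetime(2018, 4, 1, 0, 0))
    print(res)
    print("meets 48h target:", meets_target(res))
```

On the constructed sample, two of four critical patches land inside 48 hours (50 percent), the worst lag is 30 days, and one patch is still outstanding, so the target is not met. Feeding the same function a real deployment export gives an agency the self-assessment figure the auditor measured, rather than a guess.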

This made the agency “internally resilient but vulnerable to attacks from external sources”, the auditor said.

The auditor also noted that the National Archives had “incorrectly [self] reported compliance against two strategies” because they “did not have access to comprehensive guidance or supporting tools ... that would have assisted accurate self-assessment”.

Although the agencies had implemented or were progressing towards implementing the top four, none of the three had implemented all four non-mandatory strategies that make up the Australian Signals Directorate’s new baseline known as the essential eight.

Only one of the essential eight strategies – the daily backup of important data – had been implemented by all of the agencies.

They had also “made limited progress ... implementing the other three non-mandatory strategies – disabling untrusted Microsoft Office macros, user application hardening and [implementing] multi-factor authentication”.

The auditor has recommended that both Geoscience Australia and the National Archives establish arrangements to achieve compliance with the top four, to which they have agreed.

Copyright © iTnews.com.au. All rights reserved.