A cyber security audit of seven Australian Federal Government agencies has found that none of them had achieved full compliance with the top four mitigation strategies mandated by the Department of Defence in 2013.
These strategies are: application whitelisting, patching systems, restricting administrative privileges and creating a defence-in-depth system.
According to the Australian National Audit Office (ANAO) report, there were more than 1,790 cyber security incidents against Australian government agencies during 2012. Of these, 685 were investigated by the Cyber Security Operations Centre.
- Series of errors led to Department of Immigration data breach: KPMG
- Multicard breached Privacy Act with Maritime ID card leak: Commissioner
- Securing your data in the cloud
The ANAO audited the Australian Bureau of Statistics (ABS), Australian Customs and Border Protection Service, Australian Financial Security Authority (AFSA), Australian Taxation Office (ATO), Department of Foreign Affairs and Trade (DFAT), Department of Human Services (DHS) and IP Australia.
“Based on their stage of implementation of the top four mitigation strategies and IT controls, the selected agencies’ overall ICT security posture had a reasonable level of protection from breaches and disclosures of information from internal sources,” read the report.
However, the report also found that all of the agencies are vulnerable to attacks from external sources. “In essence, agency processes and practices have not been sufficiently responsive to the ever-present and ever-changing risks that government systems are exposed to,” said the ANAO.
The ANAO defines application whitelisting as a “control which protects against unauthorised applications executing on a system".
During its audit, the ANAO found that application whitelisting was a priority for all seven agencies.
Three of the seven agencies had implemented application whitelisting across their desktop computers, while one agency was also implementing application whitelisting across its servers.
However, the ANAO looked at the protocols used to identify executable files by each agency and found that, in most cases, only simple rules were applied.
The ANAO raised concerns when it found, in the case of two agencies, that their application whitelisting was set to 'audit only mode'.
“This would have logged events that application whitelisting would have blocked if it had been switched on. Both agencies rectified this shortcoming,” read the report.
“In the case of four agencies, the default policy was not set to deny the execution of software, potentially allowing [agency] staff without administration rights to load software on agency IT systems.”
Patching involves the deployment of software releases designed to fix or patch problems with existing software.
“The ANAO observed that while all agencies had implemented a patch management strategy, procedure or instruction that aligned with their change management procedures, these approaches were inadequate to cover the patching or upgrade of desktop applications. More attention was given by agencies to the deployment of security patches to operating systems [OS] on desktop PCs and servers,” read the report.
According to the ANAO, all agencies were “non-compliant” with the requirements to apply security patches within two days from the release of these patches.
Only two agencies had patching practices which allowed them to respond to vendors’ patch releases, such as Microsoft’s monthly Patch Tuesday release cycle.
“While there may be practical challenges to overcome in applying security patches within mandated timeframes, agencies will experience additional risk exposures the longer they delay [patch] implementation,” said the ANAO.
Administrative privileges are granted to trusted IT staff to allow them to configure and manage IT systems.
The ANAO reviewed agencies’ group policies for account access. It found that admin users held separate accounts to perform system admin duties and privileged accounts were controlled/auditable.
“However, five of the agencies had shortcomings in processes used to capture and maintain audit logs for privileged user accounts, and there were also inconsistent practices across agencies in the administration of group policies,” read the report.
The ANAO also found that, in most cases, audit logs for privileged user accounts were not enforced. “This is a systemic control weakness that raises questions as to how effectively agencies can identify, respond to, or investigation unauthorised access to privileged user accounts.”
All seven of the agencies responded to the ANAO report findings and said they had established programs of work to meet application whitelisting, patching and admin privilege recommendations.
For example, the ACBPS said that it has a mandate to achieve compliance with the Australian Signals Directorate Top 35 strategies to mitigate cyber attacks.
The ATO said it would “continue to develop and implement strong policies” to stop cyber attacks.
In addition, the DHS said it takes the threat of cyber security attacks “very seriously".
“The department will continue to strengthen the posture of compliance with the top four mandatory strategies, related controls and overall ICT security.”
Follow Hamish Barwick on Twitter: @HamishBarwick