AusCert 2010: Siloed security leaves departments defaced

Security changes, data breach disclosure "an election issue"

Former strategic chief information officer for the Commonwealth of Pennsylvania, Bob Maley, at AusCert 2010

Former strategic chief information officer for the Commonwealth of Pennsylvania, Bob Maley, at AusCert 2010

The Federal Government should centralise control of IT across agencies and departments to ward-off hackers, according to a US state information security expert.

A wave of defacements that recently hit nine Western Australian government agencies could be seen as examples of slack security derived from isolated security management, according to former strategic chief information officer for the Commonwealth of Pennsylvania, Bob Maley.

While Maley, also principal of consultancy Strategic CISO, acknowledged defacements are "low-hanging fruit" in terms of the risk of exposure to sensitive data, he said websites become vulnerable to similar attacks when security is tackled in isolation by agencies.

"[Agencies] should group together to handle security and policy, and stay ahead of attacks," Maley told Computerworld at the AusCERT 2010 conference.

"It's a too common idea that people ask who knows about a breach, and do we have to tell them?"

But he said the changes, together with Australia's consideration of harsher data breach disclosure laws, are "more wrapped around elections than simple security requirements".

Maley's comments follow an upheaval of security practice and policy during his tenure as CISO in the Pennsylvania State Government, where he introduced strict application security policies, under the safeguarding citizen data project, including risk acceptance, data disposal methods, vulnerability testing and source code analysis. The policies were adopted under a Senate Bill by the state agencies.

The implementation of the Commonwealth Application Certification and Accreditation Process (CA)2, part of the project, allowed the Pennsylvania government to save between $37 million to $83 million in potential data breaches during 2008.

He said the exploitation of government resources is "almost" as large a problem as data theft, citing an instance where an individual exploited the online registration form provided by the Pennsylvania road authority to create and sell new licenses.

Join the newsletter!

Error: Please check your email address.

Tags hackersAusCert 2010Commonwealth of Pennsylvania

More about AusCertBillCA TechnologiesCERT AustraliaFederal GovernmentISO

Show Comments