Little progress has been made with securing Western Australian government agencies against cyber security attacks according to the 2012 Information Systems Audit Report tabled by Western Australian Auditor General, Colin Murphy.
According to the report (PDF) cyber attacks were carried out against six test agencies – including the WA Police Service, the Department of the Premier and Cabinet, and the Department of Finance—via the internet while USB devices containing software that would send network specific information across the internet if plugged in and activated were scattered across the agencies to test their staff.
An email spear phishing attack was also conducted on one agency to see if staff would activate a link designed to provide a back door into the agency.
Murphy found that while the government’s internet service provider (ISP), ServiceNet, had improved its blocking of common attack methods since his 2011 report which identified weaknesses in 15 test agencies, once this layer of security was removed the six agencies were vulnerable.
“It is important that agencies have their own security measures in place to stop any attacks that get through this first layer of security-- our testing shows this is not the case,” he said in a statement.
“We found that cyber attackers who got past the defences of the government’s ISP could then exploit agency vulnerabilities to a variety of cyber attacks.”
For example, these vulnerabilities had the potential to allow an attacker to access sensitive information by redirecting users to fake websites that appear official, download the contents of a database that the website connects to, and obtain sensitive information of employees from scans of Web servers.
In addition, Murphy’s audit found that one of the six test agencies had not applied any software updates to its Web server for more than two and a half years, which left it exposed to hundreds of potential vulnerabilities.
“It is important to note that we found no evidence to suggest that any of this occurred, however agencies need to act promptly to address the vulnerabilities identified to reduce the risk of these being exploited,” he said.
The report also looked at online payment transactions carried out by nine test agencies including the Department of Finance, the Department of Housing and the Water Corporation.
The Auditor General conducted a review of the technical configuration of IT systems including databases, firewalls, network devices and Web servers. It also tested the security of cardholder information throughout the transaction process.
The report found that five of the nine agencies were securely managing online payment transactions made by their customers while the other four were not compliant with the Payment Card Industry (PCI) Data Security standards. These standards include data encryption and ongoing management of payment servers.
“The four agencies are processing transactions via their own agency sites which means that cardholder and payment data, including primary account numbers, the cardholder name, card expiry date and card verification code is stored and processed through agency systems before it is passed to the payment gateway,” Murphy said.
While the report found no evidence of cardholder information being compromised, Murphy said that because the agencies did not comply with the PCI Data Security Standards, the agencies had “not effectively managed” the risk of compromise.
The report also assessed 51 WA government agencies against six general computer control categories including management of IT risks, information security, business continuity, change control, physical security and IT operations.
It found that more than half of the 51 agencies assessed had not established adequate controls to manage IT operations, information security and business continuity while 48 per cent did not have adequate controls in place for management of IT risks.
“I was pleased to note that 54 per cent of agencies we audited this year improved controls, mainly in the areas of change management and physical security,” he said.
“Disappointingly, 20 per cent of agencies had not made improvements in their control environments from the previous year.”
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow Computerworld Australia on Twitter: @ComputerworldAU