The Australian National Audit Office (ANAO)

Cyber Attacks: Securing Agencies’ ICT Systems

2014 report 50 2013–14

Cyber crime is an international problem, and it is estimated that in 2012, 5.4 million Australians fell victim to such crimes, with an estimated cost to the economy of $1.65 billion. In the government sector, the Australian Signals Directorate (ASD) has estimated that between January and December 2012, there were over 1790 security incidents against Australian Government agencies. Of these, 685 were considered serious enough to warrant a Cyber Security Operations Centre response.
The protection of Australian Government systems and information from unauthorised access and use is a key responsibility of agencies, having regard to their business operations and specific risks. In the context of a national government, those risks can range from threats to national security through to the disclosure of sensitive personal information. Unauthorised access through electronic means, also known as cyber intrusions, can result from the actions of outside individuals or organisations. Individuals operating from within government may also misuse information which they are authorised to access, or may inappropriately access and use government information holdings.
The audit objective was to assess selected agencies’ compliance with the four mandatory ICT security strategies and related controls in the Australian Government Information Security Manual (ISM). The audit also considered the overall ICT security posture of the selected agencies, based on their implementation of the four mandated mitigation strategies and IT general controls. The audit's focus included, among other things, the application of the top four of ASD's list of 35 mitigation strategies against cyber intrusions.

Contact person: Alex Doyle

In the report, pages 13-14

- In 2010, ASD developed a list of 35 strategies to assist Australian Government entities achieve the desired level of control over their systems and mitigate the risk of cyber intrusions.

- ASD has advised that if fully implemented, the top four mitigation strategies would prevent at least 85 per cent of the targeted cyber intrusions to an agency’s ICT systems. This list of strategies is revised annually based on the most recent analysis of incidents.

In the report, pages 21-22

- in the case of two agencies, their application whitelisting was set to ‘audit only mode’, which simply logged events that application whitelisting would have blocked, had it been enabled

- In all cases, agencies were non-compliant with the requirements to apply critical security patches within two days from the release of the patches, and only two agencies had demonstrable patching practices enabling them to respond to vendors’ routine or ad hoc patch releases, such as Microsoft’s monthly security patch release.

- five of the selected agencies had shortcomings in processes used to capture and maintain audit logs for privileged user accounts, and there were also inconsistent practices across agencies in the administration of group policies

- logged events that application whitelisting would have blocked, had it been enabled

- agencies will experience additional risk exposures the longer they delay implementation

- a systemic control weakness that raises questions as to how effectively agencies can identify, respond to, or investigate unauthorised access to privileged user accounts, or inappropriate activities by privileged users

In the report, part "Addressing security gaps" (pages 18, 105)

- lack of periodic assessment and review of an agency’s overall ICT security posture by the agency security executive, which can provide additional assurance

- cases where other security gaps were known by agency management or ICT operational staff but were not addressed

- Agencies advised that competing priorities could be an impediment to deploying appropriate security measures or mitigating solutions in the short term

- Systems might be delayed for between six and 18 months, a significant period without the appropriate security measures to protect the agency’s systems and information from threats and vulnerabilities.

- Recommendation: Implement periodic assessment and review by the agency security executive of the overall ICT security posture.

The risk cases visible on this page are collected and described by the e-Government Subgroup of the EUROSAI IT Working Group in contact with the authoring Supreme Audit Institutions (SAIs). In the same way, analytical assumptions and headings are chosen by the Subgroup. We encourage you to read the original texts by the SAIs, which can be found in the linked files.