Lessons learnt from the 2012 cyber security audit of Western Australian State Government Agencies

Edith Cowan University
Security Research Institute

Lessons learnt from the OAG
audits of State Government
Agencies

Andrew W d
A d Woodward d

Copyright 2012 - Security Research Institute, Edith Cowan University


Agenda
• Results of current and previous audits
• What we did and how we did it
• Impact of audits on cyber security
• Lessons learned
• A few facts about the threat landscape
• What role the CUA?
• Do we need a State CIO?
• Conclusion


OAG cyber audit – key questions
• Has the agency conducted risk assessments for
cyber threats?
• Is there a security policy and/or framework that
consider cyber th t ?
id b threats?
• Are controls in place to effectively detect and
manage cyber intrusions?
• Are incident response p
p plans and recovery y
processes in place?


What we did
• Technical controls audit
– U d open source t l t scan websites t
Used tools to b it to
identify ports, services and vulnerabilities
– Use of other information gathering tools to
identify other servers and information assets
– Penetrated selected systems
• Human factor audit
– Sent spear-phishing emails to target
organisation(s)
i ti ( )
– USB drops with benign “phone home” code


Summary of 2011 audit – results
• Fourteen of the 15 agencies we tested failed to
detect,
detect prevent or respond to our hostile scans of
their Internet sites.
• W accessed the i t
We d th internal networks of three
l t k f th
agencies without detection, using identified
vulnerabilities f
l biliti from our scans. W did not t t th
We t test the
identified vulnerabilities at the other 12 agencies.
• Eight agencies plugged in and activated the USBs
we left lying around.


Summary of 2011 audit - results
• Twelve of the 15 agencies had not recognised and
addressed cyber threats from the Internet or social
engineering techniques in their security policies.
• Ni agencies h d not carried out risk
Nine i had t i d t i k
assessments to determine their potential exposure
to t
t external or internal attacks.
l i t l tt k
• Seven agencies did not have incident response
plans or procedures for managing cyber threats
from the Internet and social engineering.


Summary of 2012 Audit
• In one agency we identified a vulnerability in their
online payment system that would allow fraud to be
committed
• I another agency we uploaded non-malicious fil
In th l d d li i files
to their web server
• We identified three significant cross-site scripting
(XSS) vulnerabilities on three of the agencies’ web
servers. The web content management systems for
each of these agencies were also identified


Summary of 2012 Audit
• Two agencies were potentially vulnerable to SQL
injection (not tested)
• At one agency we obtained personal and sensitive
information of 17 employees from scans of web
servers
• O agency had not applied any software updates
One h d li d f d
to its web server for more than two and a half years.
As
A a result, this particular server h d h d d of
l hi i l had hundreds f
vulnerabilities, some of these could provide system
level access t servers, while others allowed th
l l to hil th ll d the
interception of information


Summary of 2012 audit
• Three other agencies also failed to apply software
updates leaving them vulnerable to some exploits
exploits.
• USB sticks were left at agencies (again) and were
activated b several agencies. H
ti t d by l i However, th
these
were blocked by ServiceNet.
• ServiceNet reported traffic from within government
networks attempting to establish external
connections which were automatically denied.
• Some USBs did phone home successfully from
p y
private addresses (again)...


Summary of 2012 audit
• Spear phishing emails were sent to one agency,
and within minutes of sending out the email we
received an autoreply confirming that the email had
passed through protective filtering services and
was reaching email in-boxes.
• Th email was only sent t one agency h
The il l t to however
there were many employees that clicked on the link
from different agencies within one d
f diff t i ithi day.


Impact of audits
• IPS capability has now been implemented by
ServiceNet,
ServiceNet providing protection for a number of
agencies and blocking nuisance traffic
• Awareness of social engineering has been raised
• The new ISMS specific CUA references the cyber
audit and li
di d lists vendors who can assist with relevant
d h i ih l
issues:
“Recent Auditor General reports (June 2011) concluded generally that
agencies had failed to take a risk-based approach to identifying and
managing cyber threats, and to meet or implement g
g g y , p good ppractice
guidance and standards for computer security.”


The most feared object in WA?

Buyers Guide – Information Security Management Services: CS14998


Lessons learned
• Patching, patching, patching!
• Governance
– Lack of or flaw in tech control can often be
of, flaw,
traced back to governance issues
• Information security management -> risk
>
management
– Where are the information assets?
– Who owns them?
– Have cyber specific threats been identified?


Lessons learned (cont)
• Policy
– lack of (cyber incident policy)
– lacking – who to report to and when
g p
– lack of review phase
• Over reliance / focus on technical controls
– DSD list (top 4 are technical)
– CUA (testing services category technically focused)
• People continue to be the softest target
– User education No. 8 on the DSD list...


Tech is not the answer you seek
“The more sophisticated the technology, the
more vulnerable it i t primitive attack.
l bl is to i iti tt k
People often overlook the obvious.”

Tom Baker as Doctor Wh i Th Pirate Pl
T B k D Who in The Pi Planet (19 8)
(1978)


Threat landscape

Source: http://www.mandiant.com/threat-landscape/


Source: http://www.mandiant.com/threat-landscape/


New challenges
• BYOD and cloud bring new challenges to
ISM in general, and i state government
i l d in t t t
agencies
– Multinational banned BYOD, then found they
had 7000 in the o ga sa o
ad 000 e organisation...
• An increasing shift towards targeting the
human factor not the tech
factor,
– Being reported increasingly in cyber security
briefs


The weakest link...


Suggestions
• Increase security education training and
awareness programs (SETA)
• Follow ISO 27000 cyclical approach to ISM:
Plan, Do, Check, Act
• Implement risk management as a subsidiary of
information security management
– Identification and ranking of information assets; Identify
owner of information assets
• Metrics and measures!!! While it works, security is
y
seen as a cost, not a benefit...


Common Use Agreement
• Pro’s
– Li it who can provide services (/idi t filt on)
Limits h id i (/idiot filter )
– Provides consistency to agencies seeking services
– Th Information Security Management section contains a
The I f ti S it M t ti t i
link to the cyber health check spreadsheet – very clever!
• C
Cons
– “Testing Services” category focuses on tech too much:
not as holistic as it could b ?
t h li ti ld be?
– Evidence found in audits would suggest that the previous
CUA wasn’t working, will this one be any better?
wasn t working


State Office of the CIO
• Audit has played a role in improving Info Sec
across WA agencies i
• It is a useful tool to “prompt” agencies to
prompt
improve their security
• Wh t if they don’t k
What th d ’t know h ? how?
• Smaller agencies do not have the resources
g
that larger agencies / corporations possess
• They are held up to a standard which doesn’t
doesn t
exist (fair criticism)


State Office of the CIO
• Finance currently leading the cyber charge,
and th CUA providing h lth check i good,
d the idi health h k is d
but is this the aim of this function?
• Would a central agency which creates a
standard and provides advice to agencies on
ISM improve security?


Conclusion
• Overall, cyber security is good - always room for
improvement
• Most organisations overly reliant on technical
controls – need more f
t l d focus on people and policy
l d li
• There appears to be a disconnect between what
the government is saying and what agencies are
hearing - a State cyber security standard or Office
of the CIO may be helpful
• Blue USB thumb drives are to be feared



The end?
• Questions or comments?

• Contact the Security Research Institute for
y
further information:
e: sri@ecu edu au
sri@ecu.edu.au
p: 08 6304 5176

Lessons learnt from the 2012 cyber security audit of Western Australian State Government Agencies

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (15)

Ähnlich wie Lessons learnt from the 2012 cyber security audit of Western Australian State Government Agencies

Ähnlich wie Lessons learnt from the 2012 cyber security audit of Western Australian State Government Agencies (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Lessons learnt from the 2012 cyber security audit of Western Australian State Government Agencies