Enterprise IT, Featured, News - Written by Renai LeMay on Wednesday, June 13, 2012 14:55 - 4 Comments
ACT audit praises IT security; without testing it
The ACT Auditor-General’s Office has published a report praising the security of the territorial government’s IT systems, basing its conclusions on the evidence presented by government staff, but without actually testing that security, as some State Governments have done over the past several years.
The report, published late last week by the auditor (PDF), is entitled Whole-of-Government Information and Communication Technology Security Management and Services. The stated objective of the audit was to provide an independent opinion to the ACT’s Legislative Assembly on whether procedures around IT security were well-defined, managed and communicated within the territorial government.
In general, the audit report found that they were. “The protection of the ACT Government network is robust,” the report stated. “Shared Services ICT Security Section’s security regime has successfully defended against over one million attempts to access the ACT Government’s network in the nine month period to 31 March 2012 … the administrative structures and processes that support whole-of-government ICT policies and procedures are overall satisfactory”.
However, the auditor also disclosed in the report that no actual penetration testing of the ACT Government’s IT infrastructure had taken place as part of the audit.
In its report, the auditor wrote that its approach to the project consisted of reviewing literature and work undertaken on the subject by other jurisdictions; identifying those agencies responsible for whole-of-government policies and procedures, determining their administrative role and assessing the degree to which they fulfilled their functions; and briefings, interviews and correspondence with, and reporting to, relevant agency staff.
“The audit did not examine individual ICT security systems,” the report found. “Conclusions on the adequacy of controls over unique systems cannot therefore be extended to systems that were not subject to audit … A future discrete audit of directorates’ and agencies’ application of ICT security may be worthwhile once any recommendations from this audit are implemented.”
This non-technical approach differed markedly from the approach taken by other Australian Government jurisdictions such as the State of Western Australia, when carrying out similar IT security audits over the past several years. In June 2011, WA Auditor-General Colin Murphy published an extensive audit of the State Government’s IT security, finding that none of a wide range of government departments and agencies in the state were currently able to prevent basic cyber-attacks against their IT infrastructure — or even detect that they had taken place.
Murphy revealed his office recently conducted “benign” cyber-attacks on 15 different departments and agencies in the state, including major departments such as the Departments of Education and Health, those with sensitive information such as Legal Aid WA and the Department of the Attorney-General, and others such as Lotterywest. The first wave of attacks saw preliminary scans conducted on agencies’ networks by the Security Research Centre at Edith Cowan University, using publicly available software downloaded for free from the Internet. “These preliminary scans were deliberately hostile (prolonged and continuous) in a best effort to have our activity detected without making the test a denial of service (DoS),” the report states.
The second stage, which attacked three agencies, saw information gained from the scan used to exploit security vulnerabilities, with the aim of accessing government information. In a separate attack, the Office of the Auditor-General took a different approach, physically scattering 25 USB keys around 15 different departments and agencies, with about half left in areas open to the public such as reception or the cafeteria, and half left in areas not accessible to the public.
If a government worker plugged one of the USB keys into their PC, read one of the files on it and then launched a program, the USB key would then “phone home” to the Office of the Auditor-General, telling it its location and sending back some basic network information.
The results of the overall audit were stark. “Fourteen of fifteen agencies failed to detect, prevent or respond to any of our hostile scans,” the report stated at the time. The WA Auditor-General noted that eight agencies actually picked up the USB keys left lying around their offices, plugged them in and activated the software contained therein, despite the fact that the message contained on the USB devices, and the steps required to run the software, should have made staff “suspicious and wary”.
Similar reports have been published in Queensland and New South Wales over the past several years, with both finding that each state had significant problems guaranteeing basic IT security to their departments and agencies.
The ACT’s audit this week did note some shortcomings with the territorial government’s IT security practices. For example, it noted that a website hosted outside the ACT Government’s network had been compromised, and that it was important that the ACT Government’s IT security advisor role be reinforced and supported across government, in order to help ensure that departments and agencies were complying with IT security guidelines.
In addition, it noted that few IT systems had a security plan. “Despite it being a requirement, only 5% of the ACT Government’s 1025 information management systems have a system security plan; and even fewer, some 2.24% have a threat and risk assessment. The reasons for this were not able to be ascertained. This is an issue that needs to be addressed.” In addition, the chances that ACT Government information could be extracted were enhanced by the fact that the ACT Government does not have an electronic records management system — making it hard to track the flow of information and who could access it.
Despite the lack of IT security testing in the report, the ACT Auditor-General’s Office issued a media release (PDF) noting that “the protection of the ACT Government network is robust.”
Do I believe that the ACT Government’s IT security is “robust”? No, I don’t. Not for an instant.
Personally, I believe that most State and Territorial Governments right around Australia have woeful IT security right now — security that would be pathetically easy to break through — as easy as dropping a few USB keys loaded with malware in a handful of government facilities in each state. Eventually, as was proven in Western Australia, a few bureaucrats would plug the keys into a PC, and whoops! There goes the network.
The ACT Government doesn’t have an electronic records management system and it doesn’t have security strategies for the vast majority of its IT systems. Its claim that it has defended “over one million” attempts to breach its network in a nine month period is laughable. No doubt the overwhelming majority of those attempts were automated spam or malware sent into the Government’s email system, or relatively harmless pings of its web servers. I highly doubt that any really serious attempt to breach the ACT Government’s IT systems would be met with substantial resistance.
I would be extremely happy to be proven wrong with respect to my opinion — it would be fantastic if the ACT Government’s IT systems were indeed “robust”. But in the absence of evidence to the contrary, I choose to believe that the WA Government’s Auditor-General has the more accurate view of public sector IT security at this point. I suggest that the ACT Auditor-General’s Office should review the available literature. If it does, it will likely find that its brother and sister auditing organisations in states and territories around Australia have very little confidence in the IT security of their client governments. And without any actual testing having been conducted, in the ACT we have to assume the same.
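The point made above, that a raw count of blocked “attempts” says little about whether a network is defended, can be illustrated with a small log triage script. This is an added example and is not from the article or from the ACT audit; the syslog-style deny-log format, the field names and the sample lines are constructed for illustration and do not come from any real government system. It groups denied connections by source and separates mass-scanning background noise from activity that actually merits an analyst’s attention.

```python
"""Triage constructed firewall deny-log lines by source behaviour.

The log format (`DENY src=... dst=... dport=... proto=...`) and every
sample line are constructed for this example; they are not real logs.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample: one host sweeping telnet across six addresses (scanner
# noise), one host walking six ports on a single server, one host hammering a
# single SSH service, and one stray hit.
SAMPLE_LOG = """\
2012-03-01T02:11:03Z fw01 DENY src=198.51.100.7 dst=203.0.113.10 dport=23 proto=tcp
2012-03-01T02:11:03Z fw01 DENY src=198.51.100.7 dst=203.0.113.11 dport=23 proto=tcp
2012-03-01T02:11:04Z fw01 DENY src=198.51.100.7 dst=203.0.113.12 dport=23 proto=tcp
2012-03-01T02:11:04Z fw01 DENY src=198.51.100.7 dst=203.0.113.13 dport=23 proto=tcp
2012-03-01T02:11:05Z fw01 DENY src=198.51.100.7 dst=203.0.113.14 dport=23 proto=tcp
2012-03-01T02:11:05Z fw01 DENY src=198.51.100.7 dst=203.0.113.15 dport=23 proto=tcp
2012-03-01T03:40:10Z fw01 DENY src=192.0.2.44 dst=203.0.113.10 dport=21 proto=tcp
2012-03-01T03:40:11Z fw01 DENY src=192.0.2.44 dst=203.0.113.10 dport=22 proto=tcp
2012-03-01T03:40:12Z fw01 DENY src=192.0.2.44 dst=203.0.113.10 dport=80 proto=tcp
2012-03-01T03:40:13Z fw01 DENY src=192.0.2.44 dst=203.0.113.10 dport=443 proto=tcp
2012-03-01T03:40:14Z fw01 DENY src=192.0.2.44 dst=203.0.113.10 dport=3389 proto=tcp
2012-03-01T03:40:15Z fw01 DENY src=192.0.2.44 dst=203.0.113.10 dport=8080 proto=tcp
2012-03-01T04:02:00Z fw01 DENY src=198.51.100.200 dst=203.0.113.12 dport=22 proto=tcp
2012-03-01T04:02:30Z fw01 DENY src=198.51.100.200 dst=203.0.113.12 dport=22 proto=tcp
2012-03-01T04:03:00Z fw01 DENY src=198.51.100.200 dst=203.0.113.12 dport=22 proto=tcp
2012-03-01T04:03:30Z fw01 DENY src=198.51.100.200 dst=203.0.113.12 dport=22 proto=tcp
2012-03-01T04:04:00Z fw01 DENY src=198.51.100.200 dst=203.0.113.12 dport=22 proto=tcp
2012-03-01T05:15:42Z fw01 DENY src=192.0.2.9 dst=203.0.113.11 dport=445 proto=tcp
"""


def parse(log_text):
    """Return one dict per well-formed DENY line; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def classify_sources(events, scan_min_hosts=5, portscan_min_ports=5, persist_min=5):
    """Label each source IP by the shape of its denied traffic (thresholds are assumptions)."""
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)
    verdicts = {}
    for src, evs in per_src.items():
        hosts = {e["dst"] for e in evs}
        ports = {e["dport"] for e in evs}
        if len(hosts) >= scan_min_hosts and len(ports) == 1:
            verdicts[src] = "mass-scan"              # one port, many hosts: internet background noise
        elif len(hosts) == 1 and len(ports) >= portscan_min_ports:
            verdicts[src] = "targeted-portscan"      # many ports on one host: someone is interested in it
        elif len(hosts) == 1 and len(ports) == 1 and len(evs) >= persist_min:
            verdicts[src] = "persistent-single-service"  # repeated hits on one service: worth a look
        else:
            verdicts[src] = "stray"                  # too little to say anything
    return verdicts


def triage(log_text):
    """Summarise how many denies each behaviour class accounts for, and which sources to review."""
    events = parse(log_text)
    verdicts = classify_sources(events)
    by_class = defaultdict(int)
    for e in events:
        by_class[verdicts[e["src"]]] += 1
    review = sorted(s for s, v in verdicts.items() if v not in ("mass-scan", "stray"))
    return {
        "total_denies": len(events),
        "sources": len(verdicts),
        "denies_by_class": dict(by_class),
        "review": review,
    }


def noise_share(result):
    """Fraction of the headline deny count that is scanner noise or stray hits."""
    by_class = result["denies_by_class"]
    noise = by_class.get("mass-scan", 0) + by_class.get("stray", 0)
    return noise / result["total_denies"] if result["total_denies"] else 0.0


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(summary)
    print("share of headline count that is noise:", round(noise_share(summary), 3))
```

On the constructed sample the headline figure is 18 denies from 4 sources, but only two sources (the port walk and the repeated SSH hits) are worth an analyst’s time; the sweep and the stray hit are the kind of traffic every internet-facing address receives. The thresholds are assumptions for the example and would need tuning against real baselines, which is exactly the work a “number of attempts defended” figure skips.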