  • Enterprise IT, Featured, News - Written by on Wednesday, June 13, 2012 14:55 - 4 Comments

    ACT audit praises IT security; without testing it

    news The ACT Auditor-General’s Office has published a report praising the security of the territorial government’s IT systems, basing its conclusions on the evidence presented by government staff, but without actually testing that security, as some State Governments have done over the past several years.

    The report, published late last week by the auditor (PDF), is entitled Whole-of-Government Information and Communication Technology Security Management and Services. The stated objective of the audit was to provide an independent opinion to the ACT’s Legislative Assembly on whether procedures around IT security were well defined, managed and communicated within the territorial government.

    In general, the audit report found that they were. “The protection of the ACT Government network is robust,” the report stated. “Shared Services ICT Security Section’s security regime has successfully defended against over one million attempts to access the ACT Government’s network in the nine month period to 31 March 2012 … the administrative structures and processes that support whole-of-government ICT policies and procedures are overall satisfactory”.

    However, the auditor also disclosed in the report that no actual penetration testing of the ACT Government’s IT infrastructure had taken place as part of the audit.

    In its report, the auditor wrote that its approach to the project consisted of reviewing literature and work undertaken on the subject by other jurisdictions; identifying those agencies who are responsible for whole-of-government policies and procedures and determining their administrative role and assessing the degree to which they fulfilled their functions; and briefings, interviews, correspondence and reporting with and to relevant agency staff.

    “The audit did not examine individual ICT security systems,” the report found. “Conclusions on the adequacy of controls over unique systems cannot therefore be extended to systems that were not subject to audit … A future discrete audit of directorates’ and agencies’ application of ICT security may be worthwhile once any recommendations from this audit are implemented.”

    This non-technical approach differed markedly from the approach taken by other Australian Government jurisdictions such as the State of Western Australia, when carrying out similar IT security audits over the past several years. In June 2011, WA Auditor-General Colin Murphy published an extensive audit of the State Government’s IT security, finding that none of a wide range of government departments and agencies in the state were currently able to prevent basic cyber-attacks against their IT infrastructure — or even detect that they had taken place.

    Murphy revealed that his office had recently conducted “benign” cyber-attacks on 15 different departments and agencies in the state, including major departments such as the Departments of Education and Health, those with sensitive information such as Legal Aid WA and the Department of the Attorney-General, and others such as Lotterywest. The first wave of attacks saw preliminary scans conducted on agencies’ networks by the Security Research Centre at Edith Cowan University, using publicly available software downloaded for free from the Internet. “These preliminary scans were deliberately hostile (prolonged and continuous) in a best effort to have our activity detected without making the test a denial of service (DoS),” the report states.

    The second stage, which attacked three agencies, saw information gained from the scans used to exploit security vulnerabilities, with the aim of accessing government information. In a separate attack, the Office of the Auditor-General took a different approach, physically scattering 25 USB keys around 15 different departments and agencies, with about half left in areas open to the public, such as reception areas or cafeterias, and half left in areas not accessible to the public.

    If a government worker plugged one of the USB keys into their PC, read one of the files on it and then launched a program, the USB key would then “phone home” to the Office of the Auditor-General, telling it its location and sending back some basic network information.

    The results of the overall audit were stark. “Fourteen of fifteen agencies failed to detect, prevent or respond to any of our hostile scans,” the report stated at the time. The WA Auditor-General noted that eight agencies actually picked up the USB keys left lying around their offices, plugged them in and activated the software contained therein, despite the fact that the message contained on the USB devices, and the steps required to run the software, should have made staff “suspicious and wary”.

    Similar reports have been published in Queensland and New South Wales over the past several years, with both finding that each state had significant problems guaranteeing basic IT security to their departments and agencies.

    The ACT’s audit this week did note some shortcomings with the territorial government’s IT security practices. For example, it noted that a website hosted outside the ACT Government’s network had been compromised, and that it was important that the ACT Government’s IT security advisor role be reinforced and supported across government, in order to help ensure that departments and agencies were complying with IT security guidelines.

    In addition, it noted that few IT systems had a security plan. “Despite it being a requirement, only 5% of the ACT Government’s 1025 information management systems have a system security plan; and even fewer, some 2.24% have a threat and risk assessment. The reasons for this were not able to be ascertained. This is an issue that needs to be addressed.” In addition, the chances that ACT Government information could be extracted were enhanced by the fact that the ACT Government does not have an electronic records management system — making it hard to track the flow of information and who could access it.

    Despite the lack of IT security testing in the report, the ACT Auditor-General’s Office issued a media release (PDF) noting that “the protection of the ACT Government network is robust.”

    opinion/analysis
    Do I believe that the ACT Government’s IT security is “robust”? No, I don’t. Not for an instant.

    Personally, I believe that most State and Territorial Governments right around Australia have woeful IT security right now — security that would be pathetically easy to break through — as easy as dropping a few USB keys loaded with malware in a handful of government facilities in each state. Eventually, as was proven in Western Australia, a few bureaucrats would plug the keys into a PC, and whoops! There goes the network.

    The ACT Government doesn’t have an electronic records management system and it doesn’t have security strategies for the vast majority of its IT systems. Its claim that it has defended “over one million” attempts to breach its network in a nine month period is laughable. No doubt the overwhelming majority of those attempts were automated spam or malware sent into the Government’s email system, or relatively harmless pings of its web servers. I highly doubt that any really serious attempt to breach the ACT Government’s IT systems would be met with substantial resistance.
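    The point about the “over one million attempts” figure can be made concrete with a small triage script. This is an added example, not code from the article or from either audit: it parses a constructed set of blocked-event log lines (the key=value syslog-like format, the thresholds and the addresses are all assumptions), buckets them, and reports how few sources would actually warrant an analyst’s attention.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of blocked perimeter events (format and addresses assumed).
SAMPLE_LOG = """\
fw deny proto=icmp src=203.0.113.5 dst=192.0.2.10 dport=0
mailgw reject src=203.0.113.9 reason=spam
mailgw reject src=203.0.113.14 reason=malware
fw deny proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=23
fw deny proto=tcp src=198.51.100.7 dst=192.0.2.11 dport=445
fw deny proto=tcp src=198.51.100.7 dst=192.0.2.12 dport=3389
web 403 src=203.0.113.22 path=/login
web 403 src=203.0.113.22 path=/login
web 403 src=203.0.113.22 path=/admin
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """'source action k=v ...' -> dict, or None for a blank/short line."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    rec = {"source": parts[0], "action": parts[1]}
    rec.update(KV.findall(parts[2]))
    return rec

def triage(log_text):
    """Bucket each blocked event, then single out sources worth an analyst's time."""
    events = [r for r in map(parse, log_text.splitlines()) if r]
    buckets = Counter()
    targets = defaultdict(set)   # src -> {(dst, dport)} it probed
    auth_hits = Counter()        # src -> denials on login-style paths
    for r in events:
        if r["source"] == "mailgw":
            buckets["mail_filtered"] += 1
        elif r["source"] == "fw" and r.get("proto") == "icmp":
            buckets["icmp_noise"] += 1
        elif r["source"] == "fw":
            buckets["port_probe"] += 1
            targets[r["src"]].add((r["dst"], r["dport"]))
        elif r["source"] == "web":
            buckets["web_denied"] += 1
            if r.get("path", "").startswith(("/login", "/admin")):
                auth_hits[r["src"]] += 1
    # A host sweeping several targets, or hammering auth paths, is what a
    # "defended attempts" headline number should really be counting.
    sweeps = {s for s, t in targets.items() if len(t) >= 3}
    brute = {s for s, n in auth_hits.items() if n >= 3}
    return {"total_blocked": len(events), "by_bucket": dict(buckets),
            "review_sources": sorted(sweeps | brute)}
```

    On the constructed sample, nine blocked events reduce to two sources that merit review; the same split is what turns a raw blocked-attempt tally into a defensible metric.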

    I would be extremely happy to be proven wrong with respect to my opinion — it would be fantastic if the ACT Government’s IT systems were indeed “robust”. But in the absence of evidence to the contrary, I choose to believe that the WA Government’s Auditor-General has the more accurate view of public sector IT security at this point. I suggest that the ACT Auditor-General’s Office should review the available literature. If it does, it will likely find that its brother and sister auditing organisations in states and territories around Australia have very little confidence in the IT security of their client governments. And without any actual testing having been conducted, in the ACT we have to assume the same.


    4 Comments


    1. ulyanov
      Posted 13/06/2012 at 3:13 pm | Permalink | Reply

      Did you talk to Peter Major at ACT Shared Services before writing up your opinion?

      I agree the written-for-politicians report is laughable, especially the attacks-defended metric, but you’ve not included any comment from anyone on the ground. Sounds like reporting by press release to me. Your opinion may be (probably is) spot on, but I think you can do better.

      • Posted 13/06/2012 at 3:30 pm | Permalink | Reply

        You’re right, the article would have been better with comment from the IT guys on the ground, and I apologise for this, but unfortunately I don’t always have enough time for that. It’s the sad reality of operating a small media outlet ;) Usually people will come out of the woodwork on their own and get in contact if they think the issue is important enough. My life was easier when I had a dedicated team of journalists at ZDNet to allocate to get comment on every issue; but that was then, and this is now ;)

    2. Posted 14/06/2012 at 5:38 pm | Permalink | Reply

      This is further to your recent article on my Office’s report on security management and services in the ACT Government. Your article accurately reports that my report dealt with policies and procedures around IT security. These were at the high whole-of-government level. This contrasts with the approach of other jurisdictions, where specific systems were subject to so-called benign cyber attack.

      Several of our recommendations are mentioned by you, notably those relating to system security plans, the status of the ACT’s information security advisor and the need for an electronic records management system. Implementation of these recommendations will reduce the risk of the sorts of problems that my counterparts in the States have discovered, and which have been quoted in your article. As was stated, a future discrete audit of directorates’ and agencies’ application of ICT security may be worthwhile once any recommendations from this audit are implemented.

    3. Peter Kelley
      Posted 18/06/2012 at 9:27 am | Permalink | Reply

      I pinged the ACT Chief Minister Katy Gallagher on Twitter for a comment and here is what I received (FWIW):
      “systems tested for ICT security and there is an audit regime. Internally hosted websites are rigorously tested for compliance”
