WA public transport agency downed by hack attempt



Most of Australia just had one of those awesome, lazy four-day weekends that are so rare. We lazed around watching TV, went on hikes through Australia’s beautiful landscape, or even attended music festivals. However, it appears that IT staff at Western Australia’s Public Transport Authority had a rather different kind of weekend: one in which they descended into the hell of trying to clean out hackers from their IT systems. iTnews reports (we recommend you click here for the full article):

“A spokesperson said the department had acted out of caution after spotting the security issue and did not believe the attacker’s bid at entry had been successful.”

We’d be remiss if we didn’t mention that this is the second major hack attack on the Western Australian Government in just the past several months. In mid-February, as you may recall, a “trojan virus” took the IT and telephone systems of the WA Parliament offline. What’s happening over there in Western Australia? A spate of Internet nasties? Or is it just perhaps that hackers in general have finally realised what the state’s Auditor-General has been saying for years … that the State Government’s IT security is, frankly, pathetic?

5 COMMENTS

  1. Most outsourced government systems are insecure and full of security holes; just take a look at MyGov. It was full of SQL injection exploits when it went live because they never bothered to do any exploit testing. As for this, no doubt internal malware hacks by the Chinese trying to get escalated access to other systems as they have already done. Like stealing the blueprints from the ASIO building perhaps?

    We are under attack, just a different kind of attack, but terrorism is too much of a priority for the Liberals so they can preserve themselves. The rise of cyber attacks and the lack of action is all their doing.

  2. “… that the State Government’s IT security is, frankly, pathetic?”

    Oi!!! You mean we Sandgropers actually have one?

    • “What’s happening over there in Western Australia?”

      Oddly enough, nothing that doesn’t happen anywhere else in Oz. We could remind people of the Royal Melbourne Hospital?

      The reality is that (just like every other country in the world) IT security is a nonsense phrase. The same people who religiously lock and double-lock doors and windows do nothing to secure their IT systems.

      And–for all my smart-ass words–I have no idea why. I mean, I can postulate some whacky ideas, but “whacky” is the definitive term. What goes on in the human mind needs a deity to figure out at the best of times.

      But you know the most distressing thing about this? IT security is easy. You don’t need potions or secret incantations. You do need a healthy distrust of bad people, and it never hurts to have an entirely reasonable basic knowledge of what the various hardware and OS vendors have already given you. Most IT security is about as complicated as buying two largeish dogs to sleep in the house, and then remembering to lock the doors at night or when you leave in the morning. It really is that simple.

      And we can’t do it.

      Psst! Wanna know a secret? The quickest way into a file system is bribery! I kid you not! Social engineering is the crackers’ most valuable tool. Remember this!

  3. When I was doing a couple of infosec jobs for WA government bodies, I noticed that there was an older way of doing things over there (as opposed to Fed, or Vic/NSW and to a lesser extent QLD). When I inquired to my colleagues about why things were being done in this manner, they explained to me that at that point (2 years ago) WA was roughly 5 years behind the other states previously mentioned in their infosec maturity.

    The basis for this was there wasn’t much support for it at the state government level, and there were no major compliance requirements to encourage the government to increase their security maturity. This being said, I did meet a number of senior managers who did make considerable effort in rectifying their security position. However, without some form of [compliance] requirement, it’s very unlikely to occur more broadly across departments (no appetite = no money).

    I will note here, however, that the Office of the Auditor General (OAG) has made good efforts to do infosec auditing, and has made recommendations to government bodies to fix things up. You can find a report here: https://audit.wa.gov.au/wp-content/uploads/2014/06/report2014_14-ISAudit.pdf (page 46 is probably the most beneficial part of the report). Page 51 – “Only 40 per cent of agencies met our benchmark for effectively managing information security, down four per cent from the previous year. It is clear from the basic security weaknesses we identified that many agencies have not implemented fundamental security controls to secure their systems and information”. In my opinion, it’s difficult to mature quickly when being pushed by an audit rather than being pulled by whole of government strategy.

    My experience with my clients in understanding the requirements upon them was that there were some statements in some laws (I don’t recall the Acts) that have some requirements about protection and retention of information, but there was no government framework with which the government bodies had to comply. I will leave this here: https://publicsector.wa.gov.au/document/public-sector-commissioners-circular-2010-05-computer-information-and-internet-security

    Something else we do need to understand is that Western Australia didn’t have its own Chief Information Officer (CIO) body (I believe) until 1st July 2015, which held its first meeting on 15th of September 2015. This is something that Victoria did have and benefited under, the Victorian Government CIO Council (since 2012?). http://www.enterprisesolutions.vic.gov.au/wp-content/uploads/2016/02/SEC-POL-01-Information-Security-Management-Policy.pdf

    Perhaps we will see a maturation of security within WA government departments under the OGCIO given that ICT security policy now falls under them. “Committee members considered issues including the GovNext proposal, a new model for procuring and negotiating large scale ICT services, a new whole of government digital security policy, ICT business continuity and disaster recovery policy and governance for the ICT Renewal and Reform Fund.” http://www.gcio.wa.gov.au/News/CIO-Council-has-first-meeting.aspx

  4. @Gordon451 “Most IT security is about as complicated as buying two largeish dogs to sleep in the house, and then remembering to lock the doors at night or when you leave in the morning. It really is that simple.”

    What a complete load of rubbish! Clearly you have no concept of IT Security.

    Today’s IT Security is driven by complicated multi-layer technology, process, policy and people who either know what they are doing or they don’t.

    It is the latter that is the root cause of most issues, from the very highest board level down through managers and the goons at the wheel. They all think they know security and either miss things completely or go out and throw every security device they can lay their hands on at the problem, and then wonder (due to lack of understanding or piss poor configuration) why they still get hacked or hit with Ransomware.

    Regarding PTA’s alleged hack, my money is on the fact that they haven’t a clue what a real hack attempt is and some stupid overpaid and under talented person made a bad decision and pulled the plug in panic.

    Time will tell……
