Western Australia’s auditor-general has handed down a landmark report which finds that none of a wide range of government departments and agencies in the state is currently able to prevent basic cyber-attacks against its IT infrastructure — or even to detect that one has taken place.
In the report published today and available online in full, WA Auditor-General Colin Murphy reveals his office recently conducted “benign” cyber-attacks on 15 different departments and agencies in the state, including major departments such as the Departments of Education and Health, those with sensitive information such as Legal Aid WA and the Department of the Attorney-General, and others such as Lotterywest.
The first wave of attacks saw preliminary scans conducted on agencies’ networks by the Security Research Centre at Edith Cowan University, using publicly available software downloaded for free from the Internet. “These preliminary scans were deliberately hostile (prolonged and continuous) in a best effort to have our activity detected without making the test a denial of service (DoS),” the report states.
The second stage, which attacked three agencies, saw information gained from the scan used to exploit security vulnerabilities, with the aim of accessing government information.
In a separate attack, the Office of the Auditor-General took a different approach, physically scattering 25 USB keys around 15 different departments and agencies, with about half left in areas open to the public such as reception or the cafeteria, and half left in areas not accessible to the public.
If a government worker plugged one of the USB keys into their PC, read one of the files on it and then launched a program, the USB key would then “phone home” to the Office of the Auditor-General, telling it its location and sending back some basic network information.
The results were stark.
“Fourteen of fifteen agencies failed to detect, prevent or respond to any of our hostile scans,” the report states.
In one case, the Office of the Auditor-General tried to provoke a response by conducting a “brute force” attack on an agency web server, sending several million messages to it and noticeably degrading the agency’s network performance. “However, despite this, the attack went unnoticed by the agency,” the report states. “This was even more concerning, given that this agency had specifically engaged a contractor to identify cyber-threats.”
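The two behaviours the report says went unnoticed, a prolonged and continuous scan and a multi-million-message flood against a web server, are exactly the kind of thing a simple log-based check can flag. The following is an added example, not code from the audit or from any agency; it runs over constructed firewall-style log lines, and the addresses, thresholds and log format are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Constructed sample, not real audit data: one scanner sweeping ports
    21-120 over ten minutes, one ordinary client, and one source sending
    300 requests to port 80 inside a minute.  Format (assumed):
    '<ISO time> <src ip> <dst ip> <dst port> <action>'."""
    t0 = datetime(2011, 6, 8, 9, 0, 0)
    lines = []
    for i in range(100):  # scanner: one new port every 6 seconds
        t = t0 + timedelta(seconds=6 * i)
        lines.append(f"{t.isoformat()} 203.0.113.7 10.1.2.3 {21 + i} DROP")
    for i in range(5):  # ordinary client: a few page loads over ten minutes
        t = t0 + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} 198.51.100.4 10.1.2.3 80 ALLOW")
    for i in range(300):  # flooder: 300 hits 150 ms apart
        t = t0 + timedelta(milliseconds=150 * i)
        lines.append(f"{t.isoformat()} 192.0.2.9 10.1.2.3 80 ALLOW")
    return lines


def parse_line(line):
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect(lines, scan_ports=20, scan_span=timedelta(minutes=5),
           flood_hits=100, flood_window=timedelta(seconds=60)):
    """Return {source ip: [finding, ...]} for sources that look like a
    prolonged port scan or a request flood.  Thresholds are assumptions."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, _dst, port, _action = parse_line(line)
        by_src[src].append((ts, port))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        times = [t for t, _ in events]
        ports = {p for _, p in events}
        hits = []
        # prolonged scan: many distinct ports touched over a sustained period
        if len(ports) >= scan_ports and times[-1] - times[0] >= scan_span:
            hits.append("prolonged scan")
        # flood: too many hits from one source inside any sliding window
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > flood_window:
                start += 1
            if end - start + 1 >= flood_hits:
                hits.append("request flood")
                break
        if hits:
            findings[src] = hits
    return findings
```

Running `detect(constructed_log())` flags only the scanner and the flooder; the ordinary client touches one port a handful of times and stays below both thresholds.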
Using the information from the network scans, the attackers were able to then gain access to three agencies without detection. In one they obtained several usernames and passwords for databases in their network, while in others they gained access to files on network shares and login screens for web administration systems.
Lastly, the Auditor-General noted that eight agencies actually picked up the USB keys left lying around their offices, plugged them in and activated the software contained therein, despite the fact that the message contained on the USB devices, and the steps required to run the software, should have made staff “suspicious and wary”.
The audit report published this week is not the first one the Auditor-General’s office has conducted into IT security at Western Australian government agencies; it typically conducts one each year. This year, the Auditor-General went to lengths to point out that its advice from previous years about poor agency IT security was not being followed.
43 percent of the departments and agencies it reviewed last year, for example, had shown no change in their approach to IT security over the year, while 15 percent had actually gone backwards by at least one measure, without making any improvements in others.
The news comes at a time when IT security is coming to the forefront of the public consciousness due to a series of high-profile sustained attacks on infrastructure, as well as successful cyber-attacks on government and corporate interests.
For example, several of Australia’s major banks and a number of government agencies last week confirmed plans to replace tens of thousands of unique token authentication devices as a result of a break-in at US vendor RSA Security. In late March it was reported that at least ten parliamentary computers, including those belonging to Prime Minister Julia Gillard and Foreign Minister Kevin Rudd, had been hacked.
In addition, Sony’s PlayStation Network has recently been down for about a month through April and May after hackers broke into its network, in a security breach which could have affected more than 100 million online accounts.
State governments around Australia are seeing similar problems with their security.
In October, NSW’s auditor-general Peter Achterstraat rubbished the State Government’s IT security procedures in a report published at that time, saying the state could not guarantee to its residents that it was keeping their information secure and away from prying eyes. In the report, Achterstraat wrote that NSW had been issuing edicts about electronic information security for a decade, with agencies having been directed since at least 2001 to develop and implement security policies around how they hold personal information and certify their IT systems.
“The cyber-security threat is no longer an emerging threat — it exists now and the risk is growing,” said WA Auditor-General Colin Murphy in a statement associated with today’s report. “Agencies need to recognise the risk and take appropriate action to protect their confidential information and systems. I urge agencies to take note of the findings and act on the recommendations of this report.”