WA Auditor General finds significant security vulnerabilities in government agencies

None of 15 test agencies had adequate systems or processes in place to detect, manage or appropriately respond to a cyber attack, the WA Auditor General finds

The Western Australia Auditor General, Colin Murphy, has identified significant vulnerabilities to cyber threats in all of the agencies examined for his 2011 Information Systems Audit Report.

According to the report (PDF), “benign cyber attacks” were carried out via the internet on 15 test agencies, including the Department of the Attorney General, the Department of Education and the Department of Health. USB devices containing software that would ‘phone home’ and send network-specific information across the internet if plugged in and activated were also scattered across the agencies to test their staff.

The Auditor General’s office, which also assessed whether the 15 agencies had configured their IT systems and had supporting policies and processes in place to detect, manage and appropriately respond to cyber attacks, found serious weaknesses in security.

“None of the agencies we tested had adequate systems or processes in place to detect, manage or appropriately respond to a cyber attack,” the report reads.

“Only one agency detected our attacks. The failure of most agencies to detect our attacks was a particular concern given that the tools and methods we used in our tests were unsophisticated.”

The audit also found 14 of the 15 agencies tested failed to detect, prevent or respond to the office’s hostile scans of their internet sites. These scans identified numerous vulnerabilities that could be exploited to gain access to their internal networks and information.

“We accessed the internal networks of three agencies without detection, using identified vulnerabilities from our scans,” the report reads. “We were then in a position to read, change or delete confidential information and manipulate or shut down systems. We did not test the identified vulnerabilities at the other 12 agencies.”

The report also noted that eight agencies plugged in and activated the USB devices the Auditor General’s office had placed. These devices subsequently sent information back to the office via the internet.

“This type of attack can provide ongoing unauthorised access to an agency network and is extremely difficult to detect once it has been established,” the report reads. “Failure to take a risk-based approach to identifying and managing cyber threats and to meet or implement good practice guidance and standards for computer security has left all 15 agencies vulnerable.”

The report further notes that the office was able to breach the security of these agencies despite the majority of them recently paying security contractors up to $75 000 to conduct penetration tests on their infrastructure.

“Some agencies were doing these tests up to four times a year,” the report reads. “In the absence of a broader assessment of vulnerabilities, penetration tests alone are of limited value, as our testing demonstrated.”

Follow Tim Lohman on Twitter: @Tlohman

Follow Computerworld Australia on Twitter: @ComputerworldAU
