Don't assume that government security is any better than yours

Assumptions that government organisations' strict governance requirements make them more secure than conventional businesses are a dangerous fallacy, a security expert has warned in the wake of a growing string of high-profile data breaches in both the public and private sectors.

Shortcomings in government departments' IT security are often not discovered until hackers lay their troves of personally identifiable information (PII) bare for the world to see, Nuix senior vice president for cyber threat analysis Pogue told CSO Australia in the wake of a massive and damaging data breach at the US Office of Personnel Management (OPM), whose 21.5 million victims include Pogue himself.

With this week's publication of the massive Panama Papers archive of stolen confidential information in a searchable format for all to view, the world had yet another example of the consequences – this time for Panamanian law firm Mossack Fonseca – when data breaches cannot be detected or stopped in time. The massive size of the Panama Papers breach – which at 2.6TB in size dwarfs the OPM breach in terms of its sheer volume of data if not its national-security implications – has fast become yet another bullet point in the argument for better controls over private and public-sector information.

“Any government agency that retains that kind of data needs to understand that there is tremendous value for that data on the black market and the attackers want it,” Pogue said, “so they are going to actively pursue it. And, as evidenced by recent breaches in the Philippines and Turkey, it's not just the US or Australia they're going to target; it's literally anything, anywhere.” As in the private sector, government decision-makers often laboured under the assumption that they are more secure than they actually are.

“These government systems are assumed, because it's the government, to be more comprehensive and to deploy more controls,” Pogue said. “But when you peel back the covers, they don't. They are just as holey, just as vulnerable and have as many issues and flaws as other systems – and in some cases, even more so.” Even those that try to improve security often find themselves hobbled by the weight of official process, he added.

“They're dealing with taxpayer money and budgets in a way that private industry isn't: you have people almost with one hand tied behind their back. They are dealing with an exhaustive and sometimes overburdened procurement process where getting the tools and technologies that they need is so difficult and time-consuming that just to do the right thing takes several orders of magnitude more effort than it does in private industry.”

Ponderous procurement processes will get a boost from the government's 2016-17 budget, which includes $12.4m “to upgrade information technology systems to support greater transparency in the reporting of procurements conducted by limited tendering” associated with the Trans-Pacific Partnership trade agreement – which is expected to improve Australian access to overseas markets and vice versa. The effectiveness of such changes will be judged over time, but in the short term both government and non-government bodies should proceed as if their confidence around security is somewhat optimistic.

Yet this may prove difficult for executives who, studies repeatedly show, are more overconfident about, and less included in, organisational security planning than their peers overseas. Strong executive involvement in security planning has been linked with an increase in organisational confidence in IT security, even though many executives blame security breaches on bad user behaviour.

They wouldn't be entirely wrong, Pogue says: “there are a whole lot of IT hygiene basics that can be done – things like network segmentation, data encryption, and proper use of firewalls – but we still see passwords being used that are dictionary-based words, very simple vendor-supplied or even default passwords.”

“The sorts of things that can make attackers' lives more difficult really aren't being done at scale,” he continued. “We've collectively got 20 years' worth of data about how attacks take place, but it's like we haven't learned our lessons and haven't taken cues from other industries that have dealt with this. We're not even really putting up a good fight.”

Stories by David Braue