The Western Australia Auditor General, Colin Murphy, has identified significant vulnerabilities to cyber threats in all of the agencies examined for his 2011 Information Systems Audit Report.
According to the report (PDF) “benign cyber attacks” were carried out on 15 test agencies — including the Department of the Attorney General, the Department of Education, and the Department of Health —via the internet while USB devices containing software that would ‘phone home’ and send network specific information across the Internet if plugged in and activated were also scattered across the agencies to test their staff.
The Auditor General’s office, which also assessed whether the 15 agencies had configured their IT systems and had supporting policies and processes in place to detect, manage and appropriately respond to cyber attacks, found serious weaknesses in security.
“None of the agencies we tested had adequate systems or processes in place to detect, manage or appropriately respond to a cyber attack,” the report reads.
“Only one agency detected our attacks. The failure of most agencies to detect our attacks was a particular concern given that the tools and methods we used in our tests were unsophisticated.”
The audit also found 14 of the 15 agencies tested failed to detect, prevent or respond to the office’s hostile scans of their internet sites. These scans identified numerous vulnerabilities that could be exploited to gain access to their internal networks and information.
“We accessed the internal networks of three agencies without detection, using identified vulnerabilities from our scans,” the report reads. “We were then in a position to read, change or delete confidential information and manipulate or shut down systems. We did not test the identified vulnerabilities at the other 12 agencies.”
The report also noted that eight agencies plugged in and activated the USBs the Auditor General office had placed. These devices subsequently sent information back to the office via the Internet.
“This type of attack can provide ongoing unauthorised access to an agency network and is extremely difficult to detect once it has been established,” the report reads. “Failure to take a risk-based approach to identifying and managing cyber threats and to meet or implement good practice guidance and standards for computer security has left all 15 agencies vulnerable.”
The report further notes that the office was able to breach the security of these agencies despite the majority of them recently paying security contractors up to $75 000 to conduct penetration tests on their infrastructure.
“Some agencies were doing these tests up to four times a year,” the report reads. “In the absence of a broader assessment of vulnerabilities, penetration tests alone are of limited value, as our testing demonstrated.”
Follow Tim Lohman on Twitter: @Tlohman
Follow Computerworld Australia on Twitter: @ComputerworldAU