Agencies fall short of Australian Government security goals: ANAO
An audit conducted by the Australian National Audit Office (ANAO) has said that seven Commonwealth agencies that the audit office looked at did not meet the top four security strategies made mandatory by the Australian Government last year.
ANAO said its conclusion applied not only at the time the audit was conducted in October 2013, but would still be correct looking forward to 30 June 2014, even after each agency had endeavoured to meet its obligations.
The audit looked at the information security of Australian Bureau of Statistics (ABS), Australian Customs and Border Protection Service (Customs), Australian Financial Security Authority (AFSA), Australian Taxation Office (ATO), Department of Foreign Affairs and Trade (DFAT), Department of Human Services (DHS), and IP Australia. With each agency's compliance against the Australian Signals Directorate's top security recommendations — application whitelisting, application and operating system patching, and minimising of administration privileges — tested.
Each agency, while protected from internal security issues, was found to be insufficiently protected against external attacks, as would remain so at least until the middle of 2014.
"The agencies had security controls in place to provide a reasonable level of protection from breaches and disclosures of information from internal sources. However, this is not sufficient protection against cyber attacks from external sources," the audit said.
"Agencies further advised that factors affecting their current security posture and level of compliance with the four mandated strategies included: competing operational priorities, for example, ICT resources must be allocated to deliver a range of business outcomes; resource restraints; and accessing specialist skills."
Throughout the report, the ANAO did not identify any agency's compliance or non-compliance, citing a risk of "disclosing sensitive information about agency ICT systems".
Looking into the use of whitelisting, the ANAO found that the default policy in four agencies was to allow arbitrary software to run. Three agencies used whitelisting on desktop machines, and one also used application whitelisting on its servers, but ANAO determined that in most cases, the criteria used were simple certificate and folder-based rules.
"The ANAO raised concerns when it observed, in the case of two agencies, that their application whitelisting was set to ‘audit only mode’, which simply logged events that application whitelisting would have blocked, had it been enabled," the report said. "Both agencies immediately rectified this shortcoming."
The verdict on patching applications and operating systems was no better, as ANAO said that although agencies had a patch management strategy, and it often worked for operating system vulnerabilities, it was inadequate to cover application issues.
"In all cases, agencies were non‐compliant with the requirements to apply critical security patches within two days from the release of the patches, and only two agencies had demonstrable patching practices enabling them to respond to vendors' routine or ad-hoc patch releases, such as Microsoft's monthly security patch release," ANAO said.
"All agencies had mitigating controls to prevent attacks or resolve issues to their systems where known vulnerabilities could not be patched."
While the management of privileged accounts was better across the board, ANAO located a problem with a lack of auditing of administrative account actions.
"For all agencies: administrative users held separate accounts to perform system administrative duties; were denied email accounts and Internet access; and privileged accounts were controlled and auditable," the audit said. "However, five of the selected agencies had shortcomings in processes used to capture and maintain audit logs for privileged user accounts, and there were also inconsistent practices across agencies in the administration of group policies."
"Further, the ANAO’s assessment of agency policies to capture and maintain audit logs for privileged user accounts, found that in most cases the policy was not enforced.
"This is a systemic control weakness that raises questions as to how effectively agencies can identify, respond to, or investigate unauthorised access to privileged user accounts, or inappropriate activities by privileged users."
ANAO said logical security access and change management was sound, but found that most agencies needed to tighten access to databases, and recommended that the agencies move swiftly to fix the issue.
The audit also recommended that agencies go through annual IT threat assessments, and look at compliance with the ASD's top 35 mitigation strategies.
Even though improvement in a single area would improve each agency's rating by ANAO, the audit office said looking at planned activities over the first half of 2014, all agencies would miss the June 30 deadline set by the federal government.