Qld IT systems left unpatched, used in botnets
As part of the Queensland government's IT Audit, independent auditors performed an assessment of the level of information security procedures in place across a number of departments and agencies.
It first addressed the previous attacks that had taken place against the state government in the past, acknowledging that the attacks on its sites in July by Anonymous were made possible due to unpatched software.
However, it also noted that the sites were due for decommissioning, and/or the functionality that gave the attackers access were no longer being used.
The report also shed light on the number of distributed denial-of-service (DDoS) attacks that the government had seen since early 2012, when shared services provider CITEC put in place the capability to monitor for such attacks. It found that in 2012, the state government had been subject to 17 such attacks, but that they had only lasted for a few minutes to half an hour.
One of the more notable attacks was against the Queensland Police Service, which sustained attacks from over 100,000 endpoints. Mitigating these attacks was possible due to CITEC stepping in to assist the individual departments.
In particular, the report noted that by themselves, departments are not equipped to diagnose or respond to DDoS attacks, and that it would not be economical for each department to duplicate such capability. CITEC's functions are due to be discontinued following recommendations from a previous independent commission.
New findings were made by the auditors performing a "light" network scan for vulnerabilities across 65 websites. Of those targeted in the scan, 11 percent immediately detected and blocked the scan, and about half of the departments reported the suspicious behaviour.
Of the 58 hosts that did not block the scan, the report found that 78 percent had issues that needed further investigating by the host's administrators. Overall, the report found that 41 percent of sites contained medium or high-risk issues, and 12 percent contained high-risk issues.
Although many sites used SSL encryption, 45 percent were found to have been mis-configured.
The auditors recognised that the scan itself was potentially missing vulnerabilities that were known to exist. For the purposes of the audit, they conducted a manual review of the 65 hosts to retrieve the header information (such as version information) for software running on those servers audited.
It found that 20 percent of the systems audited were running old, vulnerable software, and that three of them used software past its end of life.
Specifically, the audit came across versions of Apache with known vulnerabilities that had not been patched since 2007, versions of PHP that reached end of life in 2010, and Microsoft SharePoint instances that had not been updated since 2008.
The use of outdated software continues on the desktop application side, with the report singling out the government's use of version 6 of Microsoft Internet Explorer (IE6).
"The Queensland government's 57 percent use of this outdated and relatively insecure web browser contrasts with browser use in Australia, where IE6 represents less than 1 percent of browser usage."
With these vulnerabilities being a potential opening for attackers to exploit, the audit also examined networks for suspicious activity.
It found that many government networks are "under constant attack", "contain some computers that are compromised", and "are involved in attacks against other systems".
The report noted that traffic is being allowed through perimeter defences, and that its audit probably has not detected the full extent of the problem, given the number of unpatched systems.
In particular, government systems were used to contribute to the TDL-4 and Torpig botnets, and even instances of Conficker were detected.
"Queensland government needs visibility and understanding of traffic flowing in and out of its networks. Based on recurrent Queensland Audit Office reports, and the traffic seen, some agencies continue to have limited detection and response capabilities."
Queensland state departments do have an information security standard that they are supposed to draw on — Information Standard 18 (IS18) — however, the audit found that its mandatory requirements are not being treated as such.
Only 38 percent of agencies reported being fully compliant with IS18. About 19 percent said they were substantially compliant, 34 percent said they were partially compliant, and 7 percent admitted they were not compliant. About 1 percent claimed that the standard did not apply to them.
"Agency consultation feedback confirmed a portion of agencies are not working towards continuously improving levels of compliance, but rather, are seeking a middle position compared to other agencies. This position reflects the reality that there is little enforcement of 'mandatory requirements' or significant consequence for non-compliance."
The report highlighted a lack of information security professions in the government sector as an issue contributing to the problem. It pointed to a former review of security governance by Deloitte Australia in 2011, which found that departments often have as little as 0.1 full-time equivalents focused on information security.
Furthermore, the report noted that these professionals have decreased in number by 14 percent between June 2012 and September 2012.
"The reduction in security resources will place further pressure on the already limited security expertise within Queensland government."
For those that are still at their posts, however, the report pointed out many of the good activities that it has seen over the past 12 months. These included proactive security reviews; self-testing of infrastructure and services; the work undertaken by the government's Virtual Response Team; and the informal sharing of policy, guidelines, and planning documents between departments.