Govt ISP saves agencies from audit shame

State government-owned internet service provider (ISP) ServiceNet has saved a number of state government agencies from stumbling at the first hurdle of a security audit by Western Australia Auditor-General Colin Murphy.

The auditor-general conducts a security audit every year, testing agencies on their security measures. Last year, Murphy tested 15 agencies, launching attacks over the internet and scattering USBs containing malware throughout the agencies. He found that none of the agencies tested had adequate systems or processes in place to detect, manage or respond to such attacks.

This year, Murphy turned his attention to a new set of six agencies: the Central Institute of Technology, the Department for Child Protection, the Department of Finance, Polytechnic West, the Department of Premier and Cabinet and the WA Police Service. He hoped that they would show better awareness of security, following the last report.

Murphy's team downloaded tools from the internet to scope out agency systems, find vulnerabilities and map out infrastructure. Unlike the year before, however, auditors had trouble scanning agency networks, and noted that their ISP — ServiceNet — had improved its security controls.

However, the auditor-general felt that the agencies should be able to protect themselves without ServiceNet, so the ISP was asked to let attacks through its firewall, after which his team was easily able to run scans and find and exploit vulnerabilities in the various agencies.

The auditor-general found cross-site scripting vulnerabilities, as well as vulnerabilities that allowed SQL-injection attacks, online payment system fraud and files to be uploaded to a web server.

"One agency had not applied any software updates to its web server for more than two and a half years. As a result, this particular server had hundreds of vulnerabilities, which could have been easily exploited," the auditor-general noted in his report.

There were several cases of software not being updated, Murphy found, as well as outdated applications and web servers. In combination, issues such as these leave the door wide open for hackers, he said.

People, however, remain the weakest link, Murphy said. After infected USBs were spread through the tested agencies, several were plugged in to agency devices by employees and activated. When the USBs were activated, they were meant to phone home to the auditor-general. Luckily for the agencies, ServiceNet blocks traffic from within government networks attempting to establish external connections. However, some of the USBs were used from home addresses, and were able to make the call back to the auditor-general.

Since the USB attack had been mainly thwarted, the auditor-general sent a spear-phishing email through to the employees of one government agency. Not only did employees from that agency click on the "special offer" link in the mail, but employees from other agencies did, too, indicating that the email had been forwarded on to other staff.

"Once again, this demonstrated that employees were not familiar with the dangers of clicking on links, and in this test we were able to escalate access to those agencies without their knowledge," the auditor-general said.

He suggested that agencies continue to use ServiceNet for their internet access, since it has performed so well, and that they talk to ServiceNet about their security requirements. He also recommended that agencies regularly update systems and become more aware of the tools that hackers employ, so that they can create information-security policies and incident-response plans to deal with those tools.

In addition to testing the security of the above six agencies, the auditor-general also audited nine agencies — agencies that are mainly involved in managing online transactions. Five of these were using third-party providers, but four were handling card-holder information themselves, and were found not to be compliant with the payment standard PCI-DSS. He urged them to develop policies with the standard as their guide.

Lastly, the auditor-general looked at the application controls of five key business applications and general computer controls across 51 government agencies. He found that all 51 government agencies have information security control weaknesses in the areas of management of IT risks, information security, business continuity, change control, physical security and IT operations.

Although many agencies have improved on their weaknesses since last year, 20 per cent did not, the auditor-general said. He urged agencies to act on his recommendations this year.