CESG: Government risks breaches through patchy audits

A reliance on automated rather than human security monitoring of IT systems is leaving government departments in the dark about attack risks, according to the information assurance agency

The human monitoring of IT systems for security vulnerabilities and incursions is patchy across government, according to a government information assurance unit.

As a result of this poor and inconsistent monitoring of audit logs, there could be gaps in awareness about possible attacks and about attacks as they are happening, Jon Ashton, director of information assurance for CESG — part of the GCHQ government intelligence agency — said on Tuesday.

"The big thing about monitoring is that we've dropped the ball in noticing what's going on," Ashton told an audience at the Government ICT 2011 conference in London. "If you go into departments and ask about logs, some are being produced, but are they being looked at? Some departments are not producing logs, as there is no point if no one is looking at them."

While automated monitoring can be effective in spotting breaches, Ashton said that "serious crime actors have impressive capabilities" to break into networks. In addition, new vulnerabilities are typically discussed at week-long conferences, which leaves little room for complacency.

To improve the situation, government agencies need to balance risks by department, Ashton told ZDNet UK, depending on the level of sensitivity of data each holds. On top of this, they should take a good look at the extent to which they use automated network monitoring, he added.

"Some organisations are very good [at monitoring systems]," Ashton said. "There is a wide spectrum."

The Ministry of Justice's chief information officer, Andy Nelson, said he was satisfied his department had the correct balance for its security monitoring. "From our perspective, we are doing a good job," Nelson told ZDNet UK. "There is a balance in doing this. We have proactive monitoring services, and we have services to mitigate risk."

Nelson said that he could not speak about the security practices of the rest of central government, but said in general that automated monitoring by itself may not be enough to mitigate risk. "You can buy services that proactively monitor systems, [but] it's how you use them," he said.

The budget cuts planned for central government will not make the task of keeping networks secure any easier, according to Mark O'Neill, chief information officer for the Department for Culture, Media and Sport (DCMS) and acting chief information officer for the Department for Communities and Local Government (DCLG).

"As the sophistication of attacks grows, we need to grow the sophistication of the monitoring we do," O'Neill said. "This is a fundamental challenge we face at a time of declining budgets."

O'Neill said both the DCMS and the DCLG monitor audit logs. "We take security very seriously, and run a variety of systems to provide real-time analysis and prevention, as well as longer-term analysis," he said.

Government departments that do not have tight security are going to encounter problems when more public services move online, O'Neill argued. Cabinet Office minister Francis Maude said in November that the government wants to make online the preferred channel for services such as tax form submission, which will move online by 2013.

"If you can't guarantee the integrity of your systems, you're going to have challenges in the move to 'digital by default'," O'Neill said.

Jos Creese, who is head of IT for Hampshire County Council and president of the Society of IT Management (Socitm), said that auditing security logs across local government may be hampered by a lack of resources. "In [Hampshire], we do a lot of penetration testing and scrutiny of logs," Creese said. "However, across local government there are a lot of small organisations, and whether they can afford that level of scrutiny, I don't know."

Creese said that at local government level, the biggest security issue IT managers face is dealing with fraud rather than national security.

"There are a lot of checks and balances around financial systems," he said. "Most of the threats come from inside. The risks are different, and the risks are lower [than central government]."