Western Australia's Office of the Auditor General (OAG) has made six recommendations to state government agencies after finding that the six agencies it audited had previously been the target of malware campaigns.
According to the OAG, the six agencies probed (which included the Department of the Attorney General, Department of Mines and Petroleum, Department of Transport, Main Roads Western Australia, and the Office of the Government Chief Information Officer (OGCIO)) were under constant threat, which it said highlighted the need for improved central governance arrangements to identify, warn of, and prevent attacks.
In its report [PDF], Malware in the WA State Government, the OAG said that as a result of the audit, it made "detailed recommendations" to each agency that came under the microscope. The explicit details were not published; instead, the OAG offered up the six broader recommendations it made, which included an in-depth assessment of the risk that malware poses to each agency, improving any controls the OAG identified as ineffective, and that each agency consider additional controls to better secure its networks, systems, and data against malware.
The Auditor General also said it wants to see the WA public sector, under the careful watch of the OGCIO, consider methods to foster "collaboration, information, and resource sharing" between agencies. It also wants the public sector to gather information to properly understand the threat posed by malware and other cyberthreats to the state government.
"Without central guidance and support, agencies work in isolation," the OAG said. "There are few formal avenues for collaboration, support, and resource sharing. Increased cooperation and sharing can reduce costs to agencies through economies of scale."
The OAG's final recommendation is that the OGCIO continue the rollout and implementation of the Digital Security Policy, including its supporting guidelines and controls.
The purpose of the state's whole-of-government Digital Security Policy is to provide direction for the adoption and maintenance of security protection controls in digital information and digital information systems.
Pointing to a recent report by FireEye-owned cyberforensics firm Mandiant, the OAG said that jurisdictions with better central coordination have a more mature approach to security, resulting in infections and breaches being found and remediated more quickly.
"A whole-of-government view of cyberthreats allows for properly informed and more efficient security programs," the Auditor General said.
As state agencies are not required to report malware incidents to a central agency, the OAG said no single body was able to provide it with an overview of the size or nature of the malware threats faced.
In performing its audit, the OAG said it observed malware-related communication on all networks tested, with the attacks believed to have originated from 18 different countries, including Australia.
Specifically, two agencies had signs of persistent malware infections that had bypassed their security controls, with one agency experiencing a single infection that had been active for most of the 12-day sample period, the OAG said. The other agency had in excess of five infections active for approximately two days, with at least one computer reinfected during the assessment period.
In its report, the Auditor General highlighted that IT control failures are still common among government agencies, with testing revealing all agencies had some control failures, or missing controls.
"Common issues were around missing security patches and outdated operating systems," the report said. "We also noted problems with management of anti-virus software, assignment of access rights, and network design. These ineffective or missing controls place agencies at risk of malware infections and breaches."
In addition, the OAG highlighted that people are the weakest link in an organisation, and that state agencies were not immune to the trend.
"People are essential for strong defence," the OAG said. "Agencies cannot rely solely on automated tools, as these tools can only deal with known threats. Skilled professionals are required to monitor the IT environment and identify issues proactively."
All of the agencies probed had IT staff working in information security roles, the OAG said, noting some were "fortunate to have more than one".
The OAG also found that most agencies did not provide adequate awareness training for their staff, and that many of the malware attacks observed within the agencies required some level of interaction from a staff member.
The OGCIO was established in July 2015, with Giles Nunis officially appointed as the first government chief information officer for WA the following October.
At the time, WA Premier Colin Barnett said Nunis has an important role to play in helping to stabilise the government's IT costs, develop a whole-of-government IT strategy, and build the capacity of WA's growing IT sector.
"The government spends AU$1 to AU$2 billion on IT and this needs to be strongly managed to ensure we deliver the best value to West Australians," the premier said at the time. "Nunis has the right combination of professional skills and practical experience, with a fundamental understanding of the private and public sectors and how to negotiate and deliver large IT projects."