The Western Australian auditor-general has released a damning report (PDF) into the security of state government systems, following penetration tests that allowed testers to see confidential government documents and credit card transactions.
The audit probed the security readiness and response capability of the Department of the Attorney-General, Department of Education, Department of Health, Department of Mines and Petroleum, Department of Transport, Fremantle Port Authority, Gold Corporation, Landgate, Legal Aid, Lotterywest, Main Roads, ServiceNet, Synergy, Water Corporation and Western Power.
"None of the agencies we tested had adequate systems or processes in place to detect, manage or appropriately respond to a cyber attack," the auditor-general said in his report to the WA state parliament.
Agencies were asked to prepare their systems prior to the auditor-general's external and internal testing to prevent outages in critical government systems. In its external tests, the Auditor-General's Department used what it described as "freely available software" to scan an agency's public website for holes. The auditor-general's testing included performing the closest possible replication of a denial-of-service attack, as well as a brute force attack on an agency web server.
"We conducted a 'brute force' attack that made several million attempts to gain access to a web server. We noticeably degraded the performance of the agency's network without denying user services. However, despite this, the attack went unnoticed by the agency. This was even more concerning given that this agency had specifically engaged a contractor to identify cyber threats," the auditor-general's report said, adding that engaging penetration testers without a broader security awareness plan would be of little benefit.
"Nearly all the agencies we examined had recently paid contractors between $9000 to $75,000 to conduct penetration tests on their infrastructure. Some agencies were doing these tests up to four times a year. In the absence of a broader assessment of vulnerabilities, penetration tests alone are of limited value, as our testing demonstrated. Further, they are giving agencies a false sense of security about their exposure to cyber threats."
While each agency failed to detect the intrusions, the auditor-general's team of penetration testers from Edith Cowan University specifically targeted three particularly vulnerable agency networks, which put the testers in a position to read, change and delete confidential files and even shut down critical systems. Worse still, the auditor-general reported that it obtained usernames and passwords from one agency, gained access to network folders in another and was even able to intercept credit card transactions from another.
"The failure of most agencies to detect our attacks was a particular concern given that the tools and methods we used in our tests were unsophisticated," the report said.
The audit also revealed that user passwords were too simple, and found old and unauthorised user accounts on agency systems.
The Auditor-General's Department also performed internal, social engineering-based tests by leaving 25 USB thumb drives lying around in various agencies. The thumb drives contained innocuous malware designed to scare off a curious user. A subroutine in the file was designed to "phone home" if accessed, so that the results of the test could be tracked.
"These USBs did not contain auto-executing malware, but instead relied on a social approach. An individual would have to pick up the USB, plug it in, then make the decision to read a file and then run a program. The message contained within the file and the steps required to run the program should have been sufficient to make an individual suspicious and wary," the report said, adding that the results demonstrated a fundamental lack of security understanding from agency staff.
"Eight agencies plugged in and activated the USBs we left lying around. The USBs sent information back to us via the internet. This type of attack can provide ongoing unauthorised access to an agency network and is extremely difficult to detect once it has been established," the report revealed.
Some of the USB thumb drives even found their way into home computers and computers of private organisations. Only three agencies reported the thumb drives as lost property.
"This aspect of our audit highlighted how important it is that agencies manage all the potential risks to their systems."
The auditor-general surmised that agencies were struggling to stay on top of emerging security threats, often working in silos, isolated from each other.
"There is an opportunity for greater coordination across government in the area of information technology, standards and guidance for agencies."
The auditor-general recommended that all agencies shore up their cyber defences by implementing intrusion detection gear and running security training programs for all agency staff to educate them about intrusion methods like social engineering, and warned against stand-alone assessments provided by security contractors. Recommendations also included the development of proper security response protocols after it was revealed that staff in seven of the 15 agencies wouldn't know how to respond to a cyber threat.
The failing agencies acknowledged their security shortcomings and pledged to better manage their security in future by adhering to the audit recommendations.