Cybersecurity consultants hired by the Queensland Audit Office were able to break into computer systems to access confidential and sensitive information held by each of three state government agencies that were recently selected for scrutiny.
The recent audit found a range of cybersecurity vulnerabilities in terms of inadequate governance, failure to implement basic security controls and some very simple mistakes like “poor password practices” in each of the three unnamed agencies. Auditor-General Brendan Worrall wants all of the state’s public servants to sit up and take notice.
He has delivered a detailed set of 17 recommendations and wants all Queensland government agencies to take a look, starting with the first three before deciding how the other 14 items apply to them.
First up is an effective information security governance framework; one of the audited agencies does not have one in place. Next is an effective system of classifying information assets according to security risk; all three had plans to do this but none have been effectively implemented yet. Third, the auditor-general says agencies must actively identify and assess the risks to those assets; results in the audit were mixed in this regard as well.
“None of the three entities could demonstrate an understanding of the extent to which its information assets were exposed to cybersecurity risks,” Worrall reports.
“All three entities need to conduct a comprehensive assessment of their information assets to determine which assets are at risk and require further controls to protect. Without this, it is difficult to know whether an entity has implemented the right level of controls to protect its assets.”
One agency had “a higher level of maturity in cyber risk management across its governance and technical mitigating strategies than the others” but the auditor-general reports his hired hackers were still able to compromise its systems. They were able to access “sensitive or non-public data” in all three bodies.
One major issue was a failure to keep track of devices and IT assets properly.
“Their processes for managing employee separations (for example, resignations, retirements, and dismissals) were not robust enough to ensure the entities knew all employees returned their ICT assets,” according to the report. “For two of the entities, we found almost 750 ICT assets (according to their records) were assigned to employees who no longer work for them. Either the entities’ asset records are out of date, or there is a risk that these assets could be used to access the entities’ sensitive information.”
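One control that directly addresses the stale-asset finding quoted above is a periodic reconciliation of the ICT asset register against the HR separations list, flagging assets still assigned to departed staff and assets whose recorded owner does not exist at all (a sign the register itself is out of date). The example below is added here and is not code from the QAO report or the audited entities; the CSV columns and the sample records are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the audit report): a hypothetical asset
# register and HR roster, the two record sets the audit compared.
ASSET_REGISTER_CSV = """asset_tag,asset_type,assigned_to
LT-0001,laptop,E100
LT-0002,laptop,E101
PH-0003,phone,E102
TK-0004,token,E999
LT-0005,laptop,E100
"""

HR_ROSTER_CSV = """employee_id,status,separation_date
E100,active,
E101,separated,2023-11-30
E102,separated,2024-02-15
"""


def load_roster(text, today):
    """Return {employee_id: still_employed} as at `today`."""
    current = {}
    for row in csv.DictReader(io.StringIO(text)):
        sep = row["separation_date"].strip()
        # A separated employee counts as gone once the separation date has passed
        # (or immediately if HR recorded no date at all).
        gone = row["status"] == "separated" and (not sep or date.fromisoformat(sep) <= today)
        current[row["employee_id"]] = not gone
    return current


def reconcile(asset_csv, roster_csv, today):
    """Flag assets assigned to departed or unknown employees.

    Returns (stale, unknown): asset tags held by separated staff, and asset tags
    whose recorded owner has no HR record (register out of date).
    """
    current = load_roster(roster_csv, today)
    stale, unknown = [], []
    for row in csv.DictReader(io.StringIO(asset_csv)):
        owner = row["assigned_to"].strip()
        if owner not in current:
            unknown.append(row["asset_tag"])   # nobody in HR matches: record is stale
        elif not current[owner]:
            stale.append(row["asset_tag"])     # owner has left; asset not returned or reassigned
    return stale, unknown


if __name__ == "__main__":
    stale, unknown = reconcile(ASSET_REGISTER_CSV, HR_ROSTER_CSV, date(2024, 6, 30))
    print("assets held by separated staff:", stale)
    print("assets with no matching employee:", unknown)
```

Either list being non-empty is an exception to chase with HR and the asset custodian; a recurring non-empty list is the governance gap the report describes rather than a one-off oversight.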
In multiple state jurisdictions and at Commonwealth level, government agencies are routinely found making basic mistakes and failing to take some of the simplest precautions to defend against relatively common threats. The vulnerabilities reported in the latest QAO report have a familiar ring, and Worrall says they must be addressed, although he notes in the report that doing this is “a balancing act between risk appetite and cost”.
The QAO says it recognises agencies “will never be fully effective in mitigating all risks in an ever-evolving threat landscape” and there are limits to how much they can invest in cyber controls.
“None of the three entities has effectively implemented the Top 4 mitigation strategies for cybersecurity risks,” the QAO found. “This demonstrates that some other entities may also find it challenging to implement this better practice guidance.”
The Australian Signals Directorate’s Top 4 mitigation strategies are mandatory in the Australian Public Service, though the Australian National Audit Office has consistently found full compliance is rare there as well.
“As entities use more cloud-based services that provide remote access into their systems, they need to be vigilant in assessing how vulnerabilities in their service providers could expose them to cyber risks,” warns the QAO report, which also details nine basic weak points found by the penetration testers.
“They also need to make sure their users are aware of their responsibilities in managing cyber risks. In particular, we found poor password practices unnecessarily exposed the three entities to attack. Third-party providers and internal staff could be the weak links in an entity’s line of defence.”