When Australia’s Prime Minister Scott Morrison fronted a hastily convened media pack on a cold midwinter Canberra morning on the 19th June, it became clear in seconds that Australia’s national cyber security alert level had just shifted up a gear.
Flanked by Defence Minister Senator Linda Reynolds, Morrison revealed that the Australian Cyber Security Centre was in the process of battening down the nation’s IT security hatches, not just for the federal government but states, councils, industry and academia.
It was a message that sent an immediate chill down the spine of decision makers charged with signing-off on organisational cyber security settings. What had sometimes been relegated to a compliance issue just became discomfortingly real, especially around threat mitigation.
The message from the very top was clear. Late passes and extensions just won’t cut it anymore. Get secured – or get rumbled.
Cyber uplift just got real
Leading cyber security solution providers acknowledge there is work to be done across both the technology industry and government to rise to the elevated security challenge.
Thomas Fikentscher, regional director ANZ for cyber security leader CyberArk, believes renewed commitments by both the federal government and states like New South Wales, which has earmarked $240 million over four years to boost cyber security capability, are timely and valuable.
“Providers and government must work together to defeat threats,” Fikentscher says. “Education and understanding are key, so we’re keen to help demystify cyber and make key concepts accessible across government. We’re putting real resources into that.”
Australia’s “go-to” cybersecurity benchmark for government organisations and critical infrastructure remains the Australian Signals Directorate’s ‘Essential Eight’, developed specifically to harden systems against malicious intrusion and compromise.
While it is roundly accepted that the Essential Eight are a necessary and effective security framework, actually achieving compliance is a lot harder than it sounds, almost certainly one of the reasons why the executive arm of government has gone on the front foot to raise awareness.
Nobody realistically expects agencies to publicly disclose their vulnerabilities or weak spots, but, at a broad level, evidence highlighting the urgent need for improvement is clear and compelling.
Behind the Essential Eight ball
In May 2020, the Australian National Audit Office released a report that probed 18 agencies – including Defence, Services Australia, Home Affairs and Tax – as to how their human resources and financials software rated against the Essential Eight maturity index.
The stand-out in the ANAO’s assessment of maturity of agency mitigation strategies was the need to “restrict administrative privileges” – or limiting the number of users and accounts with scaled-up access, like systems administrators or other users with high levels of technical authority.
Out of the 18 agencies assessed by the ANAO, eight were found to be non-compliant with the requirement to restrict privileged access, a figure that urgently needs to change.
Why privileged access management matters more than ever
As the Australian Cyber Security Centre (ACSC) prudently observes in its outline of the Essential Eight, privileged accounts – especially for administrators of networks, applications, cloud accounts and data holdings – remain a bullseye target for malicious actors. Why? Because attacks seek to abuse privileged access in order to get to what they really want. To meet this challenge, usage of privileged access management (PAM) allows attacks that compromise privileged credentials to be contained.
By proactively managing and rotating high-value ‘privileged’ credentials and limiting user access to only the information and tools needed to perform their immediate role, an attacker’s route to critical data and assets can be contained, reducing their ability to exfiltrate information or disrupt operations.
“Admin accounts are the ‘keys to the kingdom’. Adversaries use these accounts to gain full access to information and systems,” the ACSC cautions.
That risk is increasing as malicious actors – both nation state and criminal – look to sophisticated and highly personalised attacks like phishing to trick well-meaning staff into exposing their access credentials.
These collaborative times
Limiting privileged access has become critically important in the contexts of the worldwide push to work from home, coupled with the need for once-discrete organisations to collaborate for a common good.
The National Cabinet and its sub-groups around transport, logistics and social services are just a few examples of how once-disparate organisations have urgently come together.
In times of crisis, authorised access to some and the unimpeded flow of secure data need to run smoothly between banks, supermarkets, hospitals, transport providers and governments – aside from the Commonwealth, Australia has eight state and territory regimes, not to mention hundreds of councils.
So far governments have pulled together to create a highly effective response to control COVID-19, but what’s less discussed is that the sheer size of the attack surface now available to malicious actors has increased exponentially, making intrusion attempts a matter of when rather than if.
This in many ways doubles the need and utility of PAM solutions, especially when they can accelerate authorised access as well as tightly controlling it, eliminating the need for fudges like poor passcode management.
Used judiciously, a good PAM solution can turn information security into a productivity-boosting operational strength as opposed to a constantly shifting compliance cost centre.
“As public sector organisations go cloud first and embrace persistent development through approaches like DevOps, privileged access management becomes paramount,” Fikentscher says.
“There’s no magic bullet, but explaining how and why rock-solid solutions work is part of the journey. CyberArk is up for that conversation, no matter how big the department or small the council.”