Once again, Australian government agencies fail cyber security audit

Only one agency out of 18 meets mandated information security guidelines. Perhaps a domestic secure-cloud provider could help overcome ransomware risks.


Australian government agencies have turned in yet another poor showing in the latest audit of their information-security controls, but newly implemented cloud technology could help protect them against their ineptitude by locking data against compromise.

The continuing weak security posture of major agencies was identified in a newly released Australian National Auditor’s Office (ANAO) review of financial controls—the latest in a series of performance audits that stretches back to 2013.

The Protective Security Policy Framework (PSPF) requires Australian agencies to improve security by implementing core elements of the Australian Signals Directorate (ASD) Essential Eight guidelines—application whitelisting, patching applications, restricting administrative privileges, and patching operating systems—as well as other controls relevant to managing their cyber risk.

The Cyber Uplift security program has been largely unsuccessful

In the last year, some 25 government agencies were targeted for fast-tracked security improvements in the Cyber Uplift program, a sprint program managed by the Australian Cyber Security Centre (ACSC) that was intended to help them quickly remediate potential cybersecurity risks.

Yet the review—which surveyed 18 government entities to evaluate their ability to identify cyber risks and their potential impact on financial reporting—found that all agencies but one were “significantly below” security requirements set out by the PSPF’s InfoSec-10 Policy. “There was no evidence that the regulatory framework had driven sufficient improvement in entities mitigating their cyber security risks since 2013,” ANAO concluded.

Ten of the examined agencies complied with requirements around restricting administrative privileges, four were using application whitelisting for security protections, and three were on top of patching operating systems and applications.

Just two agencies complied with guidance around multi-factor authentication, while just one agency had successfully implemented application hardening and one had successfully implemented controls over the use of macros in productivity suites.

Although all entities regularly back up “financially significant data”, their lack of compliance with PSPF guidance around backups—only six entities were conducting daily backups in line with requirements—suggests many remain exposed to cyber attacks such as ransomware, defence against which has been tied to having a strong backup framework and effective data recovery mechanisms.

Many of the examined entities cited complexities in existing systems as the reason they had failed to implement so many controls, with many progressing application consolidation plans for “lowering their attack surface and minimising risk.”

Those plans were generally due for completion by July 2020, although it wasn’t clear how the disruption of the COVID-19 pandemic would affect this timeframe. The ANAO did weigh in on the COVID-19 situation, warning that the disruption it has created “increases the importance of strong IT security and business continuity controls”.

A ransomware solution in the Australian cloud?

This poor security situation could bode well for AUCloud, a government-focused sovereign cloud provider that has become an early adopter of ransomware-protection technology built around Veeam and Cloudian’s joint implementation of Amazon Web Services (AWS) S3 Object Lock technology. Object Lock—which is described as a ‘write once read many’ (WORM) capability for cloud data—prevents changes to data in Amazon S3 cloud storage buckets.

Because ransomware relies on encrypting existing files, the technology promises a way of making agencies’ backups impervious to modification.

Because AUCloud is certified to manage sensitive data up to the government’s Protected level, availability of an ‘immutable backup’ service could be a shot in the arm for efforts to improve overall information-security posture. PSPF InfoSec-10 guidelines specify that agencies should make “daily backups of important new or changed data, software and configuration settings, stored disconnected, retained for at least three months.” Agencies should also test recovery regularly, to ensure that data can be quickly restored as needed in the event of a cyber attack.
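An added example, not from the original article or from any vendor named in it: a check of a backup inventory against the quoted guidance (daily backups, retained for at least three months) and against Object Lock retention. The records use the field names S3 HeadObject returns; the keys, dates, the 90-day reading of "three months" and the decision to flag GOVERNANCE mode are assumptions made for illustration.

```python
from datetime import date, datetime, timedelta, timezone

RETENTION = timedelta(days=90)  # assumption: "three months" read as 90 days
NO_LOCK = "no Object Lock retention set"
GOVERNANCE = "GOVERNANCE mode: privileged users can lift the lock"
SHORT = "locked for less than three months"
MISSING = "no backup taken on this day"

def audit_backups(objects, start, end):
    """Check backup objects against the daily / three-month guidance.

    objects: dicts using the field names S3 HeadObject returns.
    start, end: first and last calendar day (inclusive) to check for gaps.
    Returns a list of (key_or_day, finding) tuples.
    """
    findings, days_seen = [], set()
    for obj in objects:
        created = obj["LastModified"]
        days_seen.add(created.date())
        mode = obj.get("ObjectLockMode")
        until = obj.get("ObjectLockRetainUntilDate")
        if mode is None or until is None:
            findings.append((obj["Key"], NO_LOCK))
            continue
        if mode != "COMPLIANCE":
            findings.append((obj["Key"], GOVERNANCE))
        if until - created < RETENTION:
            findings.append((obj["Key"], SHORT))
    day = start
    while day <= end:  # every calendar day in the window needs a backup
        if day not in days_seen:
            findings.append((day.isoformat(), MISSING))
        day += timedelta(days=1)
    return findings

def _at(day, lock=None, keep_days=0):
    """Build one constructed inventory record for 02:00 UTC on June `day`."""
    ts = datetime(2020, 6, day, 2, 0, tzinfo=timezone.utc)
    rec = {"Key": f"daily/2020-06-{day:02d}.bak", "LastModified": ts}
    if lock:
        rec.update(ObjectLockMode=lock,
                   ObjectLockRetainUntilDate=ts + timedelta(days=keep_days))
    return rec

# Constructed sample: one compliant backup, one weak lock, one gap, one unlocked.
SAMPLE = [_at(1, "COMPLIANCE", 92), _at(2, "GOVERNANCE", 30), _at(4)]

if __name__ == "__main__":
    for item, finding in audit_backups(SAMPLE, date(2020, 6, 1), date(2020, 6, 4)):
        print(f"{item}: {finding}")
```

The check covers cadence and immutability only; the "stored disconnected" and recovery-testing parts of the guidance need separate verification.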

Ransomware remains a major threat for Australian government agencies, with Verizon’s Data Breach Investigations Report (DBIR) 2020 noting that more than 60 per cent of analysed data breaches involved ransomware.

Copyright © 2020 IDG Communications, Inc.
