Lessons learnt from the 2012 cyber security audit of Western Australian State Government Agencies
Slides from the ECU Security Research Institute seminar Tuesday 16 October 2012, presented by Dr Andrew Woodward.

This year saw the Security Research Centre at ECU complete a second round of cyber security testing for the State Office of the Auditor General.

The previous audit highlighted numerous deficiencies and a lack of basic network defences across all agencies. Whilst the results this year revealed that the situation has improved somewhat, there are still issues.

This talk will discuss the methodology used by the team at Edith Cowan University, generic vulnerabilities and findings, and will speculate on the role of the Common Usage Agreement and Office of the Chief Information Officer.

Speaker Profile
Dr Andrew Woodward has over 15 years experience in the IT industry and consults to industry and government on network security and digital forensics issues. His main consultancy focus is securing networks and critical infrastructure through vulnerability assessment and penetration testing. Andrew is also involved in research in network security, cyber forensics research with a focus on computer and network forensics, and data recovery.

The ECU Security Research Institute (ECUSRI) is a research unit within Edith Cowan University.

Transcript

  • 1. Edith Cowan University, Security Research Institute
    Lessons learnt from the OAG audits of State Government Agencies
    Andrew Woodward, Security Research Institute
    Copyright 2012 - Security Research Institute, Edith Cowan University
  • 2. Agenda
    • Results of current and previous audits
    • What we did and how we did it
    • Impact of audits on cyber security
    • Lessons learned
    • A few facts about the threat landscape
    • What role the CUA?
    • Do we need a State CIO?
    • Conclusion
  • 3. OAG cyber audit – key questions
    • Has the agency conducted risk assessments for cyber threats?
    • Is there a security policy and/or framework that considers cyber threats?
    • Are controls in place to effectively detect and manage cyber intrusions?
    • Are incident response plans and recovery processes in place?
  • 4. What we did
    • Technical controls audit
      – Used open source tools to scan websites to identify ports, services and vulnerabilities
      – Used other information gathering tools to identify other servers and information assets
      – Penetrated selected systems
    • Human factor audit
      – Sent spear-phishing emails to target organisation(s)
      – USB drops with benign "phone home" code
  • 5. Summary of 2011 audit – results
    • Fourteen of the 15 agencies we tested failed to detect, prevent or respond to our hostile scans of their Internet sites.
    • We accessed the internal networks of three agencies without detection, using vulnerabilities identified from our scans. We did not test the identified vulnerabilities at the other 12 agencies.
    • Eight agencies plugged in and activated the USBs we left lying around.
  • 6. Summary of 2011 audit – results
    • Twelve of the 15 agencies had not recognised and addressed cyber threats from the Internet or social engineering techniques in their security policies.
    • Nine agencies had not carried out risk assessments to determine their potential exposure to external or internal attacks.
    • Seven agencies did not have incident response plans or procedures for managing cyber threats from the Internet and social engineering.
  • 7. Summary of 2012 audit
    • In one agency we identified a vulnerability in their online payment system that would allow fraud to be committed
    • In another agency we uploaded non-malicious files to their web server
    • We identified three significant cross-site scripting (XSS) vulnerabilities on three of the agencies' web servers. The web content management systems for each of these agencies were also identified
  • 8. Summary of 2012 audit
    • Two agencies were potentially vulnerable to SQL injection (not tested)
    • At one agency we obtained personal and sensitive information of 17 employees from scans of web servers
    • One agency had not applied any software updates to its web server for more than two and a half years. As a result, this particular server had hundreds of vulnerabilities; some of these could provide system level access to servers, while others allowed the interception of information
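The SQL injection and cross-site scripting weaknesses on slides 7 and 8 are only named there. The following is an added example, written for this page and not code from the ECU team or from any audited agency, that puts each vulnerable pattern beside its hardened form in Python. The staff table, its rows, the search terms and the function names are all constructed for illustration.

```python
"""Added example: SQL injection and reflected XSS, vulnerable pattern beside
hardened form. Schema, rows and inputs are constructed; nothing here is from
the OAG audit or any agency's code."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for an agency's public staff directory.
    The public = 0 row is the one a correctly scoped query must never return."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (name TEXT, email TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO staff VALUES (?, ?, ?)",
        [
            ("Alice Example", "alice@agency.example", 1),
            ("Bob Example", "bob@agency.example", 1),
            ("Carol Internal", "carol@agency.example", 0),
        ],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Vulnerable pattern: the search term is formatted straight into the SQL text,
    so a crafted term can rewrite the WHERE clause and discard the public = 1 filter."""
    sql = f"SELECT name, email FROM staff WHERE public = 1 AND name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Hardened form: the term is bound as a parameter, so SQLite treats it as data.
    LIKE wildcards inside the bound value are still live; that is a question of how
    much one query may list, not of the query being rewritten."""
    sql = "SELECT name, email FROM staff WHERE public = 1 AND name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def render_vulnerable(term: str) -> str:
    """Vulnerable pattern: reflects the term into the page body unescaped."""
    return f"<p>Results for: {term}</p>"


def render_safe(term: str) -> str:
    """Hardened form: escape HTML metacharacters (quotes included) before reflection.
    This covers element text; attribute and JavaScript contexts need their own encoders."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


# Constructed probe inputs.
INJECTION = "x%' OR 1=1 --"  # closes the LIKE literal, ORs in a tautology, comments out the tail
XSS_PROBE = "<script>alert(1)</script>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, INJECTION))  # all three rows, Carol included
    print("safe:      ", search_safe(db, INJECTION))        # []
    print(render_vulnerable(XSS_PROBE))
    print(render_safe(XSS_PROBE))
```

The vulnerable query returns every row, including the one marked non-public, because the injected `OR 1=1` sits outside the `AND` and the trailing `--` silences the dangling quote. The parameterised query returns nothing for the same input, since the whole string is just an unusual name pattern.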
  • 9. Summary of 2012 audit
    • Three other agencies also failed to apply software updates, leaving them vulnerable to some exploits.
    • USB sticks were left at agencies (again) and were activated by several agencies. However, these were blocked by ServiceNet.
    • ServiceNet reported traffic from within government networks attempting to establish external connections, which were automatically denied.
    • Some USBs did phone home successfully from private addresses (again)...
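The ServiceNet finding on slide 9, outbound connection attempts from inside government networks that the gateway denied, is operationally a detection question: which internal hosts tried, how often, and which attempts look scheduled rather than accidental. The following is an added example, not ServiceNet's or the ECU team's code, that runs that logic over constructed gateway log lines. The key=value log layout, the addresses, the internal network list and the beacon thresholds are all assumptions made for the example.

```python
"""Added example: detection of denied outbound 'phone home' attempts in gateway
logs. Log format, hosts and addresses are constructed; not ServiceNet's format."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines. 10.20.4.17 retries the same external host every five minutes
# and is denied each time: the pattern a phone-home payload leaves behind an egress filter.
# The last line is deliberately malformed to show the parser skipping junk.
SAMPLE_LOG = """\
2012-10-02T09:14:01 action=DENY proto=TCP src=10.20.4.17 dst=203.0.113.9 dport=443
2012-10-02T09:14:05 action=ALLOW proto=TCP src=10.20.4.17 dst=198.51.100.20 dport=80
2012-10-02T09:19:02 action=DENY proto=TCP src=10.20.4.17 dst=203.0.113.9 dport=443
2012-10-02T09:24:03 action=DENY proto=TCP src=10.20.4.17 dst=203.0.113.9 dport=443
2012-10-02T09:29:01 action=DENY proto=TCP src=10.20.4.17 dst=203.0.113.9 dport=443
2012-10-02T09:31:44 action=DENY proto=TCP src=10.20.7.3 dst=203.0.113.9 dport=443
2012-10-02T09:40:10 action=DENY proto=UDP src=192.168.50.8 dst=198.51.100.53 dport=53
2012-10-02T09:41:10 action=DENY proto=TCP src=198.51.100.77 dst=10.20.4.17 dport=22
this line is not a firewall event and must be skipped
"""

# Assumed internal ranges. An explicit list is used rather than ip_address().is_private,
# which also treats the RFC 5737 documentation nets used in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list:
    """Parse the constructed format into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def denied_outbound(events: list) -> list:
    """Keep only internal -> external denies; inbound scans belong in a different report."""
    return [e for e in events
            if e["action"] == "DENY" and is_internal(e["src"]) and not is_internal(e["dst"])]


def denied_outbound_counts(events: list) -> dict:
    """Per-host count of denied outbound attempts: the list to hand back to each agency."""
    counts = defaultdict(int)
    for e in denied_outbound(events):
        counts[e["src"]] += 1
    return dict(counts)


def find_beacons(events: list, min_attempts: int = 3, max_jitter_s: float = 60.0) -> list:
    """Flag (src, dst, dport) tuples retried at a near-constant interval. One denied
    connection may be a typo or a stale bookmark; a steady retry cadence is a scheduler."""
    groups = defaultdict(list)
    for e in denied_outbound(events):
        groups[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    findings = []
    for (src, dst, dport), stamps in groups.items():
        if len(stamps) < min_attempts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) > max_jitter_s:
            continue
        findings.append({"src": src, "dst": dst, "dport": dport,
                         "attempts": len(stamps), "period_s": sum(gaps) / len(gaps)})
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(denied_outbound_counts(evts))  # {'10.20.4.17': 4, '10.20.7.3': 1, '192.168.50.8': 1}
    for finding in find_beacons(evts):
        print(finding)
```

Two thresholds do the work: a minimum number of attempts, and a bound on how much the interval between attempts may vary. Both are assumptions to tune against real traffic. The per-host count is still worth reporting on its own, since the audit's point was that the denied attempts existed at all, not only that some were periodic.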
  • 10. Summary of 2012 audit
    • Spear phishing emails were sent to one agency, and within minutes of sending out the email we received an autoreply confirming that the email had passed through protective filtering services and was reaching email in-boxes.
    • The email was only sent to one agency; however, many employees from different agencies clicked on the link within one day.
  • 11. Impact of audits
    • IPS capability has now been implemented by ServiceNet, providing protection for a number of agencies and blocking nuisance traffic
    • Awareness of social engineering has been raised
    • The new ISMS-specific CUA references the cyber audit and lists vendors who can assist with relevant issues: "Recent Auditor General reports (June 2011) concluded generally that agencies had failed to take a risk-based approach to identifying and managing cyber threats, and to meet or implement good practice guidance and standards for computer security."
  • 12. The most feared object in WA?
    Buyers Guide – Information Security Management Services: CS14998
  • 13. Lessons learned
    • Patching, patching, patching!
    • Governance
      – Lack of, or flaw in, a technical control can often be traced back to governance issues
    • Information security management -> risk management
      – Where are the information assets?
      – Who owns them?
      – Have cyber specific threats been identified?
  • 14. Lessons learned (cont)
    • Policy
      – lack of (cyber incident policy)
      – lacking: who to report to and when
      – lack of review phase
    • Over reliance / focus on technical controls
      – DSD list (top 4 are technical)
      – CUA (testing services category technically focused)
    • People continue to be the softest target
      – User education No. 8 on the DSD list...
  • 15. Tech is not the answer you seek
    "The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious." Tom Baker as Doctor Who in The Pirate Planet (1978)
  • 16. Threat landscape
    Source: http://www.mandiant.com/threat-landscape/
  • 17. Source: http://www.mandiant.com/threat-landscape/
  • 18. New challenges
    • BYOD and cloud bring new challenges to ISM in general, and in state government agencies
      – Multinational banned BYOD, then found they had 7000 in the organisation...
    • An increasing shift towards targeting the human factor, not the tech factor
      – Being reported increasingly in cyber security briefs
  • 19. The weakest link...
  • 20. Suggestions
    • Increase security education, training and awareness programs (SETA)
    • Follow the ISO 27000 cyclical approach to ISM: Plan, Do, Check, Act
    • Implement risk management as a subsidiary of information security management
      – Identification and ranking of information assets; identify owner of information assets
    • Metrics and measures!!! While it works, security is seen as a cost, not a benefit...
  • 21. Common Use Agreement
    • Pros
      – Limits who can provide services (idiot filter)
      – Provides consistency to agencies seeking services
      – The Information Security Management section contains a link to the cyber health check spreadsheet – very clever!
    • Cons
      – "Testing Services" category focuses on tech too much: not as holistic as it could be?
      – Evidence found in audits would suggest that the previous CUA wasn't working; will this one be any better?
  • 22. State Office of the CIO
    • Audit has played a role in improving Info Sec across WA agencies
    • It is a useful tool to "prompt" agencies to improve their security
    • What if they don't know how?
    • Smaller agencies do not have the resources that larger agencies / corporations possess
    • They are held up to a standard which doesn't exist (fair criticism)
  • 23. State Office of the CIO
    • Finance currently leading the cyber charge, and the CUA providing a health check is good, but is this the aim of this function?
    • Would a central agency which creates a standard and provides advice to agencies on ISM improve security?
  • 24. Conclusion
    • Overall, cyber security is good - always room for improvement
    • Most organisations overly reliant on technical controls – need more focus on people and policy
    • There appears to be a disconnect between what the government is saying and what agencies are hearing - a State cyber security standard or Office of the CIO may be helpful
    • Blue USB thumb drives are to be feared
  • 25. The end?
    • Questions or comments?
    • Contact the Security Research Institute for further information: e: sri@ecu.edu.au p: 08 6304 5176