Managing cyber security risks

This audit examined whether entities effectively manage their cyber security risks.

We addressed this by assessing whether entities:

• understand and assess the extent to which their information assets and organisational processes are exposed to cyber security risks
• design and implement effective information controls to mitigate identified cyber security risks.

We selected three entities for this audit. We do not want to compromise the security of these three entities by publicly identifying their security vulnerabilities, so we have not named them in this report. We acknowledge the three entities have different levels of resourcing and capability for managing cyber security risks.

We use the term ‘entities’ in this report to refer broadly to all Queensland public sector entities (departments and statutory bodies) and local governments.

Audit approach

Our audit included detailed technical testing by specialist security consultants including:

• a ‘red team’ assessment for each of the three entities. A red team engagement tries to find the quickest method to access an entity’s security mechanisms and compromise its sensitive applications and data. In doing so, it considers the target and resources available, and may attempt social engineering, physical entry, and data exploitation
• an ‘open source threat intelligence assessment’ to determine whether any sensitive information about the three entities could be obtained from publicly available sources
• testing whether the entities have implemented four of the 'Essential Eight' mitigation strategies published by the Australian Cyber Security Centre (ACSC) to help organisations protect their systems against cyber threats.

Scope exclusions

We did not, as part of this audit, examine the effectiveness of activities conducted by the Queensland Government Chief Information Office (QGCIO). Only one of the three entities in this audit uses the services of the QGCIO.

Further details about the scope and approach are in Appendix B.

Technical language

Cyber security is a complex, technical field, and the language about it reflects this. It is necessary to use some of this language to be precise, but we have explained and simplified it in this report and provided definitions when necessary. When a term is very complex, we have included more detail in the glossary.

Reference to comments

In accordance with s. 64 of the Auditor-General Act 2009, we provided a copy of this report to relevant entities. In reaching our conclusions, we considered their views and represented them to the extent we deemed relevant and warranted.

Protecting important information assets with secure systems is critical to Queensland’s economic and security interests. The Global Risks Reports produced by the World Economic Forum in 2018 and 2019 found that ‘data fraud or threat’ and ‘cyber attacks’ are in the top five most likely global risks in terms of likelihood (along with environmental risks).

A Microsoft-commissioned study by Frost and Sullivan (a research and consulting firm) estimated the potential direct economic loss of cyber security incidents on Australian business as $29 billion per year. When factoring in other indirect costs—such as damage to business reputation and loss of customer base—the actual loss is even higher.

Media reports show an alarming trend of growing cyber security attacks and corporate espionage by foreign state-sponsored hackers and criminals targeting Australian Government entities. These are organised, targeted, deceptive cyber attacks intended to compromise Australia’s economic interest, and national security.

The 2017–18 Cyber Security Survey, conducted by BDO Australia and AusCERT, stated that organisations seeking to enhance their cyber security capabilities will need to get a better understanding of the cyber threats related to them and their industry. The survey report identified the following threat actors (those conducting malicious activities against entities):

• hacktivists—who target computer networks to advance their political or social causes
• criminals—including individuals and sophisticated criminal groups who steal personal information and extort victims for financial gain
• insiders—who typically steal their organisations’ information for personal, financial, or ideological reasons
• nation-states—who target systems to steal sensitive state secrets for economic and political advantage.

Better practice frameworks

We used two better practice frameworks to assess the three in-scope entities for this audit—the Queensland Government's Information security policy (IS18:2018) (the information security policy) and the Australian Cyber Security Centre's (ACSC) ‘Essential Eight’ mitigation strategies to help organisations protect their systems against cyber threats.

We acknowledge that it is not mandatory for all entities to apply these frameworks, but these frameworks provide good guidance to all entities on how to effectively manage cyber security risks.    

Information security policy (IS18:2018)

The information security policy is aligned with other better practice frameworks for managing cyber security risks—the International Standard for Information Security Management Systems (ISO 27001), the ACSC’s Essential Eight strategies, and other supporting frameworks developed by the Queensland Government Chief Information Office.

The information security policy helps entities apply a consistent, risk-based approach to information security in order to safeguard the confidentiality, integrity, and availability of the data and information they maintain.

The policy applies to core Queensland Government departments (as defined by the Public Service Act 2008). The Queensland Government Chief Information Office states it has no mandate to require local government bodies to comply with the information security policy. But it strongly encourages entities (including Queensland government owned corporations, universities, and local governments) to do so, to demonstrate better practice.

Appendix C shows the policy requirements of the information security policy.

Mitigation strategies for cyber security risks

The ACSC published the ‘Essential Eight’ mitigation strategies in 2017 to help organisations protect their systems against cyber threats. On 1 October 2018, in policy requirement three of the information security policy, the Queensland Government Chief Information Office made the Essential Eight mitigation strategies a minimum security requirement. For this audit, we focused on what the ACSC calls the ‘Top 4’ strategies, because it has stated that, if organisations effectively implemented these, they would mitigate at least 85 per cent of cyber intrusions.

The Top 4 mitigation strategies include:

• application whitelisting—controls to block all non-approved or malicious applications from being executed in an information and communication technology (ICT) environment
• patching applications—controls to address known vulnerabilities in the security of applications that can be exploited by threat actors executing malicious code
• restricting administrative privileges—controls to minimise the risk of threat actors exploiting privileged system access (which is held by users who can access sensitive data and create and configure within the system)  
• patching operating systems—controls to address known vulnerabilities in the security of operating systems that can be exploited by threat actors executing malicious code.

Identifying and assessing cyber security risks

Frameworks for managing cyber risks

Two of the three entities we audited had established governance arrangements for managing cyber security. Their actions demonstrated management's commitment to an effective information security culture in their business. The third entity was starting to place more emphasis on managing cyber security risks but had not yet established an effective framework for doing this.  

We found the following elements are essential for having an effective cyber security framework:

• defining a high-level approach for managing information security
• having an information security policy that defines an entity's objectives for managing information security
• incorporating information security within an entity's corporate governance
• implementing mandatory information security training for all staff
• establishing an information security management team
• requiring periodic reporting from the entity's chief information officer on the current security threat level, identified vulnerabilities, and progress on actions to mitigate cyber security risks
• disciplining users who commit breaches in information security  
• defining the entity’s appetite (the risk an organisation is willing to take in order to meet its objectives) for information security risk at the enterprise and operational level
• allocating specific responsibility for coordinating an entity's risk assessment process for cyber security across all organisational units.

Managing key information assets

The Queensland Government Information Security Office updated its Queensland Government Information Security Classification Framework (QGISCF) in 2018. The QGISCF recommends that entities classify their information assets according to business impact and implement appropriate controls according to the classification. (This is mandatory for core Queensland Government departments.)

None of the three entities had effectively implemented a process for applying a security classification to information assets, but all three had plans to address this.

They had not yet conducted a comprehensive assessment to ensure they had identified all their information assets that were at risk. Nor had they considered what controls they had or what was necessary to protect those assets.

We also found the three entities did not have a full record of the ICT assets they allocate to their employees. Their processes for managing employee separations (for example, resignations, retirements, and dismissals) were not robust enough to ensure the entities knew all employees returned their ICT assets.

For two of the entities, we found almost 750 ICT assets (according to their records) were assigned to employees who no longer work for them. Either the entities’ asset records are out of date, or there is a risk that these assets could be used to access the entities’ sensitive information.

Identifying and assessing cyber security risks

One of the three entities periodically assesses its exposure to cyber security risks at an enterprise level and for business-critical applications. One of the entities has started to do this, but the other did not have a risk assessment process to identify and assess cyber security risks.

While the third entity registered some general cyber security risks in its risk registers, it described them at a corporate level only. This means the entity's risk treatments may not be enough to address risks to specific information assets.

Mitigating cyber security risks

Application whitelisting

None of the three entities had a strategy for implementing application whitelisting, but one has started to implement it in its server and desktop environment. We observed two challenges entities have in implementing application whitelisting:

• One of the entities was concerned about making sure it provided its users with a collaborative working environment, while at the same time protecting sensitive information. Entities in this position should at least consider implementing application whitelisting on devices used to access sensitive information.
• Implementing application whitelisting is complex because of the multiple layers of technology to which it needs to be applied.
  • One of the entities implemented application whitelisting on its Windows 10 desktops and newer servers. It didn’t implement it on its servers using older technology (which accounted for 93 per cent of servers hosting applications) or its desktops on older versions of the Windows operating system (which accounted for 33 per cent of its desktop computers).
  • It also allowed Windows 10 users to run scripts (sequences of instructions interpreted within a program) based on their access privileges, which means privileged users could run scripts from an untrusted source. A potential attacker could exploit this weakness if they could compromise a privileged user account.

Patching operating systems and applications

One of the three entities demonstrated effective controls for patch management, including:

• having a strategy for patch management
• having effective processes for implementing patches
• effectively prioritising the implementation of patches assessed as extreme risk, and adequate processes for implementing patches assessed as below extreme risk
• replacing/updating legacy systems (older systems for which there is no longer any support from the supplier/vendor) to vendor-supported versions
• mitigating vulnerability risks through its risk and governance processes when patches are not available.

One of the other entities had developed patch management procedures, which now need to be implemented throughout its organisation, while the other entity's approach for patching systems was ad hoc and not defined in a documented process.

Restricting administrative privileges

We found all three entities had implemented effective controls to minimise the number of people with database administrative privileges. But only one of the three entities had implemented effective controls for managing privileged user access for the operating systems. It had processes for assigning, reviewing, and making privileged users re-apply for access after 12 months.

For the other two entities:

• One had designed and implemented a process for administering and managing privileged use access; however, some business units that operate their ICT environments independently did not apply a robust process for managing administrator privileges.
• One had not documented its process for administering and periodically reviewing privileged user access. We found evidence that a privileged user no longer required that access for their current role.

None of the three entities had fully implemented controls to ensure administration tasks could only be performed through a secure connection. This creates a risk that if an attacker gained access to their networks and compromised a privileged user account (administrator account), they wouldn’t need any further authentication beyond the initial compromised password.

Privileged user accounts should not be used for business-as-usual activities such as reading email and web browsing. This is to reduce the risk of a privileged account being used to download malicious software or being subject to a phishing attack. (‘Phishing’ refers to fraudulent scamming attempts to obtain sensitive information from users.) 

In terms of implementing controls to prevent privileged users from reading emails, opening attachments, browsing the web, or obtaining files from internet services like instant messaging and social media:

• One entity had implemented effective controls.
• One had not implemented controls to prevent users from downloading malicious content.
• One had implemented some controls around email, but still provided privileged users with unrestricted access to the internet (which includes webmail).

In terms of logging and monitoring privileged user accounts:

• One entity had implemented effective controls to log and monitor privileged user activity.
• One kept logs of privileged user account activities but did not monitor or receive alerts of privileged user account activities.
• One had implemented limited logs of user activities in general, but this was not targeted to privileged users. The entity did not monitor the logs or receive alerts on anomalies.

Managing security risks in the supply chain

All three entities need to improve their practices for managing security risks with their suppliers in their supply chain. For example:

• One entity did not define the information security-related roles and responsibilities within its general procurement process for managing information security risks in its supply chain.
• One entity did not regularly review and monitor third-party ICT supplier services to ensure they maintain appropriate security levels. It did not have a risk assessment process to determine the suitability of potential external service providers from an information security perspective.
• One entity used standard contract clauses in its contracts with third-party providers, which do not include specific provisions for information security with which the vendor must comply. There was no process for monitoring, reviewing, or auditing the vendor's compliance with information security requirements.

Cyber security awareness training

Two of the three in-scope entities provided cyber security awareness training to all staff, and one of these entities provided more targeted training to users who have access to sensitive data.

We found the third entity did not provide any cyber security awareness program. This entity is therefore more susceptible to the type of attacks that take advantage of people being a weak link in the chain of defence.

Security testing

For each of the three entities, we nominated a narrow set of targets for our security consultants to test, based on our understanding of the entities’ key information assets.

In all three instances, our security consultants were successful in compromising at least one target we set for each entity. We have advised each of the in-scope entities of the risks we identified (specific to each entity) through our testing. We acknowledge their efforts since our audit and their ongoing plans to mitigate the risk of cyber security attacks against their sensitive information. 

Our security consultants found the following issues can make it easier to compromise a target, and we provide these as learnings for all entities:

• physical security—challenging someone who tries to access an office facility without authorisation is important. It prevents an attacker from obtaining direct access to the entity's internal assets and increasing their ability to attack the entity's sensitive data
• password practices—easily guessable passwords make it simpler to compromise user accounts and use these accounts to gain control over an entities' networks. Common passwords such as ‘welcome’, ‘password’, and ‘newuser’ make it easier for an attacker to gain access to an entity’s systems
• known password breaches—if users use their corporate email address on online services and have the same password as they do on their corporate network, an attacker could use breached user accounts and passwords (which are publicly available on several sites) to access an entity’s network
• multi-factor authentication—should be used to prevent users from remotely logging into an entity’s internal network without requiring two-factor authentication (for example, a username and password, plus a code sent to a mobile phone). This should also be used to ensure staff and administrators can only access sensitive internal servers (from within their networks) with multi-factor authentication
• administrative accounts—when users with administrative privileges use the accounts for business-as-usual activities (such as accessing email), attackers find it easier to gain control of an entities' systems once they compromise administrator accounts
• network segmentation—a lack of network segmentation allows an attacker to move laterally within an entity’s networks once they access the internal networks
• outdated systems—entities using systems that are running outdated applications and operating systems that have not been supported by vendors in several years, have an increased risk exposure, because security vulnerabilities are likely to exist and unlikely to be fixed by vendors
• descriptive subdomains—may provide attackers with an insight into an entity’s ICT environment. This could indicate what online services an entity uses or identify non-production environments (for example, through a subdomain name like ‘development.entityname.qld.gov.au’) that may not be as strongly secured as production environments
• insecure encryption channels—when an entity uses online application hosts (a website that allows users to use a software application over the web, for example, a mapping service) without encryption, an attacker could use this to manipulate communication between users and online services.

The three entities we audited are not managing their cyber security risks as effectively as they could. One of the entities demonstrated a higher level of maturity in cyber risk management across its governance and technical mitigating strategies than the others. But this was not enough to prevent our security consultants from compromising its ICT environment. The fact that our consultants successfully compromised all three entities' ICT environments and could access their sensitive or non-public data demonstrates there were gaps in their mitigation strategies.

Two of the three entities had appropriate frameworks for managing cyber risks. While they had some elements of effective cyber security processes in place, our testing demonstrated vulnerabilities that need to be addressed. Addressing these vulnerabilities is a balancing act between risk appetite and cost.

None of the three entities could demonstrate an understanding of the extent to which its information assets were exposed to cyber security risks. All three entities need to conduct a comprehensive assessment of their information assets to determine which assets are at risk and require further controls to protect. Without this, it is difficult to know whether an entity has implemented the right level of controls to protect its assets. We recognise that entities must make decisions regarding the extent of controls they will invest in, and that they will never be fully effective in mitigating all risks in an ever-evolving threat landscape.

None of the three entities has effectively implemented the Top 4 mitigation strategies for cyber security risks. This demonstrates that some other entities may also find it challenging to implement this better practice guidance.

As entities use more cloud-based services that provide remote access into their systems, they need to be vigilant in assessing how vulnerabilities in their service providers could expose them to cyber risks.

They also need to make sure their users are aware of their responsibilities in managing cyber risks. In particular, we found poor password practices unnecessarily exposed the three entities to attack. Third-party providers and internal staff could be the weak links in an entity’s line of defence.

We provided each of the three in-scope entities with detailed recommendations relating to the issues we identified relevant to them.

For the benefit of all entities, we provide the following recommendations, drawn from the learnings of this audit.

We recognise that implementing effective controls for cyber security should be performed on a cost-benefit basis. Therefore, we recommend all entities firstly assess themselves against recommendations 1–3, which will help them ensure they have a framework for managing cyber security risks, know what information assets they have, and know to what extent those information assets are exposed to cyber security risks. Then, based on the results of these activities, entities should consider how relevant recommendations 4 to 17 are for their risk appetite and exposure.

All entities

We recommend that all entities self-assess against the findings of this report, and where relevant:

Cyber security framework

1. develop a framework for managing cyber security risks consistent with the Information security policy (IS18:2018) (Chapter 2)

They should also have information security standards to ensure the framework is consistently applied throughout the entity at an operational level.

Queensland Audit Office (QAO) insight statement 1 in Chapter 2 provides more guidance on this.

Information classification

2. develop and implement policies and procedures to identify and classify information assets, so they can effectively manage all their information assets that are at risk. This should include policies and procedures for:

• identifying and maintaining an inventory of information assets
• classifying information assets as per the 2018 Queensland Government Information Security Classification Framework (Chapter 2)

Identifying and assessing cyber security risks

3. develop and implement a methodology for identifying and assessing cyber security risks to their information assets. This should include:

• developing a risk assessment process for cyber security that integrates with their enterprise risk management framework
• developing risk appetite statements for cyber security
• identifying and assessing cyber security risks to their key information assets (Chapter 2)

QAO insight statement 3 in Chapter 2 provides more guidance on this.

Information asset management

4. review how they manage their ICT assets by:

• reviewing their list of ICT assets and checking if they are assigned to employees who no longer work there and, if necessary, recovering any ICT assets that have not been returned
• reviewing their employee separation process to ensure it includes updating the ICT asset register whenever an employee’s employment ends (Chapter 2)

QAO insight statement 2 in Chapter 2 provides more guidance on this.

5. assess the adequacy of their physical security to protect their ICT assets from unauthorised access (Chapter 4)

Cyber security risk mitigation strategies

6. design and implement an application whitelisting strategy (Chapter 3)

QAO insight statement 4 in Chapter 3 provides more guidance on this.

7. design and implement a patch management strategy to cover the patching of vulnerabilities in operating systems, applications, drivers, and hardware devices (Chapter 3)

QAO insight statement 5 in Chapter 3 provides more guidance on this.

8. ensure they effectively minimise and restrict administrative privileges (Chapter 3)

QAO insight statement 6 in Chapter 3 provides more guidance on this.

9. implement risk management practices for their use of third parties to deliver information technology services (Chapter 3)

QAO insight statement 7 in Chapter 3 provides more guidance on this.

10. undertake a risk assessment to determine the most effective password policy and implement it as a priority (Chapter 4)

Controls may include:

• blacklisting commonly breached passwords, dictionary words, and words about the context of the work environment (for example, entity name, services, and units)
• preventing the use of repetitive and sequential characters.

Better practice guidance that may help entities includes:

• National Institute of Standards and Technology (NIST) Special Publication 800-63B Digital Identity Guidelines
• Australian Cyber Security Centre Information Security Manual
• Queensland Government Enterprise Architecture Guideline: Reducing password frustration for Queensland public servants

11. implement multi-factor authentication as a minimum on external services that allow login with their domain accounts, and for sensitive internal systems (Chapter 4)

12. review all subdomains and consider whether they provide an indication of the entity’s underlying technology or services, and modify existing subdomains to obscure exposing information (Chapter 4)

13. implement encryption on online services that communicate via an unencrypted channel (Chapter 4)

14. segregate workstations located in publicly accessible areas from their corporate network (Chapter 4)

15. develop cyber security training and deliver it to all staff, with more targeted training to users who have access to sensitive data (Chapter 3)

QAO insight statement 8 in Chapter 3 provides more guidance on this.

16. ensure security and awareness training includes:

• discouraging the use of corporate email addresses on external services
• education on the risks of posting information on social media that provides information on an entities’ technology services
• education on phishing attacks
• education on the risk of physically ‘tailgating’ people into public sector buildings and offices (Chapter 4)

Monitoring and logging

17. introduce and configure end user device logging.

This should include configuring security logs and rules on end user devices (for example, computer desktops and laptops) for detecting malicious and anomalous behaviour and events. (Chapter 4)

This chapter provides the background to the audit and the context needed to understand the audit findings and conclusions.

Information asset security classifications

It is important that entities identify what information assets they own that may be a target of attackers (which may be personal information or information the entities create or obtain in running their operations). When entities do this, they can better target their risk mitigation strategies to their high-risk information assets.

In September 2018, the Queensland Government Chief Information Office published a new version of its information security classification framework. This resulted in changes to the business impact levels for confidentiality to align with the Australian Government approach for classifying information.

The framework explains that, to classify their information assets, entities need to:

• determine the business impact levels of the loss, compromise, and misuse of their information in terms of the impact on confidentiality, integrity, and availability
• analyse their information and information assets against the business impact levels they have created and assign confidentiality, integrity, and availability values
• determine and apply appropriate controls to safeguard the information and information assets in a consistent manner
• regularly assess whether the controls assigned for confidentiality, integrity, and availability values are adequate to keep the entity within its risk tolerance level (the risk it’s willing to take in order to meet its objectives).

The business impact levels (designed for state government departments) for confidentiality are:

• OFFICIAL—low or negligible confidentiality impact. This classification represents most Queensland Government information by volume but the lowest business impact per document if compromised or lost. All routine public sector business, operations, and services are treated as OFFICIAL.
• SENSITIVE—moderate confidentiality impact. This information requires additional care due to its sensitivity or moderate business impact if compromised or lost. Examples include personal information, legal professional privilege, and government or agency business whose compromise could affect (1) the government’s capacity to make decisions or operate, (2) the public’s confidence in government, or (3) the stability of the marketplace.
• PROTECTED—high confidentiality impact. This information requires the most careful safeguards due to its sensitivity or major business impact if compromised or lost. PROTECTED information assets require a substantial degree of control as compromise could cause serious damage to the state, the government, commercial entities, or members of the public.

When an entity has determined high confidentiality information to be at the PROTECTED level, it must consider the PROTECTED controls outlined in the current information security manual published by the Australian Cyber Security Centre (ACSC).

Mitigation strategies for cyber security risks

The ACSC has compiled a list of mitigating strategies entities can use to improve their ability to protect against cyber security risks. It has developed eight mitigation strategies it says should be implemented as a baseline where practicable.

The ‘Essential Eight' strategies are explained in Figure 1A.

For this audit, we focused on what the ACSC calls the ‘Top 4’ strategies, because it states that if organisations effectively implemented these, they would mitigate at least 85 per cent of cyber intrusions. The Top 4 strategies include application whitelisting, patching applications and operating systems, and restricting administrative privileges.

This chapter is about how effectively the three entities we audited identify and assess their exposure to cyber security risks.

Introduction

An entity needs to understand and assess its exposure to cyber security risks. It can then develop appropriate mitigation strategies to reduce the risk of its information assets being compromised through a cyber security incident.

To assess effectiveness, we examined whether the three in-scope entities for this audit:

• design adequate frameworks to identify and manage their cyber security risks
• clearly identify and manage their key information assets
• regularly perform risk assessments of their information security to effectively identify, manage, and understand their cyber security risks.

We have created a series of insight statements to summarise the effective practices we noted during the audit. Our intention is that other entities can use these statements to assess the adequacy of their practices.

Frameworks for managing cyber security risks

Two out of the three in-scope entities had established information security governance arrangements and frameworks for managing cyber security risks. Their actions demonstrate their management’s commitment to an effective information security culture in their business environment.

We found the third entity was starting to place more emphasis on managing cyber security risks. It had not, however, established an overarching information security policy and framework to set the objectives for its information security and its approach for managing these objectives.

The third entity had no specialist to manage information security on a day-to-day basis. It relied on members of its information technology group to be responsible for information security in addition to their operational responsibilities—but their roles in relation to information security were not defined. They were limited by their existing operational commitments, which often took priority over their information security responsibilities. This means the entity was prone to being reactive to security incidents rather than planning for mitigation.

QAO insight statement 1 shows important elements in an effective framework for managing cyber security risks.

Managing key information assets

Information asset classification

Identifying and assessing cyber security risks

Methodology for identifying cyber security risks

Only one of the three entities could demonstrate that it periodically assesses its exposure to cyber security risks at an enterprise level and for business-critical applications. It has adequate risk assessment processes in place to identify information security risks posed to business‑critical information.

This entity had established and documented an enterprise risk assessment process that covers all types of risks (including cyber security risks).

For the other two entities:

• One has cyber risk assessments performed in silos—or not at all in some areas—but to address this it has standardised its cyber security risk management processes across its many organisational units.
• One does not have a risk assessment process to identify and assess cyber security risks. While it has an enterprise risk management framework, the unit responsible for managing information security was not using the framework to develop a process for identifying and assessing cyber security risks.

While the entity without an assessment process registered some general cyber security risks in its risk registers, they were described at a corporate level, and not for specific information assets. This means the entity’s risk treatments may not be enough to address risks to specific information assets.

Risk appetite

Risk appetite is the amount and type of risk that an organisation is willing to take in order to meet its strategic objectives. The absence of a risk appetite statement could lead to inconsistent implementation of risk mitigation processes.

Two of the three entities had risk appetite statements for cyber security. However, one of these entities had two different risk appetite statements for different organisational units. Because there is no distinction in the ICT services provided to these units, this could result in inconsistent direction on cyber security risk management.

Threat intelligence

Threat intelligence services can provide entities with valuable information on potential vulnerabilities that could affect their security posture (their ability to defend from and react to cyber attacks). Entities can use this to identify cyber security risks.

One of the entities has implemented a formal process to actively receive, collate, and assess intelligence on threats and vulnerabilities in order to respond to emerging cyber security risks. It uses a variety of sources to gain threat intelligence data, including CITEC’s threat intelligence and monitoring advisory service, AusCERT, and the Queensland Government Chief Information Office’s vulnerability scanning service.

One entity conducts analytics of the deep and dark webs (where there is content not available on usual internet sites) to identify breached and exposed user credentials and passwords to help in identifying cyber risks. The other entity is subscribed to various services that alert it to current threats and vulnerabilities, but it has no formal process for analysing these alerts against its own risk criteria or taking appropriate action.

Security testing

Entities often conduct security testing—for example, information systems audits and penetration tests (simulated cyber attacks to evaluate the security of a system)—which is an effective means for helping to identify risks it may not have found through a desktop analysis. But when this happens, entities need to incorporate these results into their risk assessment processes so the risks can be monitored and tracked.

One of the entities recently engaged external experts to perform various cyber security reviews. They identified and assessed information security risks based on threats, vulnerabilities, and likelihood and impact of cyber security incidents.

However, we found the entity did not incorporate the risks, implications, and expected controls identified through these assessments into its cyber security risk register. Consequently, it did not implement adequate processes to track and manage the identified threats and risks. 

We discuss the types of risks that entities can identify through threat intelligence and security testing in Chapter 4.

QAO insight statement 3 shows some of the important practices we observed for identifying cyber security risks.

This chapter is about how effectively the three entities we audited implement cyber security risk mitigation strategies.

Introduction

To assess whether the three in-scope entities are effectively mitigating their cyber security risks, we:

• tested whether they have implemented the ‘Top 4’ of the 'Essential Eight' mitigation strategies published by the Australian Cyber Security Centre (ACSC) to help organisations protect their systems against cyber threats. The Top 4 strategies include application whitelisting, patching applications and operating systems, and restricting administrative privileges
• assessed whether they maintained formal risk management practices in their supply chains (for example, when they engage third parties to deliver information communication and technology (ICT) services). ICT managed service providers are a known target for attackers, because they require remote access to their customers' systems to deliver their services
• assessed whether they have implemented cyber security awareness programs to make general staff—and staff with privileged access (users who have administrative access to systems)—aware of their responsibilities for managing cyber security risks. The BDO Australia 2018–19 Cyber Security Survey states:

  Our trend data from survey results since 2016 outlines a consistent rise in phishing incidents through to 2018. In fact, it remains the most common incident experienced. Adversaries continue to target the human psyche, our inquisitiveness and general position of trust. Humans are continuing to prove to be a weak link in the layers of defence.

Application whitelisting

Figure 3A shows our assessment of the three in-scope entities' implementation of whitelisting strategies.

None of the three entities had a strategy for implementing application whitelisting, but one of the entities has started to implement application whitelisting in its server and desktop environment. All three entities had some compensating controls in place, but we found these were limited in their effectiveness in fully mitigating the risk that a whitelisting strategy is meant to address.

We observed two challenges the audited entities face in implementing application whitelisting:

• Entities that are tasked with collaborating and experimenting in their ICT environment find it challenging to implement application whitelisting. This is because, while application whitelisting makes an entity's systems more secure, it also limits what users can run on the network

  One of the three entities had not implemented application whitelisting, because it was concerned about making sure it provided its users with a collaborative working environment, while at the same time protecting sensitive information. Entities in this position should still document a whitelisting strategy to show how they plan to address the risk of malicious code being executed in their environment. This could include implementing application whitelisting on devices used by users who have access to sensitive information.

• Implementing application whitelisting is complex, because entities need to account for all the different layers of technology in their networks (such as desktops and servers, and in some cases, different versions of desktops and servers). Otherwise, they can be left exposed on parts of their network that are not protected. One of the entities implemented an application whitelisting solution within its Windows 10 desktops and newer servers, but we found:
  • 93 per cent of its servers hosting applications did not have a whitelisting solution because most of the entity's application hosting servers use old versions of servers or servers reaching end of life. We recognise the entity does not want to implement an application whitelisting solution on servers it plans to replace soon, but in the interim, there is a risk that unauthorised/malicious executables could be run and installed on these servers.
  • 33 per cent of the desktop/laptop computers did not have a whitelisting solution, because they used an older version of the Windows operating system. The entity has a plan to upgrade (by October 2019) all those devices to the most current Windows operating system version (Windows 10), which is the operating system for which the entity has implemented application whitelisting.
  • The entity allowed Windows 10 desktops to run scripts based on their user access privileges, which means privileged users can run scripts from untrusted sources. The entity relies on the user signing an undertaking to use their privileges for the approved purposes. However, this is not an effective compensating control, because a potential attacker could exploit this weakness if they successfully compromised a privileged user account.

QAO insight statement 4 describes how entities can implement a whitelisting strategy, based on guidance material from the Australian Signals Directorate and our observations in this audit.

Patching operating systems and applications

Figure 3B shows our assessment of the three in-scope entities' implementation of patch management strategies.

One of the audited entities demonstrated effective controls for patch management. We observed that this entity:

• has a strategy for patch management. It provides its security governance group with periodic reports on its patching activities
• has mature processes for implementing patches. It uses trusted sources to ensure the integrity and availability of patches required for its environment
• effectively implemented a patch management process to ensure it gave priority to implementing patches assessed as extreme risk and had adequate processes for implementing patches assessed as below extreme risk. Its policy meets the Australian Signals Directorate’s recommendation for patching extreme risk vulnerabilities within 48 hours (it aims for 24 hours) and for patching vulnerabilities assessed as below risk as soon as possible
• updates or replaces any operating systems, applications, and hardware devices that are no longer supported by their vendors to vendor-supported versions or alternative vendor‑supported versions. It has a procedure for maintaining vendor support for all ICT assets
• implements other mitigating approaches when patches are not available to address security vulnerabilities (for example, when an extreme risk event like the ‘wannacry’ virus occurs, and patches are not readily available or are difficult to deploy with a high degree of success). The entity escalates these issues to its security governance committee, where such non-compliances are risk assessed, addressed, and tracked.

Case study 1 shows how this entity assesses its risk exposure in relation to security vulnerabilities that can be addressed by patches released by software vendors.

The other two entities did not have mature processes for patch management. We observed:

• One entity has an established process for patch management, applies these processes to workstations, and sources the patches appropriately. But it applies patches on servers on an ad hoc basis. It has appropriate policy settings in place for mitigating extreme risk security vulnerabilities, but it needs a more robust risk assessment process to enable this. It implements other mitigating approaches when patches are not available to address known security vulnerabilities.
• One entity does not have a strategy or operating procedure for patch management. Its approach for patching systems is ad hoc and mostly left up to the user. It does not have a specific timeframe for implementing patches, regardless of the risk severity the vendor patches are designed to address.

It still uses many unsupported applications and operating systems and it does not have a process to manage those legacy systems that it still needs. When patches are not available for known security vulnerabilities, it relies on staff being prudent and knowledgeable in identifying and reporting these scenarios to management to determine mitigation strategies. It does not have a procedure for undertaking risk assessments of unsupported applications and operating systems. As a result, it cannot identify the level of cyber security risk and develop appropriate resolution, prevention, containment, and detection strategies.

QAO insight statement 5 describes how to effectively implement a patching strategy, based on guidance material from the Australian Signals Directorate and our observations in this audit.

Restricting administrative privileges

The Australian Signals Directorate guidance on restricting administrative privileges states:

Users with administrative privileges for operating systems and applications are able to make significant changes to their configuration and operation, bypass critical security settings and access sensitive information. Domain administrators have similar abilities for an entire network domain, which usually includes all of the workstations and servers on the network.

Adversaries often use malicious code (also known as malware) to exploit security vulnerabilities in workstations and servers. Restricting administrative privileges makes it more difficult for an adversary’s malicious code to elevate its privileges, spread to other hosts, hide its existence, persist after reboot, obtain sensitive information or resist removal efforts.

An environment where administrative privileges are restricted is more stable, predictable, and easier to administer and support, as fewer users can make significant changes to their operating environment, either intentionally or unintentionally.

Figure 3C shows our assessment of the three in-scope entities' implementation of strategies to restrict administrative privileges.

Managing privileged accounts and restricting database administration access

One of the three entities we audited had implemented effective controls for managing privileged user access. It had processes for assigning and reviewing privileged user access, and it automatically revokes access after 12 months, after which the user must reapply. It only provides privileged user access to authorised business system administrators or central ICT support staff, under an agreement with the business unit.

For the other two entities:

• One has designed and implemented a documented process for administering and managing privileged user access, However, some business units that operate their ICT environments independently do not apply a robust process for managing administrator privileges. We observed some of the business units provided local administrator access (which is privileged access) to all users.
• The other has documented responsibilities for managing user access, but it has not documented the process for administering, managing, monitoring, and reviewing privileged user access. While the entity restricts and manages privileged user access through role‑based access and through separate accounts for standard and privileged access, these restrictions are not fully effective because
  • there is evidence of privilege-creep. One user still had domain administrator access that we confirmed was no longer required for their role
  • the entity does not periodically monitor or review privileged user access. It does not have a process that describes how often administrative privileges should be reviewed.

We found all three entities implemented effective controls to minimise and restrict database administration privileges.

Having secure communication for remote system administration tasks

None of the three entities we audited had fully implemented controls to ensure administration tasks can only be performed through a secure connection (like a jump box or a virtual private network (an encrypted connection from a device to the network)). This creates a risk that if an attacker gains access to their networks and compromises the password for an administrator account, they could access the account without requiring any further authentication beyond the initial compromised password.

Restricting internet and email access on privileged accounts

Privileged user accounts should be restricted from business-as-usual activities such as reading email and web browsing. This is to reduce the risk of a privileged account being used to download malicious software or being subject to a phishing attack.

Only one of the three entities had implemented controls to prevent privileged user accounts from being used for reading emails, opening attachments, and browsing the web or obtaining files via internet services such as instant messaging or social media. Privileged accounts have no email or internet access.

For the other two entities:

• One does not prevent privileged user accounts from reading emails, opening attachments, browsing the web, or obtaining files via internet services such as instant messaging or social media. It has, however, implemented some compensating controls.
• The other does not provide email for privileged user accounts, but administrators could set up their own email accounts. In addition, privileged accounts have unrestricted access to the internet (which includes webmail).

Logging and monitoring of privileged operations

We observed varied results across the three entities with regards to logging and monitoring of privileged accounts.

One entity had implemented effective controls to log and monitor privileged user activity. It has designed and implemented processes and controls to securely maintain, monitor, and review audit logs for privileged user account activities for all critical ICT systems and applications. It logs all administrator activities and performs various monitoring and alerting activities.

It uses a security event management system (which provides real-time analysis of security alerts generated by network devices and software) to collect and analyse a minimal amount of audit logs, but it has plans to increase the collection of logs from different sources to better detect anomalous events. 

For the other two entities:

• One has implemented logging of privileged user account activities on the operating systems we tested, and it keeps these logs for a moderate period. However, it does not monitor or receive alerts of privileged user account activities.
• The other has no strategy or policy for securely maintaining, monitoring, or reviewing audit logs for privileged user account activities for its critical ICT systems and applications. It has implemented limited logs of activities in general, but they do not include monitoring or alerting and do not target privileged activities. In addition, even these limited logs are overwritten, on average, within 24 hours.

QAO insight statement 6 describes how entities should implement a process to restrict administrative privileges, based on guidance material from the Australian Signals Directorate and our observations in this audit.

Managing security risks in the supply chain

All three entities we audited need to improve their practices for managing security risks in their supply chain. Two of the three entities had not yet established formal processes for managing security risks associated with suppliers who provide ICT services. The other had defined the ICT procurement process and the roles and responsibilities for the general procurement process, but it had not defined the information security-related roles and responsibilities for managing information security risks in its supply chain.

We found an example of good practice at one of the entities in relation to its formal risk management practices for its major enterprise resource planning software solution. It routinely assesses if the supplier is meeting its contractual obligations. This includes conducting regular audits and other forms of checks and balances such as daily monitoring activities, and obtaining auditor reports of the supplier from a third party to confirm they are meeting contractual obligations.

One of the entities was still developing its process for managing third-party risks in the supply chain. Because these administrative process documents were not finalised and operational, we could not be assured that the entity:

• consistently manages and monitors cyber security risks in its supply chain
• manages and monitors security-related service-level key performance indicators against contractual terms and conditions.

We also noted:

• it did not conduct regular review and monitoring of third-party ICT supplier services to ensure they maintain security levels in alignment with its own relevant information/cyber security policies and procedures (or international security best practices)
• it did not have a risk assessment process for its third-party suppliers to determine the suitability of potential external service providers from an information security perspective.

One of the other entities did not include specific information security provisions in its contracts with third-party providers. It relied on standard contract clauses. We reviewed its hosted services agreement and found there were no information security provisions. While there were references to operational practices such as patching, there were no provisions for information security requirements with which the vendor needed to comply. This means there was no process for monitoring, reviewing, or auditing the vendor’s compliance with information security requirements.

We found one of the entities had adequate processes for ICT contracts that are valued at more than $10,000. The processes aim to provide clarity and accountability of security responsibilities throughout the life of the relationship. But the entity did not have this in place for contracts under $10,000.

We found an instance where a business unit procured a small ICT solution without obtaining endorsement from the central ICT area. The system was later found to not meet the entity's security criteria and was incompatible with its infrastructure. An ICT solution, irrespective of dollar value, can introduce risks that need to be identified and managed.

QAO insight statement 7 shows some of the important practices for a third-party risk management process.

Cyber security awareness training

Two of the three in-scope entities operated cyber security awareness programs to enhance staff awareness of their roles and responsibilities for protecting against cyber security risks. Both entities provided cyber security awareness training to all staff, and one of these entities has provided more targeted training to users who have access to sensitive data.

We found the third entity did not provide any cyber security awareness program. This entity is therefore more susceptible to the type of attacks that take advantage of weaknesses in human controls, like phishing attacks.

One of the entities conducts simulated phishing campaigns against randomly selected employees to raise staff awareness and vigilance. It monitors the percentage of staff who fall for the phishing campaigns to determine the effectiveness of its cyber security awareness programs.

QAO insight statement 8 shows key elements in an effective cyber security awareness training program.

This chapter is about how effectively the three entities implement cyber security controls to prevent access to their sensitive data.

Introduction

We commissioned security consultants to perform an open source threat intelligence assessment and a red team security assessment for the three entities within the scope of this audit. We used these assessments to identify vulnerabilities that entities need to address to protect their sensitive data from attacks.

Overview of results from security testing

Red team security assessment

For each of the three entities, we nominated a narrow set of targets for our security consultants to test, based on our understanding of the entities’ key information assets.

In all three instances, our security consultants were successful in compromising at least one target we set for each entity. While the attack path our security consultants used differed across the three entities, based on what they identified as the easiest path to attack, there were some common issues that made their task easier.

Open source threat intelligence assessment

For two of the three entities we audited, our security consultants identified multiple services that exposed information an attacker with no inside knowledge of these two entities could use to build up a catalogue of information. We found that overall availability of sensitive information relating to the other entity was minimal.

In the following sections, we outline the main learnings for all entities from the results of our security testing.

Physical security controls

At one of the three entities we audited, our security consultants gained initial access to the network through poor physical security controls.

Our security consultants were not prompted for identification at any point when accessing facilities. It was possible to walk from the lifts, past the reception desk, and tailgate employees into the entity's offices. Upon accessing the office, our consultants were able to sit down at employee desks and connect a malicious device to the network.

This facilitated direct access to the entity's internal assets and increased the available ways to target the entity.

User account management

Password practices

At all three entities, we found easily guessable passwords made it easier for our consultants to compromise user accounts and use them to gain control of the entities' networks. At one entity, our consultants were able to crack and recover clear text passwords for over 6,000 user accounts. They cracked the majority of these in less than three minutes.

They were also able to extract passwords from configuration files (files that are used to structure the parameters and settings for some computer programs) and system memory. At another entity, our consultants were able to crack and recover clear text passwords for over 800 user accounts. Again, they were able to crack most of these accounts in less than three minutes.  

Our consultants found users could set common account passwords typically found in password breaches (for example, Password1! and welcome1!). They also found instances where passwords contained:

• predictable permutations, given the frequency of change (like changing numbers on the end of a password)
• an application name
• dates
• the entity name or service.

Figure 4A shows the top nine common base passwords used in the accounts cracked in this assessment at two of the entities. The actual password includes the base word and may have additional characters, for example, Welcome01.

Known password breaches

Our consultants found over 500 user accounts, associated with the three entities' email addresses, to have passwords that have been compromised and disclosed in multiple data breaches that are publicly available. These passwords were associated with services such as Adobe, Dropbox, LinkedIn, and MySpace (and other unattributed breaches).

These user account and password leaks do not indicate the entities' accounts were, or could be, breached. However, a persistent attacker could find valid passwords that the entities' users reuse across multiple accounts.

Entities should make their staff aware of the risk they create for their entities when they use the same user account and passwords on multiple online services.

Accounts with administrative privileges

At two out of the three entities, our consultants found that users who had administrative privileges to computers in the entities' environments actively used the accounts for business‑as‑usual purposes. This made it easier for our consultants to compromise these accounts to gain control of the entities' systems.

Multi-factor authentication

For one of the entities, our consultants found users could remotely gain access to the entity's internal network without two-factor authentication. For two of the three entities, our consultants found staff and administrators were allowed access to sensitive internal servers without having to supply multi-factor authentication.

The combination of easily guessable passwords and the lack of two-factor authentication for:

• external-facing services (such as a website that enables a user to log in to an entity’s service) could enable an attacker to gain access to the entity's network through password guessing
• internal services could enable an attacker who can gain access to a valid highly privileged username and password to use those login credentials to gain access to sensitive internal network servers.

Network segmentation

At all three entities, once our consultants could access the internal networks, they could move laterally within their networks to compromise additional systems. There were minimal security controls restricting access between key systems.

During the engagement, our consultants used several user credentials to move throughout the entities' networks to target servers on adjacent network segments and within the same network segments.

If a rogue employee or attacker compromised a single server within these networks, they would be able to use the access or credentials to target other servers.

Outdated systems

At two of the entities, our consultants identified numerous systems were running outdated applications and operating systems (such as Windows XP and Server 2003) that had not been supported by the vendor for several years. This infrastructure has several known critical vulnerabilities that allows unauthenticated users the ability to execute arbitrary code remotely, granting full system access, and the ability to further attack internal services from trusted locations. This malicious code is publicly available and distributed as default packages within commonly used hacking tools.

Microsoft ended support for Windows 2003 on 14 July 2015 and Windows XP on 8 April 2014. Software and operating systems that are out of support will no longer routinely receive new security patches. As a result, security vulnerabilities are likely to be present and unlikely to be fixed by vendors.

Descriptive subdomains

For all three entities, our consultants identified some subdomains that may give attackers insight into their ICT environment. We observed that:

• one entity's naming of its subdomains could provide attackers with insight into the online services it uses. As an example of how this information could be useful to an attacker, when a new vulnerability about a service is published, the attacker will scan the internet for subdomains that use that service
• two of the entities' naming of their subdomains indicated which subdomains are non‑production environments (for example, development.entityname.qld.gov.au), which may not be as strongly secured as production environments, thus offering easier targets to attack.

Insecure encryption channels

All three entities used online application hosts (websites that allow users to use a software application over the web, for example, a mapping service) that do not use encryption. This weakens the online application’s integrity and could allow an attacker to manipulate communication between users and online services.

Security monitoring and response

We found none of the three entities detected our security testing or prevented our consultants from accessing our set targets. In all three cases, we needed to advise the chief information officers that our security consultants had succeeded in accessing the targets.

This indicates that, should a malicious actor gain access to the internal networks of these entities, their monitoring systems may not be alerted. Once the servers were compromised, there were no instances during testing where any endpoint protection was identified to prevent further progression within the entities' networks.