A Hands-on Approach to Auditing Cybersecurity

March 2018



Background

• Cybersecurity is the protection of computer systems from theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide

• Malware is part of the growing Cyber Security threat used to steal data, grant attackers access to networks, lock or destroy files

• It is a serious threat to Australian government and private networks

• Cost of Cyber Crime to the Australian economy: Billions!!

Cyber Reports

• 2016 Malware in the WA State Government

• 2015 Database Security

• 2014 Cloud Computing

• 2013 Information Security Gap Analysis

• 2012 Security of Online Transactions

• Follow up: Cyber Security in Government Agencies

• 2011 Cyber Security in Government Agencies

• 2010 Security of Laptops and Portable Storage Devices

• 2009 IS Audit Annual Report (GCCs, Application Reviews, CMMs)

• Protection of Personal and Sensitive Information

• 2008 Disposal of Government Hard Drives

• 2007 Security of Wireless LANs in Government

• 2005 Protection of Critical Infrastructure Control Systems

• 2004 Computer Anti-Virus Management

General Computer Controls Audits

Capability Maturity Assessments

The results of the capability assessment below show that most agencies are not effectively managing key areas.

Cyber findings from GCCs

Common findings – the 3 P’s: People, Patching, Passwords

• unauthorised access

• former staff retaining access

• no review of highly privileged application, database and network user accounts

• excessive admin accounts

• not installed or out of date anti-virus software

• 100’s of sensitive documents shared on internet

• applications and operating systems without critical patches

• no security policies, out of date or not approved

• weak passwords for networks and key systems, eg Password

• no password

• highly privileged generic accounts shared with many staff and contractors
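The People and Passwords findings above are the kind of thing a GCC audit tests by walking an account inventory. The following is an added example, not code from the presentation or the Office of the Auditor General: it runs those checks over a constructed account list, assuming an export with the fields shown and unsalted SHA-256 password hashes (both assumptions), and flags former staff still enabled, unreviewed or shared privileged accounts, the admin-to-user ratio, and empty or known-weak passwords.

```python
import hashlib
from datetime import date

def sha256(text):
    """Unsalted SHA-256 hex digest; the hash export format is an assumption."""
    return hashlib.sha256(text.encode()).hexdigest()

# Constructed sample inventory (not real agency data). The fields are what an
# audit would join from HR, the directory and application/database user lists.
ACCOUNTS = [
    {"user": "jsmith", "enabled": True, "privileged": True, "employed": False,
     "shared_by": 1, "last_review": date(2017, 11, 1), "pw_hash": sha256("Xk9#pL2v!q")},
    {"user": "svc_admin", "enabled": True, "privileged": True, "employed": True,
     "shared_by": 14, "last_review": None, "pw_hash": sha256("Password")},
    {"user": "mlee", "enabled": True, "privileged": False, "employed": True,
     "shared_by": 1, "last_review": None, "pw_hash": None},
    {"user": "rwong", "enabled": True, "privileged": False, "employed": True,
     "shared_by": 1, "last_review": None, "pw_hash": sha256("g7!Qz2@wNp")},
]
AUDIT_DATE = date(2018, 3, 1)

# Hashes of a few known-weak passwords; "Password" is the slide's own example.
WEAK_HASHES = {sha256(p): p for p in ("Password", "password", "Password1", "admin")}

def audit_accounts(accounts, today, review_days=90, max_admin_ratio=0.25):
    """Return (user, finding) pairs for the People and Passwords findings."""
    findings = []
    for a in accounts:
        if a["enabled"] and not a["employed"]:
            findings.append((a["user"], "former staff retaining access"))
        if a["enabled"] and a["privileged"]:
            last = a["last_review"]
            if last is None or (today - last).days > review_days:
                findings.append((a["user"], "highly privileged account not reviewed"))
            if a["shared_by"] > 1:
                findings.append((a["user"], f"generic account shared by {a['shared_by']} people"))
        if a["pw_hash"] is None:
            findings.append((a["user"], "no password"))
        elif a["pw_hash"] in WEAK_HASHES:
            findings.append((a["user"], f"weak password: {WEAK_HASHES[a['pw_hash']]}"))
    enabled = [a for a in accounts if a["enabled"]]
    admins = [a for a in enabled if a["privileged"]]
    if enabled and len(admins) / len(enabled) > max_admin_ratio:
        findings.append(("*", f"excessive admin accounts: {len(admins)} of {len(enabled)}"))
    return findings

def run_audit():
    return audit_accounts(ACCOUNTS, AUDIT_DATE)

if __name__ == "__main__":
    for user, finding in run_audit():
        print(f"{user:10} {finding}")
```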

Security Gaps – ISO 27001

[Chart: gap analysis results for agencies 1-21. Red = 0-60%, Orange = 61%-85%, Green = 86%-100%.]

Cyber Attacks

[Diagram: simple representation of an agency with an Internet web site. Public users of the agency website reach agency information through a Router, a Firewall and an IDS/IPS (defence against unwanted or malicious traffic) for normal web access, information services and paying bills.]

Cyber Attacks

[Diagram: the same agency network under attack. An Attacker reaches agency information/resources past the Router, Firewall and IDS/IPS; a USB Key provides back door entry. Labels: operating systems, software running, ports open, vulnerabilities, interception of data.]

1. Defence mechanisms failed to detect/prevent malicious activity

2. Scanning of web server to gather information for specific attacks

3. Access to agency network. Information obtained and used to escalate attack

4. USB by-passed security mechanisms to access network

DB Security issues

The Collector

What did we do?

Analysing the results

A significant number of alerts of suspicious behaviour were generated. The data analytics system was able to provide some initial sorting and prioritising. We manually assessed the rest.

We looked for any evidence of suspicious or potentially malicious behaviour by analysing traffic patterns and connection protocols. This work was limited due to the sheer volume of data collected, most of which was legitimate traffic.

We provided the details of any alerts or issues we found to agency technical staff. They had the opportunity to investigate and act on the alerts. They were also able to tell us if any alerts were ‘false positive’ alerts.

Basic control failures are still common

• Control failures are still common, leaving agencies vulnerable

• As we regularly report in our annual Information Systems Audit Report, agencies often do not ensure that their basic, easy to implement controls are fully effective.

• Agencies need to improve their ability to find vulnerabilities in their software.

• Agencies had deployed their AV incorrectly, limiting its effectiveness while vulnerability scanning tools were also misconfigured.

Defence in Depth

[Diagram: the government IT landscape drawn as layers, from the Internet through ServiceNet, the Agency Perimeter, Network OS, Application and Database to the Data, with controls and attacks mapped against each layer.]

IT Landscape: Internet, ServiceNet, Agency Perimeter, Network OS, Application, Database, Data

Controls (Process, People, Technology): Firewall, IDS/IPS, VPN, Threat management, User awareness, Policy, Procedures, Access controls, Software updates, Encryption

Attacks: Scans, Viruses and worms, Botnets, Phishing, Buffer overflows, Social engineering, XSS attacks, SQL injection, Malware, Hacking


Thank you and questions

Peter Bouhlas

Senior Director, Information Systems Audit

Office of the Auditor General for Western Australia

[email protected]