A Hands-on Approach to Auditing Cybersecurity
Posted on 24-Jun-2018
TRANSCRIPT
• Cybersecurity is the protection of computer systems from theft of, and damage to, their hardware, software or information, as well as from disruption or misdirection of the services they provide
• Malware is part of the growing cyber security threat; it is used to steal data, grant attackers access to networks, and lock or destroy files
• It is a serious threat to Australian government and private networks
• Cost of cyber crime to the Australian economy: billions of dollars
Background
• 2016 Malware in the WA State Government
• 2015 Database Security
• 2014 Cloud Computing
• 2013 Information Security Gap Analysis
• 2012 Security of Online Transactions
• Follow up: Cyber Security in Government Agencies
• 2011 Cyber Security in Government Agencies
• 2010 Security of Laptops and Portable Storage Devices
• 2009 IS Audit Annual Report (GCCs, Application Reviews, CMMs)
• Protection of Personal and Sensitive Information
• 2008 Disposal of Government Hard Drives
• 2007 Security of Wireless LANs in Government
• 2005 Protection of Critical Infrastructure Control Systems
• 2004 Computer Anti-Virus Management
Cyber Reports
The results of the capability assessment below show that most agencies are not effectively managing key areas.
Capability Maturity Assessments
Common findings – the 3 P’s

People
• unauthorised access
• former staff retaining access
• no review of highly privileged application, database and network user accounts
• excessive admin accounts

Patching
• anti-virus software not installed or out of date
• 100’s of sensitive documents shared on the internet
• applications and operating systems without critical patches
• no security policies, or policies out of date or not approved

Passwords
• weak passwords for networks and key systems, eg “Password”
• no password
• highly privileged generic accounts shared with many staff and contractors
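The People and Passwords findings above are the kind of thing an auditor checks mechanically against an account export rather than by interview. The script below is an added example, not the audit office's own tooling: it runs the departed-staff, unreviewed-privileged-account, shared-credential, empty-password and guessable-password checks over a constructed sample export. The CSV column layout, the unsalted SHA-256 hash column, the one-year review interval and the tiny weak-password dictionary are all assumptions made for the example; a real audit would test extracted hashes against a full wordlist.

```python
import csv
import hashlib
import io
from datetime import date

def sha256_hex(text):
    """Unsalted SHA-256 hex digest, assumed here to be what the export stores."""
    return hashlib.sha256(text.encode()).hexdigest()

# Constructed sample export (not real agency data).  The column layout is an
# assumption: username, privileged (Y/N), departed (Y/N), last_review (ISO date
# or blank), shared_by (people known to use the credential), password_hash
# (blank when no password is set at all).
SAMPLE_EXPORT = "username,privileged,departed,last_review,shared_by,password_hash\n" + "\n".join([
    f"jsmith,N,N,2018-01-15,1,{sha256_hex('Tr0ub4dor&3-ridesAgain')}",
    f"admin_db,Y,N,,7,{sha256_hex('Password')}",
    f"svc_backup,Y,N,2016-03-01,3,{sha256_hex('Winter2018')}",
    f"bjones,Y,Y,2017-11-02,1,{sha256_hex('correct-horse-battery-staple')}",
    "root_net,Y,N,2018-02-10,12,",
    f"mwhite,N,N,2018-05-20,1,{sha256_hex('q9!mLz#4vP2r')}",
]) + "\n"

AS_OF = date(2018, 6, 24)
REVIEW_INTERVAL_DAYS = 365   # assumption: privileged accounts must be reviewed yearly
MAX_SHARED_USERS = 1         # a privileged credential should belong to one person
# Small guessable-password dictionary; a real audit would use a full wordlist.
WEAK_WORDS = ["Password", "password", "Password1", "Welcome1", "admin",
              "123456", "Winter2018", "Summer2018"]
WEAK_HASHES = {sha256_hex(w): w for w in WEAK_WORDS}

def audit_accounts(export_text, today=AS_OF):
    """Return (username, category, finding) tuples for the People and Passwords checks."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["username"]
        privileged = row["privileged"] == "Y"
        # People: former staff retaining access
        if row["departed"] == "Y":
            findings.append((user, "People", "former staff member still has an active account"))
        if privileged:
            # People: no review of highly privileged accounts
            last = row["last_review"]
            if not last:
                findings.append((user, "People", "privileged account has never been reviewed"))
            elif (today - date.fromisoformat(last)).days > REVIEW_INTERVAL_DAYS:
                findings.append((user, "People", "privileged account review older than a year"))
            # Passwords: generic privileged accounts shared with many people
            if int(row["shared_by"]) > MAX_SHARED_USERS:
                findings.append((user, "Passwords",
                                 f"privileged credential shared by {row['shared_by']} people"))
        # Passwords: no password, or one in the guessable dictionary
        digest = row["password_hash"]
        if digest == "":
            findings.append((user, "Passwords", "no password set"))
        elif digest in WEAK_HASHES:
            findings.append((user, "Passwords",
                             f"password is in the weak-password dictionary ({WEAK_HASHES[digest]})"))
    return findings

def run_sample():
    """Audit the constructed export as at the date of this post."""
    return audit_accounts(SAMPLE_EXPORT)

if __name__ == "__main__":
    for user, category, finding in run_sample():
        print(f"{category:9s} {user:12s} {finding}")
```

Because the weak-password check compares stored hashes against hashes of dictionary words, it never needs the plaintext; replacing `sha256_hex` with the hash the target system really uses (and adding any salt) is the only change needed to run it against a real extract.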
Security Gaps – ISO 27001
Gap analysis results, agencies 1–21 (chart): Red = 0–60%, Orange = 61%–85%, Green = 86%–100%
Simple representation of an agency with an Internet web site (diagram)
• Public users of the agency website: normal web access, information services, pay bills
• Router → Firewall → IDS/IPS: defence against unwanted or malicious traffic
• Agency information sits behind these defences
Cyber Attacks
The same agency under attack (diagram): Attacker → Router → Firewall → IDS/IPS → agency information/resources; a USB key plugged in behind the perimeter
1. Defence mechanisms failed to detect/prevent malicious activity
2. Scanning of web server to gather information for specific attacks
3. Access to agency network; information obtained and used to escalate attack
4. USB by-passed security mechanisms to access network
Diagram labels: operating systems, software running, ports open, vulnerabilities, interception of data, back door entry
Cyber Attacks
Analysing the results
A significant number of alerts of suspicious behaviour were generated. The data analytics system was able to provide some initial sorting and prioritising. We manually assessed the rest.
We looked for any evidence of suspicious or potentially malicious behaviour by analysing traffic patterns and connection protocols. This work was limited due to the sheer volume of data collected, most of which was legitimate traffic.
We provided the details of any alerts or issues we found to agency technical staff. They had the opportunity to investigate and act on the alerts. They were also able to tell us which alerts were ‘false positives’.
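The triage described in the three paragraphs above (alerts generated from traffic patterns, an initial automated sort, agency feedback removing false positives) and step 2 of the attack diagram earlier (scanning of the web server to gather information) can be shown on a small connection log. The script below is an added example and is not the audit's data-analytics system: it parses constructed connection records, raises alerts for port scanning, completed connections to unpublished server ports, and internal hosts connecting out to the Internet on non-web ports, drops the alerts agency staff have confirmed as false positives, and orders the remainder by score. The log format (loosely modelled on Zeek's conn.log), the example addresses, the thresholds and the scoring are all assumptions.

```python
from collections import defaultdict

# Constructed connection records (not captured traffic), one per line:
# epoch_seconds src_ip src_port dst_ip dst_port proto state
# state is SF (connection completed) or REJ (refused), borrowed loosely from Zeek.
SAMPLE_LOG = """\
1529798400 203.0.113.7 51000 198.51.100.10 80 tcp SF
1529798401 203.0.113.7 51001 198.51.100.10 443 tcp SF
1529798402 203.0.113.7 51002 198.51.100.10 22 tcp REJ
1529798402 203.0.113.7 51003 198.51.100.10 21 tcp REJ
1529798403 203.0.113.7 51004 198.51.100.10 3306 tcp REJ
1529798403 203.0.113.7 51005 198.51.100.10 8080 tcp SF
1529798404 203.0.113.7 51006 198.51.100.10 8443 tcp REJ
1529798405 203.0.113.7 51007 198.51.100.10 445 tcp REJ
1529798410 192.0.2.25 44000 198.51.100.10 443 tcp SF
1529798411 192.0.2.26 44001 198.51.100.10 80 tcp SF
1529798420 198.51.100.10 39000 203.0.113.50 4444 tcp SF
1529798425 198.51.100.10 39001 198.51.100.20 5432 tcp SF
1529798430 192.0.2.30 45000 198.51.100.10 8080 tcp SF
"""

WEB_SERVER = "198.51.100.10"
PUBLISHED_PORTS = {WEB_SERVER: {80, 443}}   # assumption: what the agency says it publishes
INTERNAL_PREFIXES = ("198.51.100.",)        # assumption: the agency's own address space
SCAN_DISTINCT_PORTS = 5                     # this many distinct ports from one source...
SCAN_WINDOW_SECONDS = 30                    # ...inside this window counts as a scan
# Alerts agency staff have already confirmed as false positives: (kind, src, dst, dport).
CONFIRMED_FALSE_POSITIVES = {("unexpected_inbound", "192.0.2.30", WEB_SERVER, 8080)}

def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, dst, dport, proto, state = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto, "state": state})
    return records

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)

def alert(kind, src, dst, dport, score, detail):
    return {"kind": kind, "src": src, "dst": dst, "dport": dport, "score": score, "detail": detail}

def detect_scans(records):
    """One source touching many distinct ports on one host inside a sliding time window."""
    alerts = []
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r)
    for (src, dst), events in by_pair.items():
        events.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > SCAN_WINDOW_SECONDS:
                start += 1
            window = events[start:end + 1]
            ports = {r["dport"] for r in window}
            if len(ports) >= SCAN_DISTINCT_PORTS and (best is None or len(ports) > best[0]):
                best = (len(ports), sum(1 for r in window if r["state"] == "REJ"))
        if best:
            alerts.append(alert("port_scan", src, dst, None, 70 + min(best[0], 30),
                                f"{best[0]} distinct ports in {SCAN_WINDOW_SECONDS}s, {best[1]} refused"))
    return alerts

def detect_unexpected_inbound(records):
    """Completed connections from outside to a server port the agency does not publish."""
    alerts = []
    for r in records:
        allowed = PUBLISHED_PORTS.get(r["dst"])
        if allowed is None or is_internal(r["src"]) or r["state"] != "SF":
            continue
        if r["dport"] not in allowed:
            alerts.append(alert("unexpected_inbound", r["src"], r["dst"], r["dport"], 50,
                                f"completed connection to unpublished port {r['dport']}"))
    return alerts

def detect_unexpected_outbound(records):
    """Internal hosts opening connections out to the Internet on non-web ports (back-door sign)."""
    alerts = []
    for r in records:
        if (is_internal(r["src"]) and not is_internal(r["dst"])
                and r["state"] == "SF" and r["dport"] not in (80, 443)):
            alerts.append(alert("unexpected_outbound", r["src"], r["dst"], r["dport"], 90,
                                f"internal host connected out to port {r['dport']}"))
    return alerts

def triage(log_text):
    """All detectors, minus confirmed false positives, highest score first."""
    records = parse_log(log_text)
    alerts = detect_scans(records) + detect_unexpected_inbound(records) + detect_unexpected_outbound(records)
    kept = [a for a in alerts
            if (a["kind"], a["src"], a["dst"], a["dport"]) not in CONFIRMED_FALSE_POSITIVES]
    return sorted(kept, key=lambda a: a["score"], reverse=True)

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"[{a['score']:3d}] {a['kind']:20s} {a['src']} -> {a['dst']}  {a['detail']}")
```

The ordering puts the outbound connection first because an internal server reaching out to an arbitrary Internet port is the signature of step 3/4 in the attack diagram (a back door already inside), while a scan is noisy but usually the earliest and least damaging stage. The false-positive set is what agency feedback feeds back into; in practice it is keyed on something stable (source, destination, port) rather than on the alert text.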
Basic control failures are still common
• Control failures are still common, leaving agencies vulnerable
• As we regularly report in our annual Information Systems Audit Report, agencies often do not ensure that their basic, easy to implement controls are fully effective.
• Agencies need to improve their ability to find vulnerabilities in their software.
• Agencies had deployed their anti-virus software incorrectly, limiting its effectiveness, and their vulnerability scanning tools were also misconfigured.
Defence in Depth

The government IT landscape (diagram, from the outside in): Internet → ServiceNet → Agency Perimeter → Network OS → Application → Database → Data
• Perimeter technology: Firewall and IDS/IPS (at ServiceNet and again at the agency perimeter), VPN
• Controls (People, Process, Technology): Threat management, User awareness, Policy, Procedures, Access controls, Software updates, Encryption
• Attacks: Scans, Viruses and worms, Botnets, Phishing, Buffer overflows, Social engineering, XSS attacks, SQL injection, Malware, Hacking