The Australian Federal Police are not yet in compliance with the government’s mandated ‘Top 4’ security strategies, an audit has found.
According to the Australian Signals Directorate, which maintains the government's Information Security Manual (ISM), the ‘Top 4’ strategies can prevent at least 85 per cent of the targeted cyber intrusions that it responds to.
The strategies are based on application whitelisting, application patching, server and desktop OS patching, and the restriction of administration privileges based on user duties.
A review by the Australian National Audit Office has found that although the AFP and the Department of Industry, Innovation and Science can be classed as “internally resilient” — they posses a “level of protection from breaches and disclosures of information from internal sources but vulnerabilities remain to attacks from external sources” — they fall outside of the “cyber resilient zone”.
“Cyber resilient” implies an agency has a “high-level of protection from external attacks and internal breaches and disclosures of information”.
In addition to Industry and the AFP, the audit assessed the security of the Department of Agriculture and Water Resources and the government’s money laundering watchdog, the Australian Transaction Reports and Analysis Centre (AUSTRAC).
Both Agriculture and AUSTRAC were in compliance with the ISM's top four strategies.
(The government’s Protective Security Policy Framework as amended in 2013 mandated the implementation of the top four strategies, with a target date of mid-2014 for compliance.)
The ANAO carried out its audit between May and October 2015. In its report, the auditor declined to identify individual issues at agencies “due to the risk of disclosing sensitive information about entity ICT security”.
However, it provided aggregate details of the organisations’ performance.
Two agencies had failed to implement whitelisting as part of the standard operating environment, the report noted.
One agency had failed to prevent a user from running arbitrary executables. One agency failed to restrict “a user’s rights in order to permit them to only execute a specific set of predefined executables as required for them to complete their duties”.
When it came to patching, one agency was failing to apply all critical security patches within two days (two agencies were “actively implementing” the security control, the report stated).
Read more: Our future cyber security industry
The audit also found that one agency was failing an ISM mandate to install the latest version of an application within two days if the if the upgrade addresses a critical security vulnerability (three agencies were actively implementing the control).
The audit’s first recommendation was for entities to “establish processes to monitor patch levels across their enterprise ICT systems”.
“The AFP has implemented a number of programs of work to address this recommendation with a planned implementation date of 1 July 2016,” the AFP's response to the recommendation stated.
The other recommendations of the report were firstly a periodic review by organisations of their security posture: Entities should “conduct periodic assessments on the effectiveness of IT security controls across their enterprise ICT systems”; “decide on the optimal and/or desired ICT security posture”; and “define strategies to achieve and maintain the desired ICT”.
Secondly the report recommended that the organisations capture and store audit logs for privileged user accounts and actively monitor privileged user accounts for unauthorised access.
“The AFP agrees that the report is an accurate assessment of the agency’s compliance state as at July 2015,” the AFP said in its overall response to the audit.
“The AFP supports the recommendations of the report, noting that the audit has identified some areas for improvement. The AFP has established programs of work to implement the recommendations.”
The ASD recently updated a number of its guides to implementing its top four mitigation strategies.
Prime Minister Malcolm Turnbull in April launched the federal government's national cyber security strategy.
The full ANAO report is available online.