Several Western Australian government agencies are reviewing their information security postures after an investigation by the state’s Auditor General found serious malware infections in agency systems.
The WA Office of the Auditor General revealed in a report released on 7 December that a number of WA state government agencies had been the target of malware-related communication, and that at least two had malware infections that presented a “serious risk” to the agencies’ networks, systems, and data.
While it comes as no surprise that the agencies had been targeted by malware campaigns, the Malware in the WA State Government report also revealed that each of the six agencies audited experienced attacks that were able to defeat at least one security control or technology system.
Two agencies had signs of persistent malware infections that had bypassed their security controls, according to the report, while one agency had a single infection that was active for most of the 12 day sample period of the audit.
Another agency had in excess of five infections active for approximately two days, with at least one computer re-infected during the assessment period - these active infections placed the agency networks, systems, and data at risk.
“This highlights the need for agencies to employ layered controls with constant monitoring and improvement. The layering of controls is a ‘defence in depth’ approach to cyber security,” the Office of the Auditor General said.
“The audit highlighted a need for the WA public sector to have a coordinated approach to the management of cyber threats,” it said.
According to the Office, the attacks and malware observed during the audit are common, well understood, and use techniques that security tools and agencies should generally be aware of.
However, because of weak or missing security controls, many were still able to enter the network and attempt to infect computers.
They audit’s key findings suggest that WA Government lacks a coordinated approach to cyber threats, including malware.
“At the time of our audit, there was no whole-of-government security policy or framework providing guidance to agencies on how to implement a successful security program,” the Office stated.
The Office of the Auditor General recommended the government agencies assess the risk posed by the malware observed during the audit, improve any controls that were identified as ineffective, and consider additional controls to better secure their networks, systems and data against malware.
It also suggested that the WA public sector, more generally, should continue the rollout and implementation of the Digital Security Policy, consider methods to foster collaboration, information, and resource sharing between agencies, and gather information to properly understand the threat posed by malware.
In response, the WA Department of the Attorney General said it is working to address comments directed specifically to the agency.
However, the Department added that is already “optimising” the use of its existing IT budget to carry out changes to systems and controls on the basis of risk and that, given these constraints, some risks identified in the report may not be fully addressed.
At the same time, the WA Department of Transport said it has already started to address all of the report’s recommendations, while Main Roads Western Australia said it would undertake a risk assessment of malware threats and improve controls.