Fed agencies fail to pass muster in cyber audit


A newly released cybersecurity review of the Federal Government’s largest agencies reveals that only one has so far applied the Australian Signals Directorate’s (ASD) ‘Essential Eight’ criteria to their financial management and HR systems.

The security gaps were highlighted in the Australian National Audit Office’s (ANAO) ‘Interim Report on Key Financial Controls of Major Entities’, which measured federal agencies’ financial control systems against the Essential Eight baseline criteria.

According to its assessment parameters, the cyber review, part of a wider audit of agencies’ financial systems, sought to confirm the accuracy of reporting and identify cybersecurity risks that may impact the preparation of financial statements.

The Office’s interim review audited the financial and HR systems of 18 agencies, including Defence, Services Australia, Home Affairs, and the Tax Office, with just a single unnamed agency considered to have applied the E8 guidelines in full.

Financial & HR systems under review

The audit analysed agencies’ policy and procedural documentation, together with testing mitigation strategies specific to Financial Management Information Systems (FMIS) and Human Resources Information Management Systems (HRIMS).

Targeted audits have been undertaken by ANAO since 2013. These audits have consistently uncovered shortcomings in agencies’ cyber resilience, particularly around compliance with the ASD’s Essential Eight.

The E8 parameters offer detailed technical guidance to government agencies to help lessen the risk of malware infection, limit the number of cybersecurity incidents, and better enforce resilience, including data recovery and back-up systems.

As with previous audits, the latest assessment revealed that “maturity levels for most entities were significantly below” the requirements of the Government’s protective security policy framework (PSPF), and in particular its Core Requirement 10.

Policy 10 requires entities to achieve a higher level of maturity and manage security risks, at the same time fostering a culture of diligence within the entity and across the government.

Of the 18 entities assessed, only one was rated as achieving a level of sufficient maturity across all E8 criteria, the audit said.

Most notably, the review found agencies had the lowest level of cyber compliance in ‘application hardening’ – a process designed to make it more difficult to reverse engineer and tamper with apps.

Gaps were also identified in macro controls and multi-factor authentication, though these are considered non-mandatory under the Essential Eight criteria.

Challenge of protecting different apps

“Application hardening” was considered a difficult process, the audit noted, as entities’ systems relied on a range of apps and supported different uses.

However, the report acknowledged that most agencies were at least planning to address these gaps by July this year.

Entities, it said, were also implementing plans to reduce the number of applications in their environments, with an aim to protect their attack surface and minimise risk.
Restricting macros vs business needs

Restrictions in the use of macros also varied between agencies. Some agencies reported the control as being difficult to enforce “due to users relying heavily on macros to perform business activities”. Others relied on “additional mitigations” to address concerns.

Macros, supported by software programming instructions, enable users to automate routine tasks or use less time to finish a job.

Most agencies appeared to accept the risk of their word processing macros being compromised and, as a result, accepted a lesser degree of cyber maturity.

While the macros were broadly programmed safely, the risk lay in a macro being “re-written” by a malicious user, including the introduction of harmful code, that would compromise data files or applications stored on a computer.

With respect to identity management, agencies “found the process of organising/distributing multi-factor authentication tokens for all users to be an onerous one”, the report said.

“Entities prioritised multi-factor controls for remote access and privileged users, rather than all users,” the audit said.

Moreover, four agencies had incorrectly self-assessed, revealing an insufficient understanding of their requirements.

“The entities attributed the inaccuracies in their assessments to their interpretation of the scope of the requirement and indicated that they found it challenging to determine whether they had met the intention of the mitigation strategies,” the audit stated.

Minimising cyber risks

Most entities were understood to have “conducted their self-assessment at a system or environment level and did not specifically assess the controls required to minimise cyber risks to their FMIS [Financial Management Information Systems] or HRMIS [Human Resources Management Information Systems] applications,” the audit said.

Earlier, the Australian Cyber Security Centre (ACSC) warned in its report last year that government entities and their core systems remain prime targets for malicious cyber-actors.

These actors use sophisticated tools to obtain information on defence capabilities, cutting-edge research, intellectual property, and the personal information of residents and government staff.

At the time, the ACSC introduced the “Cyber Uplift” initiative and “Sprint Programs” to assess baseline maturity levels of 25 Commonwealth entities. These assessments focused on the implementation of the Essential Eight guidelines.

The ACSC at the time said it had deployed ‘sprint teams’ to identify, support, and strengthen entities’ cybersecurity posture.

The Centre’s report to Parliament said it had last year responded to 427 incidents affecting Commonwealth entities.

Sixty-five per cent of these incidents were self-reported to the ACSC. The remaining 35 per cent were identified through the Centre’s investigations, together with reporting by international partners and third parties, and an analysis of classified and open-source materials.