328 Weaknesses Found By WA Auditor-General In 50 Local Government Systems (zdnet.com)
An anonymous reader quotes a report from ZDNet: The Auditor-General of Western Australia on Wednesday tabled a report into the computer systems used at 50 local government entities, revealing 328 control weakness across the group. It was Auditor-General Caroline Spencer's intention to list the entities, but given the nature of her findings, all case studies included in Local Government General Computer Controls [PDF] omit entity, and system, names.
The report states that none of the 11 entities that the Auditor-General performed capability maturity assessments on met minimum targets. For the remaining 39, general computer controls audits were conducted. The audit probed information security, business continuity, management of IT risks, IT operations, change control, and physical security. Of the 328 control weaknesses, 33 rated as significant and 236 as moderate. Like last year, nearly half of all issues were about information security. The capability assessment results, meanwhile, showed that none of the 11 audited entities met the auditor's expectations across the six control categories, with 79% of the audit results below the minimum benchmark. [...] The report provided six recommendations, one for each of the security types audited. These included implementing appropriate frameworks and management structures, identifying IT risks, and patching.
Time to retire all the 3b2 vaxen and PDP11 systems (Score:2)
Jesus Oz, get with the plan.
Re: (Score:2)
I doubt there would be more vulnerabilities in those systems than those that are unboxed and put on the net every day.
Re: (Score:2)
That's the joke
Only 328? (Score:2)
I'm not sure what a "control weakness" is, but if only 328 were found, someone ought to consider expanding the scope a little. When I build a large JS project, I usually see that many vulnerabilities in ONE project - never mind 50 local government entities. Open question to any 'local government' IT employees: Do YOU think your shit is modern, up-to-date, and secure?
Re: (Score:1)
The US Navy went through a software audit several years ago and realized they didn't even know what scores of software was for. By scores, I believe the number came to tens of thousands but I can't put my finger on the source.
Re: (Score:2)
That number sounds a lot more realistic than "328". So let's take something like 10,000, and multiply by "50 local government systems". That "328" sure looks like an understatement from my admittedly uninformed vantage point.
Re: (Score:3)
A "control weakness" means there are controls in the ICS (Internal Control System) that do not do their job. Controls are how an organization makes sure things are done right on the risk-management level. For example, a control could be "Backups are tested with a real restore test once a year" or "The process to detect attacks is reviewed and updated once a year". With defective controls ("weakness" is a euphemism here) things may still be done right, but it is rather unlikely. To make matters worse, with
Process Issues, not just Software Bugs (Score:4, Insightful)
Well, okay... But the same graphic includes the Capability-Maturity Model scale on its vertical axis. That's as much a process or capability assessment framework, as opposed to being purely specific to software vulnerabilities.
It does go on to say that, "nearly half of the 328 weaknesses found relate to information security", but, again, that's still a little imprecise for us to assess this objectively. Put another way, if any of the weaknesses related to software vulnerabilities and if the report had disclosed, say, a summary of their CVSS version 3.1 [first.org] scores, then we could get a rough idea of the findings.
I'm certainly not in any way suggesting that this report is anything less than excellent or that it's not valid... but the way the summary is written it strongly suggests that the Audit was vertical in nature, in other words looking at entire business processes of which software may have been a significant part.
Even if the "nearly half" of the 328 weaknesses were entirely valid software vulnerabilities, context is key. If I exploit this vulnerability, does it cause the software to crash (i.e. generating inconvenience for other users) or does it give me the ability to manipulate or extract data beyond the design intent (thereby facilitating data leakage, fraud or similar data corruption issues)?
Were the systems tested externally facing? (i.e. publicly accessible?) Do they enable financial transactions? Do they hold or access Personal Information? Do they store or access classified or confidential information?
Context would be useful here. If the vulnerabilities were in mission-critical payment systems that included personal information and bank account details and were publicly visible, it might be a good idea to be concerned. But if the vulnerabilities are related to the intranet-based menu for the cafeteria, such that I can see tomorrow's menu today... well, that's not quite the same.
Despite my being a bit underwhelmed with the detail in this reporting, the Australian Auditor-General is right to call this out. Practices such as lack of or slow patching of vulnerabilities are inexcusable habits in any organization in 2021. If they can't get that right, what else are they getting wrong?
Re: (Score:2)
Implement a filtering web proxy server, say something like BlueCoat, then configure it to:
1. Operate in ‘deny by default’ mode and allow access only based on allow-lists
2. Make sure that ‘file-sharing sites’ are not activated.
For good measure, it’s also helpful if the page served to internal users in the event that access is blocked by the proxy includes a link along the lines of
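The deny-by-default, allow-list-only proxy policy the comment above describes, written out as a Squid configuration (an added example, not the commenter's BlueCoat setup; the client range, list file paths and the custom error template name are assumptions):

```conf
# Added example: Squid equivalent of the "deny by default, allow-list only"
# proxy policy. Assumed: allow-listed destination domains live in
# /etc/squid/allowlist.txt, one per line (a leading dot covers subdomains,
# e.g. ".example.gov.au"); known file-sharing domains live in
# /etc/squid/filesharing.txt in the same format.

http_port 3128

# Internal client network (constructed range for this example)
acl localnet src 10.0.0.0/8

# Destination allow-list: the ONLY places internal users may reach
acl allowed_sites dstdomain "/etc/squid/allowlist.txt"

# Explicit block list for file-sharing services, so they stay blocked
# even if someone later adds one of them to the allow-list by mistake
acl filesharing dstdomain "/etc/squid/filesharing.txt"

# Usual port hygiene: plain HTTP and HTTPS only, CONNECT only to 443
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Rule order matters: Squid stops at the first matching http_access line.
http_access deny filesharing
http_access allow localnet allowed_sites

# Deny-by-default: anything not matched above is refused
http_access deny all

# Serve a custom block page (template ERR_BLOCKED_SITE must exist in the
# errors/ directory of the configured language) so that internal users see
# why the request was refused and where to ask for an allow-list entry.
deny_info ERR_BLOCKED_SITE filesharing
deny_info ERR_BLOCKED_SITE all

# Log every decision so blocked requests can be reviewed when tuning the list
access_log /var/log/squid/access.log squid
```

Run `squid -k parse` after editing to check the syntax, and review `access.log` for `TCP_DENIED` entries to see which legitimate destinations still need adding to the allow-list.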
Some background (Score:2)
These are control weaknesses, i.e. it means nobody is actually systematically checking things are done right. Things may still be done right, but it is rather unlikely. Hence the whole thing is worse than just "IT security sucks", because it is "IT security very likely sucks, but they do not know it or at least do not know what sucks".
Any of these include election systems? (Score:2)
We are quick to dismiss voter irregularities as odd statistics, but is anyone really looking into election security in podunk backwater counties?
PS: I don't think the election was stolen, but after 20 years of bashing Diebold's security flaws, maybe it's time to consider this a matter that is directly affecting the American public (or maybe not, because no one cares since Trump is gone).
Re: (Score:1)
Perhaps you missed the text of the story, but WA is Western Australia, not Washington State. In Australia, local government plays little part in elections: each state has its own electoral commission, and there's a national commission (AEC) for federal matters. They are separately funded independent public service organisations that do all government elections, including maintaining voter rolls, manning polling stations and drawing electoral boundaries, and elections are all they do.
Another difference is
AU politicians are the worst (Score:2)
Just watch the TV-Series 'Rake'.
https://www.imdb.com/title/tt1... [imdb.com]