NSW Government – a case study in how not to do cyber

It’s a good thing state authorities are exempt from Australia’s recently introduced mandatory breach disclosure regime – good for them at least, not so much for the rest of us.

The legislation, which compels organisations to notify affected individuals if their personal information is involved in a ‘serious’ data breach, only extends to organisations covered by the Australian Privacy Act, so state and territory authorities fall outside its reach.

Last week, the NSW auditor-general, Margaret Crawford, released a review into the State Government’s cyber preparedness and the results were sobering. 

She found “there is a risk that incidents will go undetected longer than they should, and opportunities to contain and restrict the damage may be lost.” 

This is largely because four out of 10 NSW government agencies were found to have a ‘low’ or ‘very low’ capability to detect data breaches – only two in 10 had ‘very high’ capabilities.

This being the case, maybe it doesn’t really matter that state authorities are exempt from breach disclosure laws because they’d have no idea they were breached in the first place. 

Which, frankly, is an even scarier proposition. 

The report went on to give examples of real-life responses (or lack thereof) to cyber attacks against the State Government. In one case study, an agency took 49 days to respond to an attack, which allowed the attacker to move laterally into other government agencies.

In addition to “poor detection and response capabilities”, Crawford also found an absence of “whole-of-government capability to detect and respond effectively to cyber security incidents”.

To put this another way, the NSW Government is a text-book case study in how not to do cyber security. To do it any worse you’d need to send attackers the data yourself.

While the above findings are all devastating in themselves, perhaps most alarming of all is that those agencies that were found to have a “high capability of detecting incidents” were given that assessment because they use Security Information and Event Management (SIEM) solutions.

Anyone who has used a SIEM before knows how expensive and ineffective they can be. SIEMs generate so many false positives that ‘finding a needle in a haystack’ barely comes close to describing how many alerts an analyst must sift through before finding an actual breach.

These log-based intrusion detection systems are, as typically deployed, outdated. More often than not they “cry wolf”, creating an avalanche of false positives that leads to alert fatigue. This only benefits the attacker, who can slip through defences hidden in the SIEM’s endless static. Noise on this scale is usually a symptom of untuned, single-event rules rather than of log analysis as such, but the effect on the analyst is the same: owning a SIEM is not the same as being able to detect anything with it.
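To make the “cry wolf” point concrete, here is an added example (not code from the page or from any NSW agency) that runs three detection rules over a small, constructed authentication log. The log, the field format (`auth FAIL|OK user=… src=…`), the thresholds and the rule names are all assumptions for illustration. The naive rule fires on every failed logon and buries the analyst; a per-account threshold rule cuts the noise to zero but also misses the attack; a rule that correlates many failures from one source across distinct accounts followed by a success fires exactly once, on the actual password spray.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): ordinary users mistyping passwords,
# plus one external source spraying six accounts and then logging in as one.
SAMPLE_LOG = """\
2018-03-05T09:00:01 auth FAIL user=alice src=10.1.1.5
2018-03-05T09:00:09 auth OK   user=alice src=10.1.1.5
2018-03-05T09:02:14 auth FAIL user=bob src=10.1.1.7
2018-03-05T09:02:20 auth FAIL user=bob src=10.1.1.7
2018-03-05T09:02:31 auth OK   user=bob src=10.1.1.7
2018-03-05T09:05:00 auth FAIL user=carol src=10.1.1.9
2018-03-05T09:05:05 auth OK   user=carol src=10.1.1.9
2018-03-05T09:10:00 auth FAIL user=dave src=203.0.113.4
2018-03-05T09:10:01 auth FAIL user=erin src=203.0.113.4
2018-03-05T09:10:02 auth FAIL user=frank src=203.0.113.4
2018-03-05T09:10:03 auth FAIL user=grace src=203.0.113.4
2018-03-05T09:10:04 auth FAIL user=heidi src=203.0.113.4
2018-03-05T09:10:05 auth FAIL user=ivan src=203.0.113.4
2018-03-05T09:10:06 auth OK   user=ivan src=203.0.113.4
2018-03-05T09:30:00 auth FAIL user=alice src=10.1.1.5
2018-03-05T09:30:04 auth OK   user=alice src=10.1.1.5
"""

# Assumed line format; a real SIEM would have a parser per log source.
LINE_RE = re.compile(r"^(\S+) auth (FAIL|OK)\s+user=(\S+) src=(\S+)$")


def parse(log):
    """Return (time, result, user, src) tuples in chronological order."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the pipeline
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return sorted(events)


def naive_rule(events):
    """Untuned rule: one alert per failed logon. Pure noise on a busy network."""
    return [(t, src, user) for t, r, user, src in events if r == "FAIL"]


def per_user_threshold(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a single account fails >= threshold times inside the window.
    Quiet, but blind to a spray that tries each account only once."""
    alerts = []
    recent = defaultdict(list)  # user -> failure timestamps in window
    for t, r, user, src in events:
        if r != "FAIL":
            continue
        q = recent[user]
        q.append(t)
        while q and t - q[0] > window:
            q.pop(0)
        if len(q) >= threshold:
            alerts.append((t, user))
            q.clear()  # suppress repeat alerts for the same burst
    return alerts


def spray_then_success(events, min_fails=5, min_users=3,
                       window=timedelta(minutes=5)):
    """Correlated rule: a source fails against many distinct accounts within
    the window and then succeeds. Fires once per burst, on the real attack."""
    alerts = []
    fails = defaultdict(list)  # src -> [(time, user)]
    for t, r, user, src in events:
        if r == "FAIL":
            fails[src].append((t, user))
            continue
        window_fails = [(ft, fu) for ft, fu in fails[src] if t - ft <= window]
        if (len(window_fails) >= min_fails
                and len({fu for _, fu in window_fails}) >= min_users):
            alerts.append((t, src, user))
            fails[src] = []  # one alert per burst, not one per later success
    return alerts


def alert_counts(log=SAMPLE_LOG):
    """Alerts each rule raises on the sample log: 11, 0 and 1 respectively."""
    events = parse(log)
    return {
        "naive": len(naive_rule(events)),
        "per_user_threshold": len(per_user_threshold(events)),
        "spray_then_success": len(spray_then_success(events)),
    }


if __name__ == "__main__":
    for rule, n in alert_counts().items():
        print(f"{rule:20s} {n} alert(s)")
```

The numbers are the point: eleven alerts for one real incident is the “static” the paragraph above describes, and the quietest rule is the one that would have let the spray walk in. Whether a SIEM detects anything depends on rules like the third one being written and maintained, which is exactly what an audit that scores capability on the presence of the product cannot see.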

In a positive end to this story, the NSW Government has acknowledged its failings and ‘will endeavour’ to implement the auditor-general’s recommendations. The creation of a government chief information security officer has been pointed to as an example of how seriously the cyber threat is being taken.

Hopefully it’s not too little, too late – but then again, we’ll probably never know.

On 2018-03-10
