{"id":1356,"date":"2024-09-22T21:10:20","date_gmt":"2024-09-22T21:10:20","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1356"},"modified":"2024-10-18T10:15:57","modified_gmt":"2024-10-18T10:15:57","slug":"nsw-government-a-case-study-in-how-not-to-do-cyber","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/nsw-government-a-case-study-in-how-not-to-do-cyber\/","title":{"rendered":"NSW Government \u2013 a case study in how not to do cyber"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img fetchpriority=\"high\" decoding=\"async\" width=\"476\" height=\"318\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/See_No_Evil_Hear_No_Evil_Speak_No_Evil.webp\" alt=\"See_No_Evil_Hear_No_Evil_Speak_No_Evil\" class=\"wp-image-1357\" style=\"width:688px;height:auto\"\/><\/figure>\n<\/div>\n\n\n<p>It\u2019s a good thing state authorities are exempt from Australia\u2019s recently introduced mandatory breach disclosure regime \u2013 good for them at least, not so much for the rest of us.<br><br>The legislation, which compels organisations to notify customers if their personal information is involved in a \u2018serious\u2019 data breach only <a href=\"https:\/\/www.theaustralian.com.au\/business\/technology\/cybersecurity-ndb-law-among-the-weakest-in-the-world\/news-story\/a73c1d4bd5adbb76e4295b8c2c0c8cad\" target=\"_blank\" rel=\"noopener\">extends to organisations covered by the Australian Privacy Act<\/a>, so state and territory authorities fall outside of its reach.&nbsp;<br><br>Last week, the NSW auditor-general, Margaret Crawford, <a href=\"https:\/\/www.smh.com.au\/national\/nsw\/nsw-government-cyber-security-auditor-general-20180302-p4z2lb.html\" target=\"_blank\" rel=\"noopener\">released a review<\/a> into the State Government\u2019s cyber preparedness and the results were sobering.&nbsp;<br><br>She found \u201cthere is a risk that incidents will go undetected 
longer than they should, and opportunities to contain and restrict the damage may be lost.\u201d&nbsp;<br><br>This is largely due to the fact that four out of 10 NSW government agencies were found to have a \u2018low\u2019 or \u2018very low\u2019 capability to detect data breaches \u2013 only two in 10 had \u2018very high\u2019 capabilities.&nbsp;<br><br>This being the case, maybe it doesn\u2019t really matter that state authorities are exempt from breach disclosure laws because they\u2019d have no idea they were breached in the first place.&nbsp;<br><br>Which, frankly, is an even scarier proposition.&nbsp;<br><br>The report went on to give examples of real-life responses (or lack thereof) to cyber attacks against the State Government. In <a href=\"http:\/\/www.abc.net.au\/news\/2018-03-02\/cyber-security-in-nsw-public-sector-needs-improvement\/9503250\" target=\"_blank\" rel=\"noopener\">one case study<\/a>, an agency took 49 days to respond to an attack, which allowed the attacker to spread laterally into other government agencies.&nbsp;<br><br>In addition to \u201cpoor detection and response capabilities\u201d, Crawford <a href=\"https:\/\/www.itnews.com.au\/news\/nsw-govt-gets-an-f-for-cyber-security-486189\" target=\"_blank\" rel=\"noopener\">also found<\/a> an absence of \u201cwhole-of-government capability to detect and respond effectively to cyber security incidents\u201d.<br><br>To put this another way, the NSW Government is a textbook case study in how not to do cyber security. To do it any worse you\u2019d need to send attackers the data yourself.<br><br>While the above findings are all devastating in themselves, perhaps most alarming of all is that those agencies who were found to have a \u201chigh capability of detecting incidents\u201d were given that assessment due to their use of Security Incident and Event Management (SIEM) solutions.<br><br>Anyone who has used a SIEM before knows how expensive and ineffective they are. 
SIEMs generate so many false positives that \u2018finding a needle in a haystack\u2019 barely comes close to describing how many alerts an analyst must sift through before detecting an actual breach.&nbsp;<br><br>These log-based intrusion detection systems are manifestly outdated. More often than not, they \u201c<a href=\"https:\/\/www.scmagazine.com\/crying-wolf-combatting-cybersecurity-alert-fatigue\/article\/667677\/\" target=\"_blank\" rel=\"noopener\">cry wolf<\/a>\u201d, creating an avalanche of false positives which gives way to alert fatigue. This only benefits the attacker because they can slip through defences, hidden in the SIEM\u2019s endless static. &nbsp; &nbsp;<br><br>In a positive end to this story, the NSW Government has acknowledged its failings and \u2018will endeavour\u2019 to implement the auditor-general\u2019s recommendations. The creation of a government chief information security officer has been pointed to as an example of how seriously the cyber threat is being taken.<br><br>&nbsp;Hopefully it\u2019s not too little too late \u2013 but then again, we\u2019ll probably never know.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It&rsquo;s a good thing state authorities are exempt from Australia&rsquo;s recently introduced mandatory breach disclosure regime &ndash; good for them at least, not so much for the rest of us. 
The legislation, which compels organisations to notify customers if their personal information is involved in a &lsquo;serious&rsquo; data breach only extends to organisations covered by the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1357,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1356","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1356","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1356"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1356\/revisions"}],"predecessor-version":[{"id":4419,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1356\/revisions\/4419"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1357"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1356"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1356"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1356"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}