Local government cyber vulnerabilities exposed in pilot program

Risk Matters - Spring 2023

Phase one results of the LGIS cyber pilot program are out and look concerning; phase two, starting in mid-2023, will develop resources to support the entire sector in building capacity and capability to address cyber vulnerabilities.

Rolled out in 2022, phase one of the pilot supported participating members to better understand their cyber exposures and to develop targeted plans to address them. It also gave LGIS a representative sample from which to gauge the sector’s cyber risk position.

The pilot program highlighted a number of deficiencies across the cyber control environment, with most local governments assessed at Maturity Level Zero (that is, below Maturity Level One) on the Australian Signals Directorate (ASD) Essential Eight maturity model.


Approach for phase one

Conduct a cyber security assessment against the Essential Eight requirements for the participating pilot group of LGIS members, and submit a detailed report including the findings and maturity ratings for each local government. The Essential Eight was first published by ASD in 2017 as a baseline set of mitigation strategies; the revised Essential Eight Maturity Model used for this assessment was released in 2021.

The findings of this assessment were consistent with successive Office of the Auditor General (OAG) reports: each of the four local government information systems audit reports issued since 2019 found that the sector’s cyber security readiness is inadequate. The most recent, ‘Information Systems Audit – Local Government 2021-22’, released this year, audited 53 local government entities and found 324 control weaknesses, 225 of which (69%) were unresolved issues carried over from the prior year.

The 2022 JLT Public Sector Risk Report also highlighted cyber security among the top five risks for the sector both nationally and in WA.

The pilot program aimed to work out a baseline for the sector’s cyber control environment. The members selected were based on a range of factors such as size and internal cyber resources, service provider dependency, and regional challenges.

Implementation of controls by pilot participants

Focus areas to improve cyber security; pilot findings

Phase one found five key areas across participants which had poor control implementation. Members are encouraged to review these areas in their own practices to decrease cyber vulnerabilities.

Patch operating systems and patch applications

Patch management controls are essential to protect every organisation’s data and confidential information from threats such as ransomware and other malware. Patching operating systems and patching applications are two of the eight ASD Essential Eight strategies, and together they play a pivotal role in reducing a member’s exposure to security breaches, because most opportunistic intrusions exploit vulnerabilities for which a fix has already been published.

By applying security patches to both operating systems and applications within the timeframes the maturity model specifies (within two weeks of release for internet-facing services, or within 48 hours where an exploit exists), and by removing software the vendor no longer supports, each member closes known vulnerabilities before they can be used against it. This proactive approach also supports incident response: an attacker who lands on a patched system has fewer ways to escalate privileges or move laterally, which limits the impact of an incident.

In a security breach

In the unfortunate event of a security breach, up-to-date patching can mean the difference between a minor disruption and a major data breach. Local governments should therefore place a high priority on consistently patching their operating systems and applications, and on verifying (for example through regular vulnerability scanning) that patches have actually been applied, to strengthen their incident response capability and overall cyber resilience.

Restrict administrator privileges

Restricting administrative privileges is one of the Essential Eight strategies. Unlike standard users, who have limited control over their device, administrator accounts have full access and the ability to make system-wide changes, so any compromise of an administrator account, or of a workstation where one is in use, hands the attacker those same capabilities.

When these controls fail or are inadequately enforced, they create vulnerabilities that can be exploited by both internal and external threats. The consequences of such control failures can range from the loss of sensitive personal information to significant reputational damage. It is therefore imperative for each local government to establish and rigorously maintain effective controls that limit the extent of administrator privileges. This not only enhances overall security but also mitigates the risk of insider and outsider attacks.

The assessment highlights the critical importance of establishing robust security controls within the IT infrastructure. A key aspect of this process involves determining privileged access management rules and diligently applying them while considering the principles of segregation of duties, even for accounts with privileged access.

Privileged accounts need to be evaluated in the context of both privileged and unprivileged operating environments. The Essential Eight expects privileged users to have a separate account for day-to-day work, and privileged accounts to be prevented from browsing the internet, reading email and accessing other web services. Notably, many of these controls had not been implemented in the unprivileged operating environments: administrators were using privileged accounts, or workstations where privileged credentials were cached, for ordinary tasks. This underscores the need for security measures to extend to every part of the IT environment, not just the servers and management consoles, to achieve a holistic and effective security posture.

User application hardening

User application hardening means configuring the applications that routinely handle untrusted content from the internet, principally web browsers, Microsoft Office and PDF readers, so that they cannot be used to run attacker-supplied code. Under the Essential Eight this includes preventing browsers from processing Java and web advertisements from the internet, removing or disabling Internet Explorer 11, blocking Office and PDF software from creating child processes, creating executable content or injecting code into other processes, and preventing users from changing these security settings. It is not about blocking web browser access altogether.

Hardening user applications reduces security risk by removing the attack vectors most commonly used in phishing and drive-by download campaigns, and so shrinks the system’s attack surface. By configuring and locking down these applications, each local government can significantly improve its resilience against commodity malware.

This approach not only strengthens security but also safeguards critical systems and sensitive data from unauthorised access and potential breaches. The critical aspect is to review and test the implemented rules to ensure their effectiveness and functionality.
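As an added example (not part of the original LGIS article or its guide), the following PowerShell applies several of the Office and PDF hardening settings described above using Microsoft Defender attack surface reduction (ASR) rules, starting in audit mode so that the rules can be reviewed and tested before being enforced. It assumes Microsoft Defender Antivirus is the active antivirus on a Windows 10/11 workstation and that the script is run from an elevated prompt; the rule GUIDs are Microsoft’s published identifiers, while the choice of rules and the function names are this example’s own.

```powershell
# Added example: apply Essential Eight user application hardening settings
# for Office and PDF readers via Defender ASR rules, then report their state.
# Assumptions: Defender AV is active, script runs elevated on Windows 10/11.

# Microsoft's published ASR rule GUIDs (descriptions are Microsoft's rule names).
$AsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}

function Set-OfficeHardening {
    # $Action is 'AuditMode' (log only) or 'Enabled' (block). Roll out in audit
    # mode first, review the events, then switch to Enabled.
    param([ValidateSet('AuditMode', 'Enabled')][string]$Action = 'AuditMode')

    $ids     = @($AsrRules.Keys)
    $actions = @($ids | ForEach-Object { $Action })   # one action per rule id
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                     -AttackSurfaceReductionRules_Actions $actions
}

function Get-OfficeHardeningState {
    # Pair each configured rule id with its action so the state is readable.
    $pref = Get-MpPreference
    $map  = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
        if ($AsrRules.Contains($id)) {
            [pscustomobject]@{
                Rule   = $AsrRules[$id]
                Action = $map[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
            }
        }
    }
}

function Get-AsrEvents {
    # 1122 = would have blocked (audit), 1121 = blocked (enforced).
    # Review 1122 events before enforcing; each one is either an attack
    # or a business process that needs an exclusion.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Set-OfficeHardening -Action AuditMode
Get-OfficeHardeningState | Format-Table -AutoSize
Get-AsrEvents | Format-List
```

After a review period with no unexplained 1122 events, re-run `Set-OfficeHardening -Action Enabled`. In a domain these same rules should be deployed through Group Policy or Intune rather than per machine, so that users cannot change them, which is itself an Essential Eight requirement.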

Configure Microsoft Office macros

Configuring Microsoft Office macro settings is another of the Essential Eight strategies. Macros are scripts embedded in Office documents, and a document received by email or downloaded from the internet can carry a macro that, when enabled, downloads and runs malware on the user’s workstation. Because this is one of the most common initial access techniques used against organisations, configuring macros properly is a strong defence against a prevalent cyber threat.

The aim is to ensure that only authorised and trusted macros can execute within the environment, reducing the risk of malicious code execution. To achieve this, members can implement policies and controls that: disable macros entirely for users without a demonstrated business need; block macros in files that originated from the internet for everyone; allow only macros that are digitally signed by a trusted publisher or that run from a controlled trusted location; enable antivirus scanning of macros; and prevent users from changing macro security settings. Together these establish a comprehensive barrier against macro-borne malware and strengthen the overall cyber security posture.

Based on the assessments, it is clear that among the ASD Essential 8 topics, configuration macro settings demonstrate the lowest level of maturity. This means that when compared to other areas, this aspect is often overlooked and falls behind in terms of implementation across most local governments.

This control is probably overlooked because the rules concerning macro settings are quite detailed and none of them are applied in the default Office configuration, which still lets users click through a warning and enable macros. Greater consideration needs to be given to macro settings, especially where complex legacy systems and long-standing spreadsheet-based business processes depend on macros and could hinder implementation. The security rules for each such system need to be assessed collectively, in collaboration with all relevant stakeholders across the organisation, to arrive at an effective and workable configuration.

Therefore, it is crucial for each member to acknowledge the significance of prioritisation and diligence in implementing these rules. In simpler terms, giving due attention and effort to this control is vital for overall cybersecurity.
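The following PowerShell is an added example, not part of the LGIS article or the phase two guide, showing what the macro settings described above look like as Office policy registry values, together with a check that reports whether each application is compliant. It assumes Microsoft 365 Apps or Office 2016/2019 (registry version `16.0`); the `VBAWarnings`, `blockcontentexecutionfrominternet`, `macroruntimescanscope` and `AllLocationsDisabled` values are the documented Office policy settings, while the function names and the chosen application list are this example’s own.

```powershell
# Added example: set and audit Essential Eight macro settings for Office.
# Assumptions: Office 16.0 registry layout; run in the user's context for a
# local test. In production deploy the same values via Group Policy / Intune.

$Apps = 'Word', 'Excel', 'PowerPoint'
$Base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# VBAWarnings: 4 = disable all macros without notification (no business need),
#              3 = disable all except digitally signed macros (approved users).
function Set-MacroPolicy {
    param([ValidateSet(3, 4)][int]$VbaWarnings = 4,
          [bool]$DisableTrustedLocations = $true)

    foreach ($app in $Apps) {
        $sec = Join-Path $Base "$app\Security"
        New-Item -Path $sec -Force | Out-Null
        Set-ItemProperty -Path $sec -Name VBAWarnings -Type DWord -Value $VbaWarnings
        # Block macros in files with the Mark of the Web (downloaded / emailed).
        Set-ItemProperty -Path $sec -Name blockcontentexecutionfrominternet -Type DWord -Value 1

        # Trusted locations bypass macro security; disable them unless a
        # specific, controlled folder has been approved for signed macros.
        $tl = Join-Path $sec 'Trusted Locations'
        New-Item -Path $tl -Force | Out-Null
        Set-ItemProperty -Path $tl -Name AllLocationsDisabled -Type DWord `
            -Value ([int]$DisableTrustedLocations)
    }
    # AMSI runtime scanning of macros: 2 = scan in all documents.
    $common = Join-Path $Base 'Common\Security'
    New-Item -Path $common -Force | Out-Null
    Set-ItemProperty -Path $common -Name macroruntimescanscope -Type DWord -Value 2
}

function Test-MacroPolicy {
    # Returns one row per application; Compliant is $false if any value
    # is missing or weaker than required.
    $scan = (Get-ItemProperty -Path (Join-Path $Base 'Common\Security') `
              -ErrorAction SilentlyContinue).macroruntimescanscope
    foreach ($app in $Apps) {
        $sec = Join-Path $Base "$app\Security"
        $p   = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue
        $tl  = Get-ItemProperty -Path (Join-Path $sec 'Trusted Locations') -ErrorAction SilentlyContinue
        $ok  = ($p.VBAWarnings -in 3, 4) -and
               ($p.blockcontentexecutionfrominternet -eq 1) -and
               ($tl.AllLocationsDisabled -eq 1) -and
               ($scan -eq 2)
        [pscustomobject]@{
            Application       = $app
            VBAWarnings       = $p.VBAWarnings
            BlockInternetMacros = $p.blockcontentexecutionfrominternet
            TrustedLocationsOff = $tl.AllLocationsDisabled
            AmsiScanScope     = $scan
            Compliant         = $ok
        }
    }
}

Set-MacroPolicy -VbaWarnings 4
Test-MacroPolicy | Format-Table -AutoSize
```

For the small group of users with a demonstrated business need, apply `-VbaWarnings 3` through a separate policy scoped to that group, and sign the approved macros with an internal code-signing certificate. Running `Test-MacroPolicy` across a fleet (for example through a scheduled task that writes the result to a central share) gives the evidence needed to rate this control rather than relying on the default configuration.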

Application control

Application control is the formulation and enforcement of an allow list of the executables, software libraries, scripts, installers and other code that are permitted to run, with everything else blocked. This shrinks the attack surface and directly mitigates malware: a malicious file that is downloaded or emailed to a user simply cannot execute. Application control also reduces the impact of user error, aids incident response by containing threats that would otherwise spread, and provides fine-grained control tailored to specific security needs. Under the Essential Eight, Maturity Level One requires application control at least within user profiles and temporary folders, and higher levels extend it to all locations and to servers. Members should therefore institute controls that explicitly identify permitted applications, are centrally managed, log allowed and blocked execution events, and are protected on workstations and servers against unauthorised alteration.
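As an added example, not code from the LGIS article or its guide, the following PowerShell builds an AppLocker allow list from the software installed on a reference workstation, applies it locally in audit-only mode, and tests whether a file in a user’s Downloads folder would be allowed. It assumes Windows 10/11 Enterprise or Education (AppLocker is not enforced on Home or Pro editions), an elevated prompt, and a clean reference machine; the directory list, output path and function names are this example’s own choices. The `Get-AppLockerFileInformation`, `New-AppLockerPolicy`, `Set-AppLockerPolicy` and `Test-AppLockerPolicy` cmdlets are part of Windows.

```powershell
# Added example: generate, audit and test an AppLocker allow list.
# Assumptions: Windows Enterprise/Education, elevated prompt, reference build.

$PolicyPath = 'C:\Temp\applocker-audit.xml'      # assumed output location

function New-ReferenceAllowList {
    # Collect file information (publisher signature, hash, path) for code in
    # the locations a standard build installs to. Anything a user later
    # drops into their profile or a temp folder is outside this set.
    $dirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
    $info = foreach ($d in $dirs) {
        Get-AppLockerFileInformation -Directory $d -Recurse `
            -FileType Exe, Dll, Script, WindowsInstaller -ErrorAction SilentlyContinue
    }
    # Prefer publisher rules (survive patching); fall back to hash rules
    # for unsigned files. -Optimize merges rules that share a publisher.
    $xml = New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
               -User Everyone -Optimize -IgnoreMissingFileInformation -Xml
    [xml]$doc = $xml
    # Start in AuditOnly: events are logged but nothing is blocked.
    foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
        $rc.EnforcementMode = 'AuditOnly'
    }
    New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null
    $doc.Save($PolicyPath)
    $PolicyPath
}

function Enable-AppLockerAudit {
    # The Application Identity service must run for AppLocker to evaluate
    # anything; sc.exe is used because the service's start type is protected.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service AppIDSvc -ErrorAction SilentlyContinue
    Set-AppLockerPolicy -XmlPolicy $PolicyPath   # local policy, no -Ldap
}

function Test-UserDownload {
    # Reports what the policy would do with a file in the user's profile.
    param([string]$Path)
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Path -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Get-AppLockerAuditEvents {
    # 8003 = would have been blocked (audit), 8004 = blocked (enforced).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003, 8004
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

New-ReferenceAllowList
Enable-AppLockerAudit
Test-UserDownload -Path "$env:USERPROFILE\Downloads\setup.exe"   # constructed test path
Get-AppLockerAuditEvents | Format-List
```

Run in audit mode for a few weeks, review the 8003 events for legitimate line-of-business software that the reference build missed, add rules for it, and only then change `EnforcementMode` to `Enabled`. Deploying the policy by Group Policy (`Set-AppLockerPolicy -Ldap`) rather than per machine gives the central management and change protection the text calls for.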

Phase 2 – developing a ‘How to’ guide to improve your cyber controls

Phase two of the pilot will develop a cyber guide to assist members in implementing the ASD Essential Eight control environment. During the second phase, extensive guidelines will be developed that explain each Essential Eight requirement and the implementation steps needed to comply with it to the greatest extent possible.

Phase one also found that many members already carry exceptions across several Essential Eight domains, for example legacy applications that cannot be patched or that depend on macros. The guidelines will therefore include instructions on how to document, risk-assess, compensate for and periodically review these pre-existing exceptions within the IT environment, so that an exception does not quietly become a permanent gap.

To have a chat about your cyber risk practices and how to manage them, please get in touch with your LGIS account manager.

