Security fail lets crims lurk to steal taxpayers’ data
Exclusive: Critical government agencies including the departments of Defence, Health and Home Affairs are risking their websites being commandeered by criminals as a damning audit has revealed they have failed to adopt their own security protocols.
A whopping 12 out of 14 federal government departments were discovered not blocking domain spoofing emails, leaving them vulnerable to be mimicked by criminals trying to trick people into giving up vital identity details.
This is despite the Federal Government's own cyber security domain guidance issued four years ago.
The 2016 report titled "Malicious Email Mitigation Strategies", issued by the Australian Signals Directorate (a division of Defence) and the Australian Cyber Security Centre, recommended the government and private sector implement domain authentication to stop messages from would-be impostors from reaching the inbox.
For the past 12 months, US-headquartered cyber security firm Proofpoint has analysed all 14 federal government departments' domains to see which ones had adopted the cyber protocols.
Their report from last month concluded: "Only the Department of Finance and the Department of Agriculture, Water and the Environment are fully implemented and proactively blocking domain spoofing emails from their domains … This leaves 12 departments with no proactive protection against cybercriminals impersonating their official domain to send phishing emails."
Proofpoint's Australia and New Zealand vice president Crispin Kerr said yesterday Domain-based Message Authentication, Reporting & Conformance (DMARC) was a critical tool in cyber war.
"We don't like to name and shame those that have not achieved the DMARC reject policy but the recommendations were for everyone and it was an Australian Signals Directorate directive and cyber security directive that government departments should implement the DMARC standard and follow that through," he told News Corp Australia.
"It is an opportunity for the Federal Government to take an initiative that will ultimately protect everyday citizens, Australian businesses and the Australian government itself from fraud through their domains, so it's within every government's power to execute on a project like this and obviously they should follow the directive."
Mr Kerr said spoofing of an agency domain allowed criminals to send emails in the name of unsuspecting employees to others, luring them into handing over further information for fraud or stealing files. Surprisingly, he said all of the State Governments had better cyber protocols than their federal counterparts.
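To make concrete what the audit means by a department being "fully implemented" at the DMARC reject policy versus having "no proactive protection", here is a small added example, not part of the original article and not Proofpoint's or any department's tooling. It parses the DMARC TXT record a domain publishes at `_dmarc.<domain>` and grades the policy: only `p=reject` applied to 100 per cent of mail (and to subdomains, if `sp` is set) counts as enforcing; `quarantine`, partial percentages or `p=none` are weaker; a missing or malformed record gives receivers nothing to act on. The domain names and records below are constructed placeholders, not the real records of any government department.

```python
from typing import Dict, Optional

# Constructed sample records (placeholders, NOT real department DNS data).
# A value of None means no _dmarc TXT record is published at all.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "finance.example.gov.au": "v=DMARC1; p=reject; rua=mailto:dmarc@finance.example.gov.au; pct=100",
    "health.example.gov.au": "v=DMARC1; p=none; rua=mailto:dmarc@health.example.gov.au",
    "defence.example.gov.au": "v=DMARC1; p=quarantine; pct=25",
    "home.example.gov.au": None,
    "broken.example.gov.au": "v=spf1 include:_spf.example.net -all",  # an SPF record, not DMARC
}


def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into tag/value pairs.

    Returns None when there is no record or it is not a DMARC1 record
    (per RFC 7489 the 'v=DMARC1' tag must be present and come first).
    """
    if record is None:
        return None
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # ignore empty segments and malformed tags
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not record.strip().lower().startswith("v=dmarc1") or tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify(record: Optional[str]) -> str:
    """Grade a domain's DMARC posture.

    'enforcing'    -> p=reject on 100% of mail, subdomains no weaker
    'partial'      -> quarantine, or reject only on a sample / not on subdomains
    'monitor-only' -> p=none: reports flow, but spoofed mail is still delivered
    'invalid'      -> DMARC1 record present but unusable (no p tag, bad pct)
    'missing'      -> no DMARC record published
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"  # 'p' is mandatory; receivers cannot act without it
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    if policy == "none":
        return "monitor-only"
    subdomain_policy = tags.get("sp", policy).lower()
    if policy == "reject" and pct == 100 and subdomain_policy == "reject":
        return "enforcing"
    return "partial"


def audit(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count how many domains fall into each posture, as the audit tallied departments."""
    summary: Dict[str, int] = {}
    for domain, record in records.items():
        grade = classify(record)
        summary[grade] = summary.get(grade, 0) + 1
    return summary


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:28} {classify(record)}")
    print(audit(SAMPLE_RECORDS))
```

Against real domains the record would come from a DNS TXT lookup of `_dmarc.<domain>` rather than the constructed dictionary; the grading logic is the same. Only the "enforcing" grade corresponds to the proactive blocking the report credits to Finance and Agriculture; "monitor-only" is the common halfway state in which a department receives reports about impersonation but receivers still deliver the spoofed mail.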
As reported last month, Chinese state-sponsored hackers were making thousands of attempts a day on Australians, notably attempting to steal military secrets related to the Navy submarine and frigate building program and other sensitive projects.
Currently most government departments have programs to identify fraud emails after they arrive, rather than identifying and blocking spoofed domains before delivery, with Defence conceding delays in its cyber defences.
"Defence's primary internet connected environment is protected from malicious activity via a number of means including its managed gateway service," a Defence spokeswoman said yesterday of the apparent audit failure.
"The department is progressing a staged implementation of DMARC that includes ensuring changes to security protocols also address any potential impacts to business. Defence's approach to cybersecurity is risk-based and employs the defence-in-depth methodology. It has systems and processes in place to detect and respond to malicious activity and continually improves upon those in line with the contemporary threat."
The Federal Government last month announced a $1.67 billion investment over 10 years for its Cyber Security Strategy 2020, including upgrading the security of critical infrastructure, with the possibility of mandated penalties for contractors who fail to meet new regulations.