Hacker attack and data breach, information leak and cybersecurity concept.
Hacker attack and data breach, information leak and cybersecurity concept.

Security fail lets crims lurk to steal taxpayers’ data

Exclusive: Critical government agencies including the departments of Defence, Health and Home Affairs are risking their websites being commandeered by criminals as a damning audit has revealed they have failed to adopt their own security protocols.

A whopping 12 out of 14 federal government departments were discovered not blocking domain spoofing emails, leaving them vulnerable to be mimicked by criminals trying to trick people into giving up vital identity details.

This is despite the Federal Government's own cyber security domain guidance issued four years ago.

The 2016 report titled "Malicious Email Mitigation Strategies" issued by the Australian Signals Directorate, a division of Defence and the Australian Cyber Security Centre recommended the government and private sector implement domain authentication to stop messages from would-be impostors from reaching the inbox.

 

 

For the past 12 months, US-headquartered cyber security firm Proofpoint has analysed all 14 federal government departments' domains to see which ones had adopted the cyber protocols.

"Their report from last month concluded: "Only the Department of Finance and the Department of Agriculture, Water and the Environment are fully implemented and proactively blocking domain spoofing emails from their domains … This leaves 12 departments with no proactive protection against cybercriminals impersonating their official domain to send phishing emails."

 

Cyber security firm Proofpoint Australian boss Crispin Kerr.
Cyber security firm Proofpoint Australian boss Crispin Kerr.

 

Proofpoint's Australia and New Zealand vice president Crispin Kerr said yesterday Domain-based Message Authentication, Reporting & Conformance (DMARC) was a critical tool in cyber war.

"We don't like to name and shame those that have not achieved the DMARC reject policy but the recommendations were for everyone and it was an Australian Signals Directorate directive and cyber security directive that government departments should implement the DMARC standard and follow that through," he told News Corp Australia.

 

"It is an opportunity for the Federal Government to take an initiative that will ultimately protect everyday citizens, Australian businesses and the Australian government itself from fraud through their domains so it's within every governments power to execute on a project like this and obviously they should follow the directive."

Mr Kerr said spoofing of an agency domain allowed criminals to then send emails on behalf of unsuspecting employees to others to lure them into sending further information for fraud or steal files. Surprisingly, he said the State Governments, all states, had better cyber protocols than federal counterparts.

As reported last month, the China State-sponsored hackers were making thousands of attempts a day on Australians, notably attempting to steal military secrets related to the Navy submarine and frigate building program and other sensitive projects.

 

A Navy cyber intelligence officer at the Australian Signals Directorate’s Australian Cyber Security Centre. Picture: Supplied
A Navy cyber intelligence officer at the Australian Signals Directorate’s Australian Cyber Security Centre. Picture: Supplied

 

Currently most government departments have programs to identify fraud emails as opposed to identifying and blocking poor domains with Defence conceding delays in cyber defences.

"Defence's primary internet connected environment is protected from malicious activity via a number of means including its managed gateway service," A Defence spokeswoman said yesterday of the apparent audit failure.

"The department is progressing a staged implementation of DMARC that includes ensuring changes to security protocols also address any potential impacts to business. Defence's approach to cybersecurity is risk-based and employs the defence-in-depth methodology. It has systems and processes in place to detect and respond to malicious activity and continually improves upon those in line with the contemporary threat."

The Federal Government last month announced a $1.67 billion investment over 10 years for its Cyber Security Strategy 2020 including upgrading security of critical infrastructure with the possibility of mandated penalties for contractors who fail to meet new regulations.

 

Originally published as Security fail lets crims lurk to steal taxpayers' data

The Australian Cyber Security Centre. Picture: Supplied
The Australian Cyber Security Centre. Picture: Supplied

Dual wins for Cherbourg Council in Change Maker Awards

Premium Content Dual wins for Cherbourg Council in Change Maker Awards

The Cherbourg Aboriginal Shire Council has won two awards at the Change Maker...

Cancer stats reveal harrowing truth for South Burnett

Premium Content Cancer stats reveal harrowing truth for South Burnett

YOU‘RE 15 per cent more likely to die of cancer in the South Burnett. Holly Cormack...

CRIME WRAP: 9 to face court after busy week for Burnett cops

Premium Content CRIME WRAP: 9 to face court after busy week for Burnett cops

From drink driving to stealing, this is everything police from Murgon, Cherbourg...