Australian Information Security Audit Report October 02 2019
Ethical hackers from Queensland’s Audit Office were able to exploit vulnerabilities in the IT systems of three state government entities to access sensitive information during recent cyber security testing.
“The fact that our consultants successfully compromised all three entities’ ICT environments and could access their sensitive or non-public data demonstrates there were gaps in their mitigation strategies,” the report states.
On 1 October 2018, in policy requirement three of the information security policy, the Queensland Government Chief Information Office made the Essential Eight mitigation strategies a minimum security requirement. For this audit, we focused on what the ACSC calls the ‘Top 4’ strategies, because it has stated that, if organisations effectively implemented these, they would mitigate at least 85 per cent of cyber intrusions.
The Top 4 mitigation strategies include:
- application whitelisting
- patching applications
- restricting administrative privileges
- patching operating systems
The audit office said none of the entities had implemented effectively.