Cyber security alarm in Canberra

[InfoSec News <isn () c4i org>]

http://australianit.news.com.au/common/storyPage/0,3811,2904111%255E442,00.html

Selina Mitchell
21 September 2001 

INSECURE and vulnerable government websites have been fortified
against cyber attacks after an Auditor-General's security review.

But the security levels were still insufficient in the majority of
cases, acting Auditor-General Ian McPhee reported.

In the midst of the crippling Nimda computer virus attacks, Mr McPhee
said audited federal government agencies had not properly secured
their internet services and had been forced to fix a number of
vulnerabilities during the process of the audit.

The vulnerabilities threatened the confidentiality, availability and
integrity of crucial government information systems and data holdings,
Mr McPhee said.

The report was released on the same day the federal parliamentary
network was among those struck by Nimda, which has affected government
and business websites, and internet traffic worldwide.

Network services, which provide access to the internet for all
parliament house staff and their 250 electorate offices, were expected
to be fully functional again this morning.

Access to the network was disrupted from about 8.30pm on Wednesday.

Ten agencies' internet, email and website services were scrutinised by
the audit office and the Defence Signals Directorate.

Six were found to have significant vulnerabilities, potentially
exploitable by a malicious user over the internet. Security issues
were identified in all sites tested.

The agencies were advised to fix the problems and conduct a thorough
risk assessment and review of security policy.

"For the majority of agency websites in the audit, the current level
of internet security is insufficient, given the threat environment and
vulnerabilities identified within a number of agency sites," Mr McPhee
said.

The increasing reliance on electronic government to deliver programs
and services created additional security risks, Mr McPhee said.

Security levels across the audited agencies varied significantly from
very good to very poor, he concluded.

All agencies audited had prepared an IT security policy but they
varied in quality. Only the larger agencies, particularly those that
managed IT resources in-house, had developed comprehensive security
and disaster recovery plans.

The audited agencies included the Bureau of Statistics, Treasury and
the tax office.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.