SHOCK HORROR: Oz's biggest govt agencies to miss infosec deadline

Australia's largest government agencies will miss a July deadline to implement even basic information security controls. The Australian National Audit Office's (ANAO's) annual report says that the country's biggest government agencies won't deploy Defence-issued controls to implement fast patching and organisation-wide …

COMMENTS
  1. Anonymous Coward

    "...to implement even basic information security controls"

    While I would be happy to accept the call that three of the ASD top four mitigation controls are "basic", application whitelisting is definitely far from basic. It's not commonly used, it is a very complex and incredibly risky control to implement, and a lot of people are rightfully worried about the potential impacts. I am implementing whitelisting on servers and the amount of hoops we need to go through to make sure everyone is happy we're not going to break anything is more than I'm used to :)

    On top of this, its value is still not well known, especially once attackers start becoming aware of it and trying to get around it.

    The other controls are definitely what I would call basic controls, but again "basic" doesn't mean "easy". Patch management and access control are things I have very rarely seen done well anywhere.

    While the ASD top 25 has been around for a while, the ASD top four is newer and the mandate to implement it is only a year old. So expecting these issues to be resolved in a year is rather optimistic in my view (especially when bureaucrats get involved), and none of this news surprises me in the least (and obviously not only me).

    1. Jonbays

      Application control works, and no, it's not hard to decide what apps you want who to run on what. Many groups are very easy to whitelist, like standard desktops, domain controllers, web servers and database servers, with a few exceptions, and the exception shouldn't make the rule. Patching whitelisted apps, though, gets harder, and patch management itself, while easy, is fraught with conflicting goals and timelines from app managers, ops and sec-ops people. Still, plenty of good sw to automate the Top 4 and make it achievable, at a cost of course.

  2. eldakka
    WTF?

    2 days? Tell them they're dreaming.

    "mandate application and operating system patching

    within two days of an update release"

    2 days?

    How are you expected to do the following in 2 days:

    1) Download patch(es);

    2) Deploy the patches to an RnD environment to see how the patch process runs, whether it can be automated or requires a GUI and clicking on 'next' buttons;

    3) Package/otherwise automate the patch for easy deployment to 100's of servers;

    4) arrange downtime for the dev environment to deploy the patch and any restarts that are required;

    5) install patch, perform any necessary restarts;

    6) Get signoff that the patch hasn't broken anything in dev and can proceed to the next environment;

    7) arrange downtime for the integration environment to apply the patch;

    8) install patch, perform any necessary restarts;

    9) get integration testing team signoff that the patch hasn't broken anything;

    10) arrange downtime in the system/performance testing environment to apply patches;

    11) apply patches in the system/performance testing environment and perform any necessary restarts;

    12) get signoff from testing team that patch doesn't break anything/cause performance issues;

    13) arrange downtime for production, including notifying external agencies that depend on your systems, informing other national governments that you have MOUs with stating 10-day notification of any outages to critical systems that they interface with;

    14) apply patch and perform any restarts that are necessary;

    15) cross fingers and hope no backout is required of the patch that's just been rushed through with limited verification testing.

    16) retrofit patch to other non-critical path environments - training, other dev/integration environments that are being used for future releases (can have up to 3 streams running simultaneously, current prod, next release, release after next release...)

    Multiply this by 100's of servers that an O/S patch may have to be applied to, and fight for outage windows and testing resources in environments that are fully booked for testing of the next LEGISLATIVE release that has to BY LAW go in anywhere from 24 hours to 3 months away and which (as usual) is running behind schedule.

    Sounds like they need to be hit with the reality stick.
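A compliance check over the kind of multi-environment pipeline described above, as an added example that is not part of the thread: it parses constructed patch-deployment log lines and reports, for each patch, whether it reached production within the quoted two-day window and which stage consumed the most time. The log format, stage names and patch identifiers are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log, one "timestamp patch stage" line per event; not from the thread.
SAMPLE_LOG = """\
2015-06-01T09:00 KB-EXAMPLE-1 released
2015-06-02T16:00 KB-EXAMPLE-1 dev
2015-06-04T10:00 KB-EXAMPLE-1 integration
2015-06-08T09:00 KB-EXAMPLE-1 perf
2015-06-15T22:00 KB-EXAMPLE-1 production
2015-06-03T08:00 KB-EXAMPLE-2 released
2015-06-03T20:00 KB-EXAMPLE-2 dev
2015-06-04T19:00 KB-EXAMPLE-2 production
2015-06-05T08:00 KB-EXAMPLE-3 released
2015-06-08T08:00 KB-EXAMPLE-3 dev
"""

SLA = timedelta(days=2)  # the two-day patching window quoted in the thread

def parse_log(text):
    """Return {patch: [(stage, timestamp), ...]} in log order."""
    events = {}
    for line in filter(None, text.splitlines()):
        ts, patch, stage = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M")
        events.setdefault(patch, []).append((stage, when))
    return events

def stage_hours(stages):
    """Hours a patch spent in each stage before the next stage was entered."""
    return {s1: (t2 - t1).total_seconds() / 3600
            for (s1, t1), (s2, t2) in zip(stages, stages[1:])}

def sla_report(text, sla=SLA):
    """Map each patch to (status, hours_to_production, slowest_stage)."""
    report = {}
    for patch, stages in parse_log(text).items():
        times = dict(stages)
        released, prod = times.get("released"), times.get("production")
        if released is None:
            report[patch] = ("no_release_time", None, None)
        elif prod is None:
            # Still in flight: already a breach if the window passed by the last event.
            late = stages[-1][1] - released > sla
            report[patch] = ("in_progress_breach" if late else "in_progress", None, None)
        else:
            hours = stage_hours(stages)
            total = (prod - released).total_seconds() / 3600
            status = "met" if prod - released <= sla else "breached"
            report[patch] = (status, total, max(hours, key=hours.get))
    return report
```

Running `sla_report(SAMPLE_LOG)` flags the first patch as breached after 349 hours with performance testing as the slowest stage, while a patch that skipped straight from dev to production met the window.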

  3. Michael Hoffmann

    Just who is surprised by this?

    Having been "IT security manager" at one such organisation, I can only laugh bitterly:

    <bitter laugh>Ha!</bitter laugh>

    Didn't last long because existence as a fig leaf for auditors wasn't my idea of a dream job.

    Procedure went something like this:

    - develop policy and procedure according to best practice and common sense

    - get buy in from the people who actually have to deal with the stuff (ops)

    - get audit tickbox

    - have CIO overrule it/ignore it

    When this finally happened with something as simple as the password policy (CIO decrees 6(!) character length, no special characters, probably because the fucking moron's password was 123456) I threw in the towel and walked.

    Yet, they were declared standard compliant by the auditors (the usual gaggle of smartly dressed boys and girls from Ernst&KPwC led by a senior partner who mostly was thinking about what vineyard or yacht he was going to add to his collection from the billables).

    1. Jonbays

      Re: Just who is surprised by this?

      You really have worked in Government IT, haven't you, and for as long as me by the sound of your very healthy cynicism!
