The Australian Cyber Security Centre helped federal, state and local government agencies avert compromise through a vulnerability in MobileIron mobile device management software last year.
The centre revealed the action it took to prevent widespread compromise in its 2020 cyber security posture report [pdf] to parliament on Thursday.
It was one of 14 “high-priority operational tasking activities” undertaken in response to potential cyber threats through its cyber hygiene improvements programs (CHIPs) last year.
CHIPs provide Commonwealth agencies with “data-driven and actionable information” to help guide and target their cyber security efforts.
ACSC said CHIPs “provide the ACSC with visibility of internet-facing websites across 187 Commonwealth entities”
“CHIPs has visibility of, and is tracking, cyber hygiene indicators across 71,315 active Commonwealth government domains,” it said.
“This represents an increase in visibility of 54,297 active domains since February 2020 – an increase of approximately 320 percent.
The ACSC added four major capabilities to CHIPs in 2020, including email encryption scanning, dominant website scanning and critical security vulnerability scanning.
In the case of Mobiletron, the ACSC was able to “quickly identify internet-exposed and vulnerable… systems across Commonwealth, state and territory, and local governments”.
“The ACSC notified all government entities operating vulnerable devices of the device details, the critical vulnerability and the urgent need to patch or otherwise mitigate the risk,” it said.
“This timely and actionable information from the ACSC allowed some government entities to pre-empt adversary exploitation of their MobileIron devices, in one case by hours.”
Scans were also conducted on IP addresses to identify vulnerable F5 devices, compromised Microsoft Exchange servers and Microsoft Windows Domain Controller Zerologon vulnerabilities.
ACSC noted the speed in the exploitation of publicly reported vulnerabilities had increased during 2020.
“Both Citrix and MobileIron vulnerabilities had some of the fastest turnarounds for exploitation attempts by malicious actors in 2020,” it said.
“Reporting showed adversaries attempting to exploit these vulnerabilities within days of proof-of-concept codes being publicly released.”
The ACSC also more than quadrupled its visibility over federal government devices last year through its host-based sensor program.
It said the expansion of the program – which “collects telemetry from government devices” to improve the detection of intrusions – went from a pilot covering 10,000 devices to 40,000 devices.
“The expansion has provided the ACSC with improved visibility of Commonwealth entities’ ICT systems, enabling the ACSC to provide threat surface reports to participating [entitles],” it said.
“These reports provide entities with insight into their cyber security posture, as well as targeted uplift advice, for those ICT systems enrolled in the program.
“In 2020, the ACSC produced 20 of these reports for participating Commonwealth entities.”
The ACSC also recently established the protective domain name system, which it describes as a “scalable cyber defence capability”.
“Under the pilot, the ACSC processed approximately 2 billion queries from eight Commonwealth entities over the period from April to December 2020 – and blocked 4683 unique malicious cyber threats, preventing over 150,000 threat events,” it said.
“In 2021–22, the capability will be offered to all Commonwealth entities.”
Cyber resilience remains “low”
The report also reiterates ongoing issues around compliance with the government’s mandatory cyber security controls, with only 33 percent of agencies reporting a ‘managing’ level of maturity for the Essential Eight contols in 2019-20.
An agency is considered as having achieved the ‘managing’ maturity level when it has implemented all of the Top Four cyber security controls and has considered the remaining four remaining voluntary controls.
“Initial analysis from AGD’s 2019-20 PSPF maturity reporting shows that entities’ self-assessed implementation of the mandatory Top Four mitigation strategies remains at low levels across the Australian Government,” ACSC said.
The bulk of agencies (55 percent) reported having a ‘developing’ level of maturity, which means an agency’s implementation of the Top Four has been “substantial, but not fully effective”, while 11 percent reported having an ‘ad hoc’ level of maturity – the lowest possible score.
Only one percent of agencies achieved the highest rating under the maturity model, though this was worse than the two percent of agencies that reported having an ‘embedded’ level of maturity in the 2018-19 reporting period.
Despite the results, the ASD said agencies were “still making positive progress in improving their cyber security culture”, citing particular improvements in governance, training and leadership engagement.
For instance, around 12 percent more of entities are now “fully aligned with the [‘user application hardening’] mitigation strategy compared with 2019”, while 10.5 percent of entities have “progressed from mostly to fully aligned with the ‘application control'”.
“In 2020, implementation of the Essential Eight across Commonwealth entities improved slightly in comparison with previous years,” ACSC said.
“More Commonwealth entities are taking steps to apply the baseline strategies and increase the maturity of their implementation.”
The ACSC also noted that 75 percent of agencies now include cyber resilience in their business continuity plans and have developed incident response plans, up from 51 percent in 2019.