Feds fail cyber security
CRITICAL government agencies including the departments of defence, health and home affairs are risking their websites being commandeered by criminals as an audit reveals they have failed to adopt their own security protocols.
Twelve of 14 Federal Government departments were not blocking domain spoofing emails, leaving them vulnerable to being mimicked by criminals trying to trick people into giving up identity details.
This is despite the Federal Government’s own cyber security domain guidance issued four years ago.
For the past 12 months, US-headquartered cyber security firm Proofpoint has analysed all 14 Federal Government departments’ domains to see which ones had adopted the cyber protocols.
Their report from last month concluded: “Only the Department of Finance and the Department of Agriculture, Water and the Environment are fully implemented and proactively blocking domain spoofing emails from their domains … This leaves 12 departments with no proactive protection against cybercriminals impersonating their official domain to send phishing emails.”
Proofpoint’s Australia and New Zealand vice president Crispin Kerr said yesterday Domain-based Message Authentication, Reporting & Conformance (DMARC) was a critical tool in cyber war.
He said spoofing of an agency domain allowed criminals to then send emails on behalf of unsuspecting employees to others to lure them into sending further information for fraud or theft. He said all the states had better cyber protocols than their federal counterparts.
Most government departments have programs to identify fraud emails, as opposed to identifying and blocking poor domains, with Defence conceding there had been delays.
“Defence’s primary internet connected environment is protected from malicious activity via a number of means including its managed gateway service,” a Defence spokeswoman said yesterday of the apparent audit failure.
“The department is progressing a staged implementation of DMARC that includes ensuring changes to security protocols.”