Report 28

Malware in the WA State Government

Introduction and Overview

Malware, short for malicious software, is a more visible part of a growing cyberthreat. Industry experts agree it is a case of not if, but when, an entity will be breached. Government agencies that store significant amounts of confidential and highly desirable personal information are prime targets for infiltration and attacks. The cost to the Australian economy of responding to cybercrime, including malware, is estimated to be as high as $1 billion per year.

The objective of this audit was to determine whether selected government agencies have effective controls to prevent, detect and respond to malware threats and malicious software infecting their computer systems.

Overview

Malware is a term used to describe all kinds of harmful or undesirable computer programs. Computer viruses, worms, and Trojans are all types of malware.

Malware can be designed to steal information from a user, such as usernames and passwords for online accounts, credit card numbers, and files or documents. It can also enable an attacker to have remote control of a computer and access to any connected networks.

In recent years, a popular malware variety known as ‘ransomware’ has emerged. This encrypts a user’s files and demands a ransom payment to unlock them. Some malware will also delete or corrupt files to disrupt a user. Ransomware attacks, when they succeed, are obvious to the user. Other types of malware will try to hide, operating without the user knowing for as long as possible.

There are 3 main ways that malware can infect a computer: downloading a malicious file, opening attachments to spam email, or using an infected USB stick or device. Malware creators will either trick a user into running their malware or exploit vulnerabilities in software to force the installation. Often, the user will be unaware that malware has installed itself.

Figure 1: Simple overview of the malware infection process

There are many parties involved in the protection and security of Australian government networks. Federally, the Australian Cyber Security Centre (ACSC) and the Australian Signals Directorate (ASD) mandate security requirements. Federal agencies are also required to report all security incidents to the ACSC.

Historically, the WA government has only had high-level cybersecurity requirements. A Public Sector Commissioner’s Circular[1] requires agencies to address cybersecurity risks. The Office of the Government Chief Information Officer (GCIO), which was established in July 2015, recently published the WA Digital Security Policy. However, the all-important security standards that will support the policy are still in development.

We performed 2 types of tests to assess if IT security at 6 agencies was effective at countering malware threats:

  • Compared agencies’ security processes and tools against recommended good practice. The traditional defence for malware has been anti-virus software. However, attacks have evolved to require more layers of security controls.
  • Analysed agency network traffic for any evidence of active malware infections and attempted malware attacks. At the first agency we captured traffic from outside its network, but this did not allow us to fully analyse the results. At the remaining 5 agencies we captured traffic from inside their networks.

Our assessment of network traffic had limitations. We could only capture data for short periods, 10 to 12 days including weekends, per agency due to the enormous volume of data. We were also unable to analyse encrypted network traffic, and our automated analysis tool could only check for known malware. It is therefore possible that there were more infections than we found in this audit. Further details of how we conducted this audit are included in Appendix 1.

[1] Public Sector Commissioner’s Circular 2010-05: Computer Information and Internet Security.

Page last updated: December 7, 2016