2021 has been ablaze with large-scale cyberattacks causing global disruption (SolarWinds, JBS, etc.) as well as more targeted attacks impacting organizations Down Under (Eastern Health, Nine Entertainment, Oxfam, and the WA Parliamentary Network – during the state election!).
With digital transformation accelerating and everyone adjusting to a “new normal”, how well are local governments across Australia poised to withstand the modern cyber threat scape?
The Report on Local Government 2020 by the New South Wales (NSW) Auditor General sheds some light on the subject. This new report looks at the financial management of the 128 local councils, nine county councils and thirteen joint organizations in New South Wales. The NSW report also delves into the underlying capabilities of these 150 bodies to manage, control, and secure the systems and processes required for financial integrity.
The auditor assesses specific controls for each council, including policies and procedures, IT risk management, user access management, and privileged user access restriction. The report found that “fifty-eight councils have yet to implement basic governance and internal controls” to manage cybersecurity. As the report highlights, without robust access management in place, organizations run the risk of inappropriate access and/or modification of sensitive data or transactions.
One security finding that stood out was that over half of the councils audited had insufficient monitoring of privileged account activities. This is concerning because privileged access is central to almost every security incident and breach today—from establishing an initial foothold, to lateral movement to escalating rights.
Another finding of concern was that one-third of councils had gaps in their user access management process, including inadequate periodic review of user access. Why is periodic review of user access important? In a report just out from the Identity-Defined Security Alliance (IDSA), timely reviews of privileged access were actually the most cited (50% of respondents) security control that could have prevented or mitigated a breach experienced by the respondents. Privilege creep is a real risk, and it is easy to overlook. Roles change or people leave the company, yet access and accounts remain active, such as for cloud resources. By routinely re-examining access usage and roles, you can fine-tune provisioning to ensure the organization adheres to least privilege principles. For instance, if an account with privileged access permission has been unused for 30 days, it is possible that the account is no longer needed and can be removed, eliminating risk. Or, if the account is rarely used, and perhaps only for very highly privileged activities, it may make sense to add an approval workflow before the account can be used and to alert others whenever it is in use, so that it receives closer surveillance.
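As an added illustration of the periodic review just described (example code written for this article, not code from the original post or from BeyondTrust), the following Python script applies the two rules above to a constructed inventory of privileged accounts: an account unused for 30 days or more is flagged for removal, and an account that is still in use but only rarely is flagged for an approval workflow plus alerting. The account names, the 90-day usage counts, the review date and the rare-use threshold of three uses are all assumptions; a real run would pull the same fields from a directory or PAM inventory export.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (assumed data, not from any real council).
# "last_used" is the most recent authenticated use of the account; None = never used.
# "uses_last_90d" is an assumed usage counter such as a PAM or SIEM export would provide.
SAMPLE_ACCOUNTS = [
    {"name": "svc-backup",    "privileged": True,  "last_used": "2021-05-30T08:15:00Z", "uses_last_90d": 88},
    {"name": "jsmith-admin",  "privileged": True,  "last_used": "2021-03-01T17:42:00Z", "uses_last_90d": 0},
    {"name": "dba-emergency", "privileged": True,  "last_used": "2021-05-20T02:05:00Z", "uses_last_90d": 1},
    {"name": "contractor-x",  "privileged": True,  "last_used": None,                   "uses_last_90d": 0},
    {"name": "helpdesk1",     "privileged": False, "last_used": "2021-06-01T09:00:00Z", "uses_last_90d": 60},
]

SAMPLE_NOW = "2021-06-02T00:00:00Z"   # assumed date on which the review is run

STALE_DAYS = 30      # unused for 30 days -> candidate for removal (the figure used in the text)
RARE_USE_MAX = 3     # at most this many uses in 90 days -> approval workflow + alerting (assumed threshold)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ('...Z') into an aware datetime; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def days_unused(last_used, now_iso):
    """Whole days since the account was last used; None if it has never been used."""
    last = parse_ts(last_used)
    if last is None:
        return None
    delta = parse_ts(now_iso) - last
    # A timestamp in the future (clock skew) counts as used today rather than as negative age.
    return max(delta.days, 0)


def review_privileged_access(accounts, now_iso, stale_days=STALE_DAYS, rare_use_max=RARE_USE_MAX):
    """Map each privileged account name to a recommendation.

    "remove"                     -> never used, or unused for at least stale_days
    "require-approval-and-alert" -> active but rarely used; gate and watch it
    "keep"                       -> in regular use, no action from this review
    Non-privileged accounts are outside the scope of this check and are skipped.
    """
    findings = {}
    for acct in accounts:
        if not acct["privileged"]:
            continue
        age = days_unused(acct["last_used"], now_iso)
        if age is None or age >= stale_days:
            findings[acct["name"]] = "remove"
        elif acct["uses_last_90d"] <= rare_use_max:
            findings[acct["name"]] = "require-approval-and-alert"
        else:
            findings[acct["name"]] = "keep"
    return findings


def report_lines(findings):
    """Render the findings as sorted, human-readable lines for the review record."""
    return [f"{name}: {action}" for name, action in sorted(findings.items())]


if __name__ == "__main__":
    for line in report_lines(review_privileged_access(SAMPLE_ACCOUNTS, SAMPLE_NOW)):
        print(line)
```

The two thresholds are deliberately parameters: the 30-day figure is the one the text uses, while the rare-use cut-off is a judgement call that each council would tune to its own change windows. Keeping the decision in a pure function also makes it straightforward to re-run the same review against each month's export and diff the recommendations.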
Given that the councils are collectively responsible for managing infrastructure and land assets worth in excess of $150 billion, along with provisioning a vast amount of essential infrastructure and services, these basic, foundational security weaknesses are rather alarming.
Steps to Bolster Security Controls Across Local Governments
While local government does not fall under Australia’s Notifiable Data Breach scheme, at a state level, there is a growing push to hold local governments accountable for cybersecurity incidents that lead to privacy breaches.
New South Wales is leading on this front with legislation before parliament that would force councils to assess and then report on “unauthorized access to, or unauthorized disclosure of, personal information”, which is likely to result in serious harm to individuals involved. With this in mind, IT teams need to address the gaps identified in the recent local government report.
The Australian Cyber Security Centre’s Essential Eight is a series of core mitigation strategies designed to improve the posture of organizations, thereby making it harder for cyber criminals to compromise systems, while also helping to limit the damage of a breach, should one occur. It outlines multiple levels of security maturity, helping to guide organizations in Australia, and around the world, through enhancing their cybersecurity.
Where local government IT teams want to go more deeply, the Australian Government Information Security Manual (ISM) provides a comprehensive list of guidelines and related security controls.
There is also an increasing push for government at all levels to align their IT security efforts with international standards such as ISO/IEC 27001, SOC 2 and FedRAMP, where appropriate. The Australian ISM and Essential Eight can act as a step toward meeting those international standards.
Maturing Privileged Access Management (PAM) Controls Maximizes Risk Reduction
Privileged access management (PAM) plays a significant role in the Essential Eight, and PAM controls were specifically called out in the NSW report as a glaring deficiency across local governments. Let’s take a closer look at how PAM controls help improve security posture and resilience—and why they are pivotal to surviving and thriving in the new normal.
Stolen credentials continue to be a primary attack vector for criminals to access organizations. Particularly valuable are credentials related to privileged accounts. Phishing is often used to collect these credentials, gain access, and then move throughout an organization, by exploiting privileges and/or vulnerabilities. PAM privileged password management solutions discover, onboard, and vault human, application, and machine credentials, and enforce credential security best practices (complexity, uniqueness, rotation after use, etc.).
While AV and antimalware solutions have a place in defending against known attacks, they are reported to miss 60% of attacks, and are even less effective when new variants of ransomware have yet to be documented. Enter least privilege.
Though least privilege is recognized as one of the most fundamental IT security strategies, the public sector has lagged in implementing it across endpoints. Least privilege focuses on delivering the right level of privilege—and only for the finite moments needed—for the completion of an activity or task. This is a highly effective control at reducing the threat surface from insiders and external threat actors, including ransomware.
As indicated in its Cyber Threat Report, the Australian Cyber Security Centre (ACSC) sees ransomware as the biggest threat to Australian organizations. Endpoint privilege management, also referred to as privilege elevation and delegation, is the PAM solution set used to enforce least privilege across users, servers, networked devices, and IoT. The leading endpoint privilege management solutions also provide application control capabilities, providing instant allow or deny decisions for application access or privilege elevation based on allow listing, block listing, and grey listing policies. This further mitigates risks around application security, helping to stop malware in its tracks.
PAM solutions should also have a secure remote access component that extends PAM best practices beyond the perimeter, such as to vendors and remote employees. These solutions should be able to proxy access to control planes and other applications, eliminating insecure use of VPN and RDP, which are common methods for ransomware and other threat actors to gain an initial foothold.
In addition, PAM solutions should provide robust monitoring and management of every privileged session, whether it involves a human, machine, application, vendor, or employee. Every action should be tied to a single identity for an unimpeachable audit trail.
Level Up Privilege Security Controls with BeyondTrust
With cyber threats – particularly ransomware and phishing – leveraging a more dispersed workforce and over-privileged accounts, local governments need to prioritize the protection and monitoring of privileged access.
BeyondTrust is recognized by every major analyst as a leader in privileged access management. Our universal privilege management model provides the most complete approach to securing every privileged user, asset, and session. Our platform is comprised of the following solutions that can be deployed together for a complete PAM solution, or individually to improve your privilege security controls in that particular domain.
BeyondTrust Privileged Password Management enables automated discovery and onboarding of all privileged accounts, secure access to privileged credentials and secrets, and auditing of all privileged activities. Security teams can instantly view any active privileged session, and, if required, pause or terminate it. Threat analytics aggregate user and asset data to baseline and track behavior and alert on critical risks. Video recording, keystroke indexing, full text search, and other capabilities make it easy to pinpoint data. Privileged Password Management reduces the risk of compromised privileged credentials for both human and non-human accounts, while helping organizations meet compliance requirements.
BeyondTrust Endpoint Privilege Management combines privilege management and application control to efficiently manage admin rights on Windows, Mac, Unix, Linux, and network devices, without hindering productivity. The solution elevates applications securely and flexibly via a powerful rules engine and comprehensive exception handling. Centralized auditing and reporting simplify the path to compliance. The solution enforces least privilege and eliminates local admin rights with fine-grained control that scales to secure your expanding universe of privileges, while creating a frictionless user experience.
BeyondTrust Secure Remote Access enables organizations to apply least privilege and robust audit controls to all remote access required by employees, vendors, and service desks. Users can quickly and securely access any remote system, running any platform, located anywhere, and leverage the integrated password vault to discover, onboard, and manage privileged credentials. The solution provides absolute visibility and control over internal and external remote access, secure connectivity to managed assets, and creates a complete, unimpeachable audit trail that simplifies your path to compliance.
Contact BeyondTrust today to learn how we can help you securely enable digital transformation, while eliminating dangerous privileged attack vectors.
Peter Vasey, Director, Marketing, APJ
With a passion for cybersecurity, Peter has spent more than 20 years in the IT industry helping to educate the market regarding solutions from the likes of Cisco, Symantec and LastPass. Peter joined BeyondTrust in 2021, responsible for APJ marketing, and is a member of the Australian Information Security Association (AISA).