Public sector mergers create significant cyber risks
Mergers, the reallocation of government functions and other major organisational changes within public sector organisations present major cyber security challenges, according to the Australian Cyber Security Centre.
Major organisational changes present significant opportunities for attackers, who can use social engineering and other low-sophistication techniques to cause significant harm, the centre said in a new publication.
A merger between two public sector organisations may increase the chance of systems being misconfigured, leaving them vulnerable to compromise, the ACSC warned.
Combining two organisations with different security postures may also lead to assumptions being made about the effectiveness of the combined organisation’s security controls. If adversaries have already compromised one organisation’s systems, connecting the two environments post-merger could give them easier access to the second organisation’s systems.
The key to understanding security postures between different organisations is sharing candid information as efficiently as possible, ACSC said. Examples can include an exchange of penetration testing results and cybersecurity incident registers.
ACSC also recommended that agencies consider conducting fresh penetration testing after a major organisational change to verify the security posture of any combined systems.
Before any systems are combined, ACSC recommends that agencies consider questions such as whether the systems are still under vendor support and fully patched, as well as how new systems will be patched, backed up, monitored and managed.
Cybersecurity governance, policies and standard operating procedures may also need to be updated to cover the combined systems.
Another significant challenge of maintaining strong security during organisational change involves file system and other data migration, the publication states.
When data is being migrated online, ACSC urges agencies to use technical measures including encryption and checksums to ensure data is not corrupted or modified in transit, and to appoint two trusted staff to oversee the transfer and verify that data is being sent to the intended destination.
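One way to implement the encryption-and-checksum step the ACSC describes, as an added example that is not from the ACSC publication or this article: a keyed (HMAC-SHA256) manifest is built at the source, carried to the destination separately from the data, and compared against a manifest built there. The key name and value are constructed for this example and are assumed to be agreed between the two oversight staff rather than sent with the data; a plain, unkeyed checksum transferred alongside the files would detect corruption but not deliberate modification.

```python
import hashlib
import hmac
from pathlib import Path

# Constructed example key: agreed between the two staff overseeing the transfer
# and never transmitted with the data. With a keyed digest, whoever alters a
# file in transit cannot also forge a matching manifest entry.
MANIFEST_KEY = b"example-key-agreed-out-of-band"


def digest_stream(fh, key: bytes = MANIFEST_KEY, chunk_size: int = 1 << 20) -> str:
    """HMAC-SHA256 over a binary stream, read in chunks so large files fit in memory."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        mac.update(chunk)
    return mac.hexdigest()


def digest_bytes(data: bytes, key: bytes = MANIFEST_KEY) -> str:
    """Keyed digest of an in-memory blob (same result as digest_stream on its contents)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(root: Path, key: bytes = MANIFEST_KEY) -> dict[str, str]:
    """Map every file under root (path relative to root) to its keyed digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                manifest[path.relative_to(root).as_posix()] = digest_stream(fh, key)
    return manifest


def compare_manifests(expected: dict[str, str], actual: dict[str, str]) -> dict[str, list[str]]:
    """Report files missing at the destination, altered or corrupted in transit,
    and files present at the destination that were never part of the source set."""
    common = expected.keys() & actual.keys()
    return {
        "missing": sorted(expected.keys() - actual.keys()),
        # compare_digest avoids timing leaks when comparing the two hex digests.
        "modified": sorted(f for f in common
                           if not hmac.compare_digest(expected[f], actual[f])),
        "unexpected": sorted(actual.keys() - expected.keys()),
    }


if __name__ == "__main__":
    import sys
    # Usage: python verify_migration.py <source_dir> <destination_dir>
    src, dst = Path(sys.argv[1]), Path(sys.argv[2])
    print(compare_manifests(build_manifest(src), build_manifest(dst)))
```

In practice the source manifest is written to a file at the source and the destination only runs build_manifest on its own copy, so the two sides never need simultaneous access to both trees.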
When using public cloud storage as an intermediary, organisations should use cloud storage from a government-certified cloud provider and ensure any cloud storage uses access controls limiting access only to staff and systems involved in the transfer.
Media being used for the physical transfer of data should meanwhile be protected in transit and thoroughly wiped before being released for general use or disposal, the ACSC advised.
Before importing data into an existing system, organisations should review system and data architecture, business rules and security architecture. Organisations should also take reasonable steps to ensure any imported data is free from malicious software, such as scanning the data with two separate high-quality antivirus products.
Another important prerequisite involves ensuring any sensitive data will be protected with the same level of security or higher in its new destination.
Following data migration, organisations may need to take additional steps to preserve file system permissions, as in many cases there is no native support to move access control lists between different systems.
ACSC also called on organisations to establish well-developed relationships between the operational cybersecurity teams in each organisation early on in the merger process to improve incident response capabilities.
Other factors that must be planned for include the potential for combining systems to weaken availability protections, the need to join network environments while being confident that neither environment is the subject of an active compromise, and how identity and access control will be handled in the combined systems.