Security maturity is hard and the pace of change is hurting

BeyondTrust

By Christopher Hills*
Friday, 25 July, 2025

A long-running challenge for the public sector is that security maturity is not a static point-in-time activity or measure. As the threat landscape evolves, so do the underlying risk controls and requirements around protective and preventative measures to reduce the risk of an attack or breach.

Keeping pace with these constantly moving goalposts requires a focus on continuous improvement, sustained investment, and technology systems that are capable of supporting this constant cycle of change.

The most recent assessment of NSW government agencies’ self-reports on security maturity shows some aren’t handling the pace of change, with maturity levels in critical areas receding year on year, including “patching applications and operating systems, implementing multi-factor authentication, restricting administrative privileges and implementing application controls”.

This is problematic for several reasons, not least because these areas align with the ASD Essential Eight. In NSW, the minimum requirement is to achieve Essential Eight Maturity Level One, and even that is now at risk.

Across the last seven years, the NSW Auditor-General noted a decline in maturity in this regard, stating: “Many agencies have not met level one Essential Eight cyber protection measures despite this approach being a focus for many years.”

Not only that, “some agencies reported zero maturity for critical controls such as application control, patching and administrative privilege restrictions”.

That is particularly a problem when you consider the top incident type reported by government entities in Australia is compromised user accounts or credentials, according to ASD data.

It’s also problematic when you consider the proportion of government workloads that are hosted or administered by third parties via outsourced arrangements. As the NSW audit shows, a not-insignificant proportion of systems and workloads classified as ‘crown jewels’ are outsourced.

Threat actors know this and frequently target third parties, either for direct access to government data or as a pathway into government systems. Major breaches of third parties are occurring at a run rate of at least one a year, according to the NSW audit. From a risk perspective, even one serious breach per year is one too many.

To be clear, this is not a problem unique to governments. Third-party access has been the point of origin for many of the most significant breaches of recent years, and attackers keep targeting third-party access pathways precisely because that approach has worked so often before.

But it does show that governments aren’t immune from broader security challenges impacting other vertical industries.

It also reinforces a key point of the NSW audit: that controls around secure remote and privileged access aren’t where they need to be.

While these audit results are specific to NSW, departments and agencies in other states and territories, and in other tiers of government, have many of the same challenges and remain susceptible.

An ‘uplift’ focus and commensurate investment is required to reverse the current trend and bring the public sector back within acceptable risk tolerances when it comes to implementing key Essential Eight controls.

Three areas for capability uplift

Governments have long known they need to get ‘ahead of the game’ when it comes to addressing cybersecurity risks and embracing industry best-practice frameworks — such as the Essential Eight maturity model — to uplift their controls.

Three capabilities should be considered non-negotiable when it comes to creating that uplift.

First, a review of access control and privileged user account management should be carried out at least once a year. This matters given the high incidence of attacks on governments via compromised user accounts or credentials. If a review has not already been conducted this year, it should be prioritised as soon as practicable, given the current audit landscape. Automating these reviews allows them to run more frequently and at lower cost, so that drift in the efficacy of controls (accounts accumulating administrative rights they no longer need, or memberships granted outside the approved process) is picked up sooner, before it becomes an audit issue.

Second, governments should adopt modern privileged access management (PAM) identity security technology capable of securing privileges at multiple levels (privileged users as well as privileged assets), managing privileged sessions and, importantly, automating the discovery and onboarding of all privileged accounts, securing access to privileged credentials and secrets, and auditing all privileged activity. Given continued outsourcing, including of critical workloads, it is important to look holistically at the restriction of admin rights across internal and externally hosted data and environments.

Indeed, identity security starts with visibility. Without the full picture of your identity landscape, access reviews, modern PAM strategies and application controls will not be as effective as organisations would like. Understanding where risk exists within the identity landscape allows governments to review entitlements properly, apply a strategic and effective modern PAM approach, and layer least privilege with application control to better protect their organisations from both internal and external threats.
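The annual review in the first recommendation, the account discovery in the second and the visibility point above all reduce to the same mechanical check: compare who currently holds privileged membership against who was approved to hold it, and surface the difference. The script below is an added example written for this article; it is not code from the article or from BeyondTrust. The export schema, the tenant domain, every account name and the 90-day staleness threshold are constructed assumptions. It flags members not in the approved baseline (rated higher when the account belongs to an outsourced provider), approved members who have not used the privilege recently, disabled accounts that still hold membership, and approved members that have vanished from the export, which usually means the baseline itself is out of date.

```python
"""
Privileged-membership drift check.

Added example for this article; not code from the article or from
BeyondTrust. The export format, the tenant domain and every account
below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Point in time the review runs (fixed so the example is reproducible).
NOW = datetime(2025, 7, 25, 12, 0, tzinfo=timezone.utc)

# Domains the agency itself owns; anything else is treated as a third
# party (constructed value).
INTERNAL_DOMAINS = {"agency.nsw.gov.au"}

# Privileged accounts that have not logged on for this long are flagged.
STALE_AFTER = timedelta(days=90)

# Approved baseline: who may sit in each privileged group as of the last
# signed-off review (constructed).
APPROVED_BASELINE: dict[str, set[str]] = {
    "Domain Admins": {"alice@agency.nsw.gov.au", "svc-backup@agency.nsw.gov.au"},
    "Server Operators": {"bob@agency.nsw.gov.au", "carol@vendor-msp.example",
                         "erin@agency.nsw.gov.au"},
}

# Fresh export of current membership, as a directory or cloud IAM API
# might return it (hypothetical schema, constructed rows).
CURRENT_EXPORT = [
    {"group": "Domain Admins", "member": "alice@agency.nsw.gov.au",
     "last_logon": "2025-07-24T08:12:00Z", "enabled": True},
    {"group": "Domain Admins", "member": "svc-backup@agency.nsw.gov.au",
     "last_logon": "2025-07-25T01:00:00Z", "enabled": True},
    # Added since the baseline was approved, and from an outsourced provider.
    {"group": "Domain Admins", "member": "dave@vendor-msp.example",
     "last_logon": "2025-07-20T10:00:00Z", "enabled": True},
    # Approved, but has not used the privilege for months.
    {"group": "Server Operators", "member": "bob@agency.nsw.gov.au",
     "last_logon": "2025-01-03T09:00:00Z", "enabled": True},
    # Approved, but disabled without the membership being removed.
    {"group": "Server Operators", "member": "carol@vendor-msp.example",
     "last_logon": "2025-07-22T11:30:00Z", "enabled": False},
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    group: str
    member: str
    reason: str


def is_third_party(member: str, internal_domains: set[str]) -> bool:
    """True when the account's domain is not one the agency owns."""
    domain = member.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp written with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_drift(baseline, export, now, internal_domains, stale_after):
    """Compare a membership export against the approved baseline.

    Returns findings sorted by severity, then group, then member.
    """
    findings: list[Finding] = []
    seen: dict[str, set[str]] = {}

    for row in export:
        group, member = row["group"], row["member"]
        seen.setdefault(group, set()).add(member)
        third_party = is_third_party(member, internal_domains)

        if member not in baseline.get(group, set()):
            # Unreviewed privilege; worse when held by an outsourced party.
            findings.append(Finding(
                "high" if third_party else "medium", group, member,
                "not in approved baseline"
                + (" (third-party account)" if third_party else "")))
        if not row["enabled"]:
            findings.append(Finding(
                "low", group, member,
                "disabled account still holds privileged membership"))
        if now - parse_timestamp(row["last_logon"]) > stale_after:
            findings.append(Finding(
                "medium", group, member,
                f"no logon in {stale_after.days} days; privilege may be unneeded"))

    # Approved members that have vanished: the baseline itself has drifted.
    for group, members in baseline.items():
        for member in sorted(members - seen.get(group, set())):
            findings.append(Finding(
                "low", group, member,
                "approved member missing from export; baseline may be stale"))

    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.group, f.member))


if __name__ == "__main__":
    for f in check_drift(APPROVED_BASELINE, CURRENT_EXPORT, NOW,
                         INTERNAL_DOMAINS, STALE_AFTER):
        print(f"{f.severity:<6} {f.group:<17} {f.member:<30} {f.reason}")
```

Run on a schedule against a real export, the output is the drift signal the annual review depends on, and the baseline should change only through the review itself, so that silent changes in either direction are surfaced rather than absorbed.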

Third, entities should focus on application control to further harden their environments. However much organisations want to standardise their applications and tooling, there will always be legitimate requests for exceptions, and how these are handled matters. Assessing the legitimacy of the request and the validity of the need, whether for one-off access to a new application, for an operating system task that requires elevation, or for access to a file or macro, needs to happen promptly.

Just as there are a range of contexts in which a user or a system may request an exception — whether the user sits inside the entity, or in an outsourced partner — there should be a range of ways available to handle the request, perhaps based on preconfigured policies or the severity of the risk associated with granting access.

The response should also change with context: what the user is doing, where they are, and the confidence with which their corporate identity (who they say they are) has been established.

With these three capabilities in place, public sector entities will be best positioned to uplift their security maturity now and into the future while having the tools to maintain or advance their maturity levels, even as requirements change.

*Christopher Hills is Chief Security Strategist at BeyondTrust

Top image credit: iStock.com/elenaleonova


All content Copyright © 2025 Westwick-Farrow Pty Ltd