What should be Australia’s public sector response to strengthening online security?
Government employees and contractors are prime targets for cyberattacks because of the information they can access. Federal, state and local government systems hold large volumes of sensitive data, such as tax file numbers, Medicare details and medical records.
Research continues to show that the majority of data breaches result from stolen login credentials. Basic authentication, such as a username and password, and even common forms of two-factor authentication (2FA) such as SMS codes, are no longer adequate to protect data, systems and applications against today's threats. Both can be phished or intercepted remotely: a password and an SMS code can simply be typed into a fake login page and relayed to the real one.
In one recent example, a ransomware attack on a payroll provider exposed the personal information of 80,000 South Australian public servants. It was the second significant cyberattack on the company since November.
As technology evolves, so must the public sector's practices if it is to mitigate the threat of cyberattacks.
With a high proportion of cyberattacks focused on credential theft, strong multi-factor authentication can drastically reduce both the likelihood and the impact of a successful attack. Strong 2FA and multi-factor authentication (MFA) require a user to present more than remembered details (which can be stolen) to verify their identity.
To protect citizen data and keep public sector services running without interruption, organisations should adopt mitigation frameworks such as the Australian Cyber Security Centre's (ACSC) Essential Eight, which already calls for multi-factor authentication, and implement that control with phishing-resistant methods.
The profile of an attack
User credentials, the proofs of identity people present to gain access to digital services, applications and systems, are the most sought-after data in the initial phase of a cyberattack. According to a 2019 report, over 80% of data breaches result from compromised credentials. Once obtained, they give cybercriminals a route to move through a system and compromise more data.
Cyberattacks are often multi-step; stolen credentials, for example, may be the route in to deploy malware. Unfortunately, there are many ways for credentials to be stolen, and they target different factors: SIM swapping defeats SMS codes, man-in-the-middle and phishing proxies capture passwords and one-time codes as the user types them, and password spraying and credential stuffing exploit weak or reused passwords.
High-profile breaches and incidents were a wake-up call for the U.S. government this year. In May 2021, President Biden issued an executive order directing all U.S. government agencies to implement MFA within 180 days. In September, the U.S. government followed with its Draft Zero Trust Strategy, which requires federal agencies to use only multi-factor authentication that is phishing resistant.
Phishing-resistant MFA is based on public/private key cryptography, so there is no shared code for an attacker to intercept and replay. The authenticator signs a fresh challenge together with the origin the browser is actually connected to, and the service checks that origin before accepting the signature. A response produced on a look-alike site is therefore rejected by the genuine one, even if the attacker relays it in real time.
Can you imagine how the Asia Pacific region would be affected by an attack of the kind that prompted the U.S. response, aimed at Australia's drinking water supply, telecommunications networks or electricity providers? These services play a vital part in daily life and are taken for granted. A cyberattack on this critical infrastructure would create chaos for our work, businesses and households.
Protecting citizens and services
Additional identity verification through, for example, hardware-based authentication counters the risks associated with compromised credentials. The Essential Eight Maturity Model calls for strong, phishing-resistant MFA at Maturity Level 3, using physical security tokens such as smart cards and security keys. Hardware-backed authenticators of this kind defeat credential phishing and man-in-the-middle attacks against the login itself, because the private key never leaves the device and the signed response is bound to the genuine site; they protect users from having their credentials compromised and organisations from being breached through those credentials. They do not, on their own, protect an already authenticated session, so session cookies and tokens still need short lifetimes and binding to the device where possible.
Whilst the U.S. has learnt the hard way, there is an opportunity for the Australian public service to strengthen its cybersecurity processes and protocols so that we're on par with the U.S. We have the framework, but do these recommendations need to be mandated if we're to strengthen the protection of our data further?
Strong, phishing-resistant MFA is the best line of defence for strengthening our online security. It is better to prevent or block a cyberattack now than to be forced into change by the political fallout of a major incident, when the government of the day will have to act regardless.