22k vulnerabilities in NSW govt systems uncovered last year

Justin Hendry

In-house threat hunters based in regional New South Wales uncovered and remediated more than 22,000 vulnerabilities in state government and local council systems last year through proactive monitoring.

That’s according to the Cyber Security NSW 2022 Year in Review report, which also reveals more than 77,000 passwords in use at agencies and local councils had previously been compromised in data breaches.

The report, released last week, comes three weeks after the NSW Auditor-General found the agency had “no plan” to achieve the cyber maturity level uplift across government that was key to the business case behind its 2020 expansion.

Cyber Security NSW said its team based out of the Bathurst cybersecurity vulnerability management centre established in July 2020 detected more than 22,000 vulnerabilities during on-request external scans last year.

A spokesperson told InnovationAus.com that the figure includes Cyber Security NSW scanning on both council and state government agencies but “does not include active scanning and controls put in place” by individual agencies.

“Cyber Security NSW provides the requesting NSW government entity with notifications of where these vulnerabilities are and advice for remediation, including patching guidance,” the spokesperson said.

“These proactive scans enable entities to remediate vulnerabilities before they are exploited. Cyber Security NSW is not aware of any identified vulnerability being exploited before remediation.”

The centre also piloted a continuous internal vulnerability monitoring service with four councils, building on its penetration testing services, which it offers to local councils and state government agencies alike.

The report also reveals that more than 77,000 accounts across 14 local councils and state government agencies were found to be using passwords that had previously been compromised in data breaches.

The internally developed tool “compares users’ passwords in Microsoft’s Active Directory environment to the Have I Been Pwned database”, according to the spokesperson, while also analysing “other security metrics, such as whether users have duplicate passwords”.

Upon the completion of a scan, which is requested by the NSW government agency concerned, Cyber Security NSW “works with the entity’s administrators to remediate password weaknesses systematically”, the spokesperson said.

“These proactive scans enable entities to remediate password weaknesses before they are exploited. Cyber Security NSW is not aware of any of the 77,000 passwords being used to access NSW Government systems without authorisation.”
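The article describes the tool only at the level of “compares users’ passwords in Active Directory to the Have I Been Pwned database” and checks for duplicate passwords. The following is an added, illustrative example (not Cyber Security NSW’s tool) of how such a check is typically done against the Pwned Passwords range API’s k-anonymity format, where the client sends only the first five hex characters of a SHA-1 hash and compares the returned `SUFFIX:COUNT` lines locally; the range responses, breach counts and sample accounts below are all constructed so the code runs offline.

```python
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form used by the Pwned Passwords API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the Pwned Passwords range API (GET /range/{prefix}):
# keyed by the 5-character SHA-1 prefix a client would send, value is the
# "SUFFIX:COUNT" text the API returns. Counts are made up; only the format is real.
RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
             "0123456789ABCDEF0123456789ABCDEF012:3\n",   # unrelated neighbour
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:37359195\n",
}


def lookup_range(prefix: str) -> dict[str, int]:
    """Parse one range response into {suffix: count}; unknown prefix => no hits."""
    counts: dict[str, int] = {}
    for line in RANGE_RESPONSES.get(prefix, "").splitlines():
        suffix, _, count = line.partition(":")
        if suffix and count.isdigit():
            counts[suffix] = int(count)
    return counts


def audit_accounts(account_hashes: dict[str, str]) -> dict:
    """Return breached accounts (with breach counts) and accounts sharing a hash."""
    breached: dict[str, int] = {}
    by_hash: dict[str, list[str]] = defaultdict(list)
    range_cache: dict[str, dict[str, int]] = {}      # one API call per prefix
    for account, digest in account_hashes.items():
        digest = digest.upper()
        by_hash[digest].append(account)
        prefix, suffix = digest[:5], digest[5:]       # only the prefix leaves the host
        if prefix not in range_cache:
            range_cache[prefix] = lookup_range(prefix)
        if suffix in range_cache[prefix]:
            breached[account] = range_cache[prefix][suffix]
    duplicates = {h: sorted(a) for h, a in by_hash.items() if len(a) > 1}
    return {"breached": breached, "duplicates": duplicates}


# Constructed sample directory. Plaintexts are hashed inline purely so the example
# is self-contained; a real check works from the directory's stored hashes.
SAMPLE = {
    "alice": sha1_hex("password"),
    "bob": sha1_hex("123456"),
    "carol": sha1_hex("password"),
    "dave": sha1_hex("correct horse battery staple council 2022"),
}
```

Running `audit_accounts(SAMPLE)` flags alice, bob and carol as using breached passwords and reports alice and carol as sharing one, while dave’s passphrase matches nothing in the constructed ranges.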

In light of last month’s audit, the report indicates Cyber Security NSW stopped its compliance and assurance programs in June 2022 to “reduce duplication and burden on entities”, with agencies now left to their own devices.

“After review and analysis, Cyber Security NSW determined it is most effective for compliance and assurance to be undertaken by the internal audit teams of NSW government clusters and agencies, as they should be auditing against the NSW Cyber Security Policy self-assessments,” the report said.

Cyber Security NSW said a “key challenge” for the government meeting its own policy is funding. More than $240 million has been provided to cybersecurity through the Digital Restart Fund since 2020.

NSW Labor have committed to reviewing Cyber Security NSW if it forms government later this month. Shadow digital minister Yasmin Catley has said that regular auditing and compliance should be used to drive improvements across government.
