Feeds

Auditor to Oz PM&C: Don’t use Webmail for leaks

Security spooks slap sloppy civil servants

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

Australian cloud computing chauvinists are prepping the “#GovDoesn’tGetIt” hashtag after the Australian National Audit Office (ANAO), with a bit of help from the spooks in the Defence Signals Directorate, identified services like Hotmail and Gmail as key vulnerabilities in government information security.

As noted many years ago in Yes Minister, “the ship of state is the only ship that leaks from the top”, so it’s unsurprising that the Department of Prime Minister and Cabinet is identified in the report as allowing its staff to access Webmail.

The ANAO report stated that while government information security was mostly acceptable – “generally operating in accordance with Government protective security requirements” in agency-speak – public web-based email services provide too many vulnerability vectors.

“Emails using public web‐based email services should be blocked on agency ICT systems, as these can provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure. Webmail accounts were accessible in one of the audited agencies, and logs showed that some staff were using these accounts on a regular basis,” the report said.

The review only covered four agencies – the Australian Office of Financial Management, ComSuper, Medicare Australia and the Department of Prime Minister and Cabinet – which perhaps explains why only one agency was found to be allowing access to Webmail services.

The PM’s department outed itself in its response to the report’s recommendations, stating that it will block access to Webmail services from July 1.

The ANAO report recommends that if such access is required in the future, it should be via standalone single-purpose machines like kiosks.

Other vulnerabilities noted in the report include out-of-date policies, and that perennial standby, unpatched third-party software. ®

Beginner's guide to SSL certificates

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.