Parliament House attack a tough lesson on credential security

As forensic specialists assess the damage, government and corporate CISOs should weigh their exposure to nation-state attacks

Credit: ID 128782397 © Alexander Yakimov |

The high-profile breach of Australia’s Parliament House highlights a rising climate of nation-state attacks that will drive a cybersecurity reckoning across both public and private sectors, experts have argued as the fallout from the attack continues to emerge.

A growing threat of nation-state attack has long had security advisors warning companies to be aware as state-sponsored cybercriminals pursue new strategies and refine their tactics. Recent analyses have, for example, linked state-sponsored attackers to an exploit against Twitter and identified a new nation-state actor suspected to be from the Middle East.

The government has been tight-lipped about the scope of the attack and the information assets that may have been compromised, only suggesting that China may be to blame.

However, its move to quickly reset all passwords meant authorities “should be lauded for their efforts to quickly identify the breach and take precautionary steps to avert any leakage of data,” Forcepoint ANZ senior director Sam Ghebranious said, highlighting the importance of baselining ‘normal’ user behaviour on corporate networks.

“The precautions taken suggest that nefarious actors may be looking to steal the digital identities/credentials of approved users to operate within the parliamentary computer network without being identified.”

Privileged credentials are the key

Risks from stolen credentials have escalated as businesses increasingly rely on credential-based access to external services – which have regularly been compromised by malicious actors. And while there was no indication whether Parliamentary employees’ passwords may have been among the billions leaked in the recent Collections password leaks, such possibilities reflect the challenges even putatively secure organisations like the Australian Parliament face in locking down their credentials.

Restricting administrative privileges based on user duties is a core part of the Australian Signals Directorate’s Essential Eight guidelines, which are mandated for government bodies including the Parliament of Australia.

Yet despite broad recognition of their value, compliance with the Essential Eight has been far from ideal: one recent survey of IT-security professionals found that just 13 percent were using the guidelines to shape their cybersecurity strategies.

Even the guidelines’ precursor, the ASD Top 4, had only been implemented by half of Australian companies nearly a decade after they were introduced.

Ironically, the breach comes just days after the Australian Cyber Security Centre (ACSC) updated the Australian Government Information Security Manual (ISM), which is filled with “both governance and technical concepts in order to support the protection of organisations’ information and systems.”

Joseph Carson, chief security scientist and advisory CISO with Thycotic, believes the breach will be a litmus test of the government’s compliance with best-practice advice such as the idea that sensitive data should be encrypted in motion and at rest.

“I hope the Australian Parliament has enforced strong encryption without any backdoors to ensure that if passwords indeed were compromised any sensitive data that could be accessible would not be readable by any attackers,” he said.

“Strong encryption that has no backdoors is the last security control preventing cyber attackers such as nation states from gaining access to sensitive data.”

Tags CISOs

Show Comments