Vulnerability hunters for the NSW state government turned up more than 22,000 vulnerabilities in NSW government systems last year, according to Cyber Security NSW’s 2022 year in review report.
The report, published just ahead of the government entering caretaker mode, states that the cyber security team works out of the NSW town of Bathurst.
Running on-request external scans of NSW government systems, the Cyber Security NSW team turned up more than 22,000 vulnerabilities, the report said.
The scans also detected and reported 23 “sensitive information disclosures", the report said.
Another highlight of the report is that the agency tested the strength of passwords in agency and council Windows networks, and turned up 77,000 across 14 entities that had been seen in previous data breaches.
The Log4j vulnerability was also key to-do for the agency in 2022, having emerged at the end of 2021.
While it didn’t reveal how many instances of Log4j it found on government systems, Cyber Security NSW said: “Several NSW government entities observed scanning activity and exploitation attempts, with some taking entire systems offline as a precautionary measure until patches had been released, tested and implemented.”
Cyber Security NSW’s direct Log4j activity included circulating advisories, meeting with stakeholders to “ascertain capabilities and patching status,” and hosting information sessions to help councils.
Addressing the audit
In February, the NSW Auditor-General criticised Cyber Security NSW for falling short in the services it delivers to councils, and for not auditing agency cyber security maturity assessments.
In its year in review, the agency said part of its response to that audit will be delivered on July 1, which it says will “include an assurance methodology to assist NSW government agencies in consistently assessing and reporting their compliance" with NSW cyber security policies.
“In addition, it will provide greater clarity on cyber security maturity and uplift strategies," the report states.
During last year, a cyber security uplift toolkit was offered to NSW government agencies. Security guidelines for NSW local government were also drawn up at the end of last year.
Cyber Security NSW noted that "funding remains a key challenge" for agencies and councils to meet cyber security objectives.
The organisation added that it also created an inaugural 2022 NSW Government Cyber Threat Report analysing incidents experienced by agencies, but said that it is a restricted document and as such would not be made public.