Home›Questions on Notice›QoN 3791

❓ WA Parliamentary Question reveals penetration testing activities within the Education and Training portfolio, including social engineering and website security assessments across various departments and TAFE colleges. Some entities did not include social engineering tests in their penetration testing.

AnsweredQoN 3791Legislative Assembly

Asked

14 August 2018

Member

Mr Z.R.F. Kirkup

Portfolio

Education and Training

QuestionView source ↗

For all departments, agencies, government trading enterprises or boards within the Minister’s portfolio responsibilities, I ask since 11 March 2017: (a) Have any independent consultants or companies been engaged to run penetration or 'White Hat' tests on any internal or external network systems: (i) If so, what consultant or company was engaged and on what date; (ii) If so, did it include any social engineering or phishing tests; and (iii) If not, why not; and (b) Have any independent consultants or companies been engaged to run penetration or 'White Hat' tests on any websites: (i) If so, what consultant or company was engaged and on what date; and (ii) If so, what website (domain only) was tested?

AnswerView source ↗

Answered

18 September 2018

Responded by

Minister representing the Minister for Education and Training

Response time

9 days

(a) Yes.
(i) Diamond Cyber Security were engaged to conduct an external penetration test in May 2018.
(ii) Yes.
(iii) Not applicable.
(b) Yes.
(i)   Diamond Cyber Security were engaged to conduct an external penetration test in May 2018.
(ii) The Penetration Testing included the websites of the Teacher Registration Board, Training Accreditation Council and the former Department of Education Services, specifically including the following domains:
http://www.trb.wa.gov.au ;
http://www.tac.wa.gov.au ; and
http://www.des.wa.gov.au .
Department of Training and Workforce Development
(a)   Yes
(i)    ES2 Pty Ltd – 20/03/2018
(ii)   Yes
(iii)  Not Applicable
(b)   Yes
(i)    ES2 Pty Ltd were engaged 20/03/2018 to perform penetration testing of websites for the Department of Training and Workforce Development and the five TAFE colleges.
(ii) www.dtwd.wa.gov.au ,
www.northmetrotafe.wa.edu.au ,
www.southmetrotafe.wa.edu.au ,
www.northregionaltafe.wa.edu.au ,
www.centralregionaltafe.wa.edu.au ,
www.southregionaltafe.wa.edu.au
North Metropolitan TAFE
(a)      Yes
(i)       ES2 Pty Ltd – 20/03/2018
(ii)      No
(iii)     This was not included in scope of sector security review. Social engineering was tested as part of Audit by Global2020 in August 2017
(b)     Yes
(i)      ES2 Pty Ltd – 20/03/2018
(ii) www.northmetrotafe.wa.edu.au
South Metropolitan TAFE
(a)     Yes
(i)      ES2 Pty Ltd – 20/03/2018
(ii)     Yes
(iii)    Not Applicable
(b)     Yes
(i)      ES2 Pty Ltd – 20/03/2018
(ii) www.southmetrotafe.wa.edu.au
North Regional TAFE
(a)     Yes
(i)     ES2 Pty Ltd – 20/03/2018
(ii)    Yes
(iii)    Not Applicable
(b)    Yes
(i)     ES2 Pty Ltd – 20/03/2018
(ii) www.northregionaltafe.wa.edu.au
Central Regional TAFE
(a)    Yes
(i)     ES2 Pty Ltd – 20/03/2018
(ii)    Yes
(iii)    Not Applicable
(b)    Yes
(i)      ES2 Pty Ltd – 20/03/2018
(ii) www.centralregionaltafe.wa.edu.au
South Regional TAFE
(a)     Yes
(i)      ES2 Pty Ltd – 20/03/2018
(ii)     No
(iii)    The ES2 sector-wide engagement conducted social engineering tests for DTWD, the lessons from which are to be shared with SRT and other TAFE colleges.
(b)   Yes
(i) ES2 Pty Ltd – 20/03/2018
(ii) www.southregionaltafe.wa.edu.au
Building Construction Industry Training Fund
(a)             No
(i)-(iii)        Not applicable
(b)             No
(i)-(ii)         Not applicable

View on Parliament of WA