NSW govt agencies told to pen-test
NSW government agencies should conduct regular network penetration tests to rectify abysmal IT security findings, according to the NSW auditor.
(Broken doors image by Eran Sandler, CC2.0)
State auditor Peter Achterstraat outlined six areas in a report (PDF) released this week which government agencies should address to improve security, including the use of penetration testers.
The recommendations were a follow-up to an Electronic Information Security report released in October, which berated the NSW Government for failing to "assure the people of NSW that all its agencies are properly safeguarding sensitive private information".
"…penetration testing and email scanning are worthwhile tools to identify security issues and obtain assurance of robust defences against unauthorised access to data," Achterstraat wrote in the report.
The October audit tested agencies on compliance to the international standard ISO 27001 which mandates baseline information security practice.
Two agencies compliant with ISO 27001 were praised in this week's report, which suggested the standard is a "good basis for building strong electronic information security".
But the standard has been criticised by some industry experts.
"My complaint with ISO 27001 is that what the standard says isn't exactly what happens in practice," Securus Global managing director Drazen Drazic said.
He said there is a vast disconnect between the objective of the standard and "the reality of security".
Previous research into the standard by IT firm CA found that almost half of the 241 IT manager respondents who had implemented the standard had poor access management.
Despite adhering to the standard, Achterstraat said in the latest report that the two agencies had advised they will rectify a string of security problems identified in the audit as "opportunities for improvement".
| Issue | Explanation | Possible remedial action |
|---|---|---|
| Database access not secured in web applications | SQL injection is a hacking technique whereby the hacker sends illicit commands through a web application for execution by the back-end database. It is perhaps one of the most common attack techniques currently used with the usual object being data theft. | This form of attack takes advantage of improper coding of applications, so it can be readily countered through best practice coding techniques. |
| Failure to terminate remote access sessions | Session hijacking refers to the exploitation of a valid computer session to gain unauthorised access to information or services in a computer system. When a remote user ceases to use a web application the session must be terminated. Not doing so provides an opportunity for a hacker to hijack the session and penetrate security. | Sessions can be configured to end after a short period of inactivity or when system errors are detected. |
| Transmission of data between systems and remote applications in easily read and modifiable form | Sniffing refers to the act of intercepting the transmission of data between systems and remote applications. Transmissions in plain text format are problematic. Where the data is the user's identification and password sniffing provides an opportunity for spoofing — impersonating the user to breach the agency's security perimeter. Where the data is private information, its interception can result in data theft or unauthorised modification in transit. | This can be addressed through encryption of all such traffic. |
| Weak encryption methods | Encryption is the security process of converting text or data into a coded form unreadable to anyone without the specific key. Weak ciphers can easily be decrypted giving the hacker access to agency information. | Strong ciphers are recommended, as well as application of encryption to cookies because these can contain session parameters. |
| Log-in credentials stored by the user's web browser | Log-in credentials can be stored by some users' web browsers. This can potentially permit unauthorised personnel with access to the computer gain access to the agency's systems. | Disabling of auto-complete on all web applications' log-in forms is recommended. |
| Out-of-date operating system software with known vulnerabilities | Out-of-date operating systems software with a memory-corruption vulnerability in Server Message Block (SMB, also known as Common Internet File System) can permit a hacker to execute code on the server (such as install applications, create accounts or modify data) or perform a denial-of-service attack upon it. | A regime involving the timely installation of patches is recommended. |