Electronic Information Security

74
NSW Auditor-General's Report Volume One 2011 ELECTRONIC INFORMATION SECURITY

On 20 October 2010, I tabled a report on my performance audit Electronic Information Security. The criterion for that audit was that the Government should be able to show that those systems which hold personal information are certified to comply with the international Information Security Management Systems standard - ISO27001. The criterion was derived from the Governments policy on Security of Electronic Information described in Ministerial Memorandum 2007-04. Originally, I planned to have two additional criteria, that is:

personal information held on selected databases is adequately protected from unauthorised access unencrypted sensitive personal information is rarely emailed outside the selected agencies.

During the audit, I decided to address these as a special review. To reach a conclusion on these criteria, I engaged experts to undertake penetration testing and high-level scanning of email content on two agencies who are currently certified to ISO27001.

Conclusion
The testing performed by our experts found no major security flaws in either agency. This positive outcome suggests that the international standard is a good basis for building strong electronic information security. I also concluded that penetration testing and email scanning are worthwhile tools to identify security issues and obtain assurance of robust defences against unauthorised access to data, although no doubt there are a range of such tools available.

Opportunities for Improvement

While no major flaws were found, the testing did reveal several opportunities to improve electronic information security. The following is a summary of the main weaknesses found by my experts and potential remedial actions. While noting these are not major issues, the agencies involved have advised they will analyse these issues and take appropriate corrective action in accordance with their established risk management procedures.
Security issues identified in technical testing Issue Explanation Possible remedial action

75
NSW Auditor-General's Report Volume One 2011 ELECTRONIC INFORMATION SECURITY

Database access SQL injection is a hacking technique not secured in web whereby the hacker sends illicit applications commands through a web application for execution by the backend database. It is perhaps one of the most common attack techniques currently used with the usual object being data theft.

This form of attack takes advantage of improper coding of applications, so it can be readily countered through best practice coding techniques such as:

server-side sanitisation routines restricting the use of dynamic SQL replacing SQL in web application code with calls to stored procedures.

Failure to terminate Session hijacking refers to the exploitation Sessions can be configured to end after a remote access of a valid computer session to gain short period of inactivity or when system sessions unauthorised access to information or errors are detected. services in a computer system. When a remote user ceases to use a web application the session must be terminated. Not doing so provides an opportunity for a hacker to hijack the session and penetrate security. Transmission of data between systems and remote applications in easily read and modifiable form Sniffing refers to the act of intercepting This can be addressed through encryption the transmission of data between systems of all such traffic. and remote applications. Transmissions in plain text format are problematic. Where the data is the users identification and password sniffing provides an opportunity for spoofing - impersonating the user to breach the agencys security perimeter. Where the data is private information, its interception can result in data theft or unauthorised modification in transit. Encryption is the security process of converting text or data into a coded form unreadable to anyone without the specific key. Weak ciphers can easily be decrypted giving the hacker access to agency information. Strong ciphers are recommended, as well as application of encryption to cookies because these can contain session parameters.

Weak encryption methods

Login credentials Login credentials can be stored by some Disabling of auto-complete on all web stored by the users users web browsers. This can potentially applications login forms is recommended. web browser permit unauthorised personnel with access to the computer gain access to the agencys systems. Out of date operating system software with known vulnerabilities A regime involving the timely installation of Out of date operating systems software with a memory-corruption vulnerability in patches is recommended. Server Message Block (SMB, also known as Common Internet File System) can permit a hacker to execute code on the server (such as install applications, create accounts or modify data) or perform a denial of service attack upon it.