Claus B. Jensen, IT Auditor, CISA, CIA. I am employed at Rigsrevisionen, Denmark (the Danish National Audit Office). I have worked within IT audit since 1995, both as internal and external auditor, and now in the public sector. CISA certified in 1998.
Rigsrevisionen: about us. Rigsrevisionen, the Danish National Audit Office, is an independent institution which, since 1991, has been placed under the Danish Folketing (parliament). Rigsrevisionen employs about 270 people.
Main conclusion from the report: The data for which the government bodies were responsible was not, at the time of the examination, adequately protected, and the level of security exposed the IT systems and confidential data to undue risk of cyber attacks. The Public Accounts Committee is concerned that the examined government bodies had insufficient security against hacker attacks and insufficient protection of IT systems and confidential digital data.
Rigsrevisionen recommends that:
1. all government bodies should address the risk of cyber attacks in their risk assessments, and
2. consider whether the implemented technical restrictions on downloads of programmes from the Internet and the number of local administrator accounts have been adequately limited, and
3. whether applied software programmes, etc. are being updated regularly.
Rigsrevisionen also recommends that:
1. the Ministry of Finance should clarify how responsibilities for cyber security should be divided between the Danish Agency for Governmental IT Services and its clients;
2. the Ministry of Finance and the Danish Agency for Digitisation should develop guidance for all government bodies on the implementation of security controls to mitigate cyber attacks.
Based on experience from previously performed IT audits, the Danish National Audit Office is of the opinion that the results of the examination may apply to a wider audience of government bodies than those included in the audit.
Objectives
1) To assess whether selected government bodies had sufficient focus on mitigating cyber attacks.
2) In relation to the Danish Agency for Governmental IT Services, we focused particularly on its assessment and test of the risk that an attack on one of its clients could spread to other clients, as the security level of the agency and its clients should be considered collectively: security weaknesses identified either at the agency or at one of its clients could potentially affect other clients.
3) Finally, we checked whether the risk associated with a decision not to implement the controls had been recorded in the risk assessment reports in a manner that reflected that management had addressed the risk and the possibilities of mitigating cyber attacks.
BEST PRACTICE
Technically restricted staff's options to download programmes; limited use of local administrators and Domain Administrators; systematic software updates.
HOW WE DEFINED BEST PRACTICE
In October 2012, the Australian Department of Defence estimated that around 85 % of all cyber attacks can be mitigated through the implementation of these few security controls:
1. technical restriction of download of programs from the Internet (whitelisting);
2. limited use of local administrators;
3. systematic software updates.
The three controls are also found on the SANS Institute's prioritised list of 20 critical security controls, referred to as "quick wins". According to the Danish GovCert, the conclusions from the Australian report and other similar reports can be transferred to a Danish setting. The Danish National Audit Office is of the opinion that, unless otherwise justified, implementing the three security controls is now to be considered good practice.
HOW WE CONDUCTED THE SURVEY
We spent the first 4 weeks scanning the market for security tools to analyse and test if the 3 security controls were implemented. No. We simply asked the clients: have you implemented
1. technical restriction of download of programs from the Internet (whitelisting)?
2. limited use of local administrators?
3. systematic software updates?
4. If yes, we asked for documentation.
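The audit relied on self-reporting backed by documentation. As an added example (not from the Rigsrevisionen report or this presentation), the following PowerShell script gathers read-only evidence for the three controls on a single Windows host, in the form the auditors asked for. It assumes Windows 10 / Server 2016 or later, an elevated PowerShell 5.1 session, and that the AppLocker module is available; the thresholds (at most 2 local administrators, newest update at most 30 days old) are this example's choices, not figures from the report.

```powershell
# Added example, not code from the Rigsrevisionen report or presentation.
# Read-only evidence collection for the three controls on one Windows host.
# Assumptions: Windows 10 / Server 2016+, elevated PowerShell 5.1, AppLocker
# module present. The thresholds below are this example's choices.

function Test-ApplicationWhitelisting {
    # Control 1: an effective AppLocker policy must exist and enforce Exe rules.
    try {
        [xml]$policy = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Control = 'Whitelisting'; Implemented = $false
                                  Evidence = "AppLocker policy unreadable: $($_.Exception.Message)" }
    }
    # With no policy configured the XML has no RuleCollection elements at all.
    $exe = @($policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' })
    if ($exe.Count -eq 0) {
        $implemented = $false
        $evidence    = 'No Exe rule collection in effective policy'
    } else {
        $rules       = $exe[0].ChildNodes.Count
        # AuditOnly mode logs but does not block, so only 'Enabled' counts.
        $implemented = ($exe[0].EnforcementMode -eq 'Enabled') -and ($rules -gt 0)
        $evidence    = "Exe collection EnforcementMode=$($exe[0].EnforcementMode), rules=$rules"
    }
    [pscustomobject]@{ Control = 'Whitelisting'; Implemented = $implemented; Evidence = $evidence }
}

function Test-LocalAdministrators {
    param([int]$MaxMembers = 2)   # example threshold
    # Control 2: enumerate the built-in Administrators group by its well-known
    # SID (S-1-5-32-544) so the check does not depend on the localised name.
    $members = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
                 ForEach-Object { "$($_.Name) ($($_.ObjectClass))" })
    [pscustomobject]@{
        Control     = 'Local administrators'
        Implemented = ($members.Count -le $MaxMembers)
        Evidence    = "$($members.Count) member(s): " + ($members -join ', ')
    }
}

function Test-SoftwareUpdates {
    param([int]$MaxAgeDays = 30)  # example threshold
    # Control 3: the most recent installed Windows update must be reasonably fresh.
    # Note: Get-HotFix only sees OS updates, not third-party applications.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest) {
        return [pscustomobject]@{ Control = 'Software updates'; Implemented = $false
                                  Evidence = 'No installed updates with a date found' }
    }
    $age = (Get-Date) - $latest.InstalledOn
    [pscustomobject]@{
        Control     = 'Software updates'
        Implemented = ($age.TotalDays -le $MaxAgeDays)
        Evidence    = "Latest $($latest.HotFixID) installed $($latest.InstalledOn.ToString('yyyy-MM-dd')), $([int]$age.TotalDays) day(s) ago"
    }
}

function Get-CyberControlReport {
    # Runs all three checks and writes them to CSV as audit documentation.
    param([string]$OutFile = "$env:COMPUTERNAME-controls.csv")
    $results = @(Test-ApplicationWhitelisting; Test-LocalAdministrators; Test-SoftwareUpdates) |
        Select-Object @{ n = 'Host'; e = { $env:COMPUTERNAME } }, Control, Implemented, Evidence
    $results | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    $results
}

Get-CyberControlReport | Format-Table -AutoSize
```

Two caveats a practitioner would want: `Get-HotFix` reports only operating-system updates, so the third control (which in the report covers all applied software) needs a separate inventory of application versions; and an AppLocker collection in `AuditOnly` mode is deliberately counted as not implemented, because it logs downloads without blocking them.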
Objective no. 1: Examination of the three security controls. Had the selected government bodies implemented the three recommended security controls?
The results of the examination
Conclusion objective no. 1: The data for which the government bodies were responsible was not, at the time of the examination, adequately protected, and the level of security exposed the IT systems and confidential data to undue risk of cyber attacks.
Objective no. 2: Examination of specific security controls at the Danish Agency for Governmental IT Services (shared service centre solution): the risk of cyber attacks spreading, and the risk connected to extensive use of domain administrators.
The results of the examination
1. It turned out that the Danish Agency for Governmental IT Services had not assessed the risk of an attack on one government body compromising the IT security of the agency's other clients.
2. Nor had the agency conducted tests to establish whether an attack on one government body could compromise the system security of the agency's other clients.
3. The Danish Agency for Governmental IT Services had granted rights and permissions to a large number of domain administrators, a practice that represents a significant risk in relation to potential attacks.
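Finding 3 concerns standing domain-level privilege rather than the local Administrators group. As an added example (not from the Rigsrevisionen report), this PowerShell script counts the effective membership of the high-privilege Active Directory groups, expanding nested groups so indirect members are included. It assumes a domain-joined host with the RSAT ActiveDirectory module; the threshold of 5 enabled members per group is this example's choice, not a figure from the report.

```powershell
# Added example, not code from the Rigsrevisionen report or presentation.
# Reports effective membership of privileged AD groups for audit documentation.
# Assumptions: domain-joined host, RSAT ActiveDirectory module installed,
# account with read access to the directory. Threshold is an example value.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [int]$MaxMembers = 5
    )
    foreach ($g in $Groups) {
        # -Recursive expands nested groups, so accounts that are admins only
        # through group nesting are counted as well.
        $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                     Where-Object { $_.objectClass -eq 'user' })
        # Disabled accounts are reported separately: they are not usable today
        # but remain standing privilege until they are removed from the group.
        $enabled = @($members | Get-ADUser | Where-Object { $_.Enabled })
        [pscustomobject]@{
            Group       = $g
            Members     = $members.Count
            Enabled     = $enabled.Count
            WithinLimit = ($enabled.Count -le $MaxMembers)
            Names       = ($enabled.SamAccountName -join ', ')
        }
    }
}

$report = Get-PrivilegedGroupReport
$report | Format-Table -AutoSize
$report | Export-Csv -Path 'privileged-groups.csv' -NoTypeInformation -Encoding UTF8
```

In a shared service centre the same report should be produced per client domain or forest, since the finding is that one compromised body could reach others through shared administration; a single domain's count does not show that exposure.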
Conclusion objective no. 2: The Danish Agency for Governmental IT Services has not, to the extent required, addressed the risk that a cyber attack on one government body with inadequate security controls could spread to other bodies, for instance through the shared services.
Objective no. 3: We checked whether the risk associated with a decision not to implement the controls had been recorded in the risk assessment reports in a manner that reflected that management had addressed the risk and the possibilities of mitigating cyber attacks.
The results of the examination, objective no. 3: None of the four government bodies had, in their risk assessments, recorded why technical restrictions concerning downloads from the Internet had not been implemented.
Does it matter? Should we be concerned? If yes, why?
Some samples from out there
Several of the government agencies that rely on the services provided by the Danish Agency for Governmental IT Services have in recent years been affected by successful cyber attacks. According to the Danish Centre for Cyber Security, some of the attacks could have been avoided, and the consequences of the majority of the attacks considerably reduced, if the three security controls referred to in this report had been implemented in the agencies.
Hacker attack against the Ministry of Business and Growth (Erhvervs- og Vækstministeriet), 2012. Søren Vulff, Deputy Director, Statens It
April 2014
STATENS IT SHUTS DOWN THE INTERNET CONNECTION TO EVM AND CARRIES OUT ANALYSIS/CLEAN-UP
WHAT HAPPENED? We do not know who was behind it, but everything points to a state-sponsored actor. We do not know whether they got hold of anything, and if so, what it was. We do know, however, that they did not get into any of the central systems. As we followed them via logs, we could see that they were deliberately looking for operational documentation and system descriptions. They worked during Danish office hours. We were ready at all times to cut the connection if they approached vital systems.
WHAT DID WE LEARN? Nobody knows how long it is going to take! Time is limited, so the effort must be highly targeted. Clear division of roles, not only regarding the technical side but also regarding emergency management and communication, including handling of the press. We were helped by the fact that we were in the middle of a consolidation and could very quickly prioritise deploying IPS units (Intrusion Prevention System) for the Ministry of Business and Growth's network. We built up a very fruitful collaboration with other authorities during the situation.
Who's targeted? Verticals; hundreds of targets; dozens of campaigns; direct/indirect attacks. Source: Symantec Security Response.
Norway hit by hackers (Danish newspaper, 21 March 2014). Den Nationale Sikkerhedsmyndighed (NSM) registered 15,815 security events in 2013; 50 were registered as successful hacker attacks! Targets: governmental agencies, the defence industry and the technology industry.
Headlines: "Hackers took over Gjensidige's websites"; "Massive attacks hit Norwegian servers: PCs use NTP servers to synchronise date and time, and on Monday these servers were the target of a powerful DDoS attack"; "A Norwegian municipality is subjected to 6,000 computer attacks per day".
Nobody is too small to be hit by a cyber attack. Excerpts from the Danish Beekeepers' Association's annual report: The Danish Beekeepers' Association operates several websites. We've had problems with hackers, among others on biplanter.dk and honningfestival.dk. The latter has been hacked twice in the past year. Now both sites have been cleaned and updated, so that it will not happen again.
What was our goal in bringing this area into focus?
1. To put cyber security on the agenda of policy makers at the Danish government bodies. Attacks on several government bodies in recent years have accentuated the need for increased security in the public sector.
2. To spread the word that these three simple and cheap central security controls can prevent the majority of the currently known types of attacks.
3. It goes hand in hand with the implementation of ISO 27001 (to be implemented by all Danish governmental agencies by 2014).
Thank you for your attention. The report can be downloaded from www.rigsrevisionen.dk (in Danish and English): http://www.rigsrevisionen.dk/media/1943098/forebyggelse-af-hackerangreb.pdf