National Audit Office of Denmark

Report to the Public AccountsCommittee on mitigation of cyber attacks Read full text in English

2013 report autoID-Rigsrevisionen:20140212212745

This report concerns the action taken by Danish government bodies to prevent cyber attacks. Behaving sensibly in cyberspace to avoid attacks is important, but should be supplemented by technical security controls that can increase security and mitigate cyber attacks. International studies have concluded that three central security controls can prevent the majority of the currently known types of attacks: - technical restriction of download of programmes; - limited use of local administrators; - systematic software updates. Rigsrevisionen has assessed whether the government bodies in the study have addressed the risk of cyber attacks and whether they have implemented these three security controls.

In the report: part Main Conclusion (page 5)

- None of the four audited agencies had addressed their own exposure to cyber attack risk in their risk assessment reports

- Management had not addressed how a decision not to implement the basic security controls would affect the security of the agency

In the report: part Responsibility for the security of the government bodies (page 13)

- It appears from the standard agreement entered between the Danish Agency for Governmental IT Services and the clients that the agency is responsible for the IT infrastructure operations and security, whereas the government bodies are responsible for running and ensuring the security of their professional support systems

- the agreement also refers to security updates, but not to download of programmes or the use of local administrators

- Rigsrevisionen is of the opinion that the agreement does not clearly specify how responsibilities concerning the security controls referred to in this report, should be divided between the parties

- choices made by the individual government bodies concerning their professional support systems affect the agency’s efforts to develop a secure IT infrastructure, which again affects the security of the government bodies

- the agency’s choices concerning the IT infrastructure security affect the government bodies’ business opportunities

In the report: part Examination of the three security controls (page 7-8)

- none of the government bodies had implemented any technical restrictions concerning downloads

- the four government bodies have all chosen to grant local administrator privileges to all members of staff

- The Agency for Governmental IT Services and the Danish Energy Agency are both updating their programmes systematically, as opposed to the two other bodies in the study

- this approach increases the risk that staff members – unknowingly – download malicious software like, for instance a hacker’s remote control software

- An attacker may take over the rights of a local administrator and, for instance, close the anti-virus programmes and other programmes designed to mitigate attacks, and then proceed to gain access to other IT systems in the organisation. The system privileges of local administrator can be used by attackers to install various malicious programmes on the computer.

- attackers may use weaknesses in programmes like, for instance, Adobe Reader, Adobe Flash Player, Java and the browsers (e.g. Internet Explorer) that are installed on most computers

The risk cases visible on this page are collected and described by the e-Government Subgroup of the EUROSAI IT Working Group in contact with author Supreme Audit Institutions (SAI). In the same way, analytical assumptions and headings are chosen by the Subgroup. We encourage you to read the original texts by SAIs - to be found in the linked files.