National Audit Office of Denmark

Extract from the report to the Public Accounts Committee on the access to IT systems that support the provision of essential services to the Danish society

2015 report

The report is focused on the significant risk that is associated with inadequate management and control of domain administrator privileges, which makes it possible for unauthorized persons to obtain access to the IT systems and data of the institutions. Rigsrevisionen has not examined for what specific purposes unauthorized access to the institutions’ systems and data can be used.

In the report: part Conclusions (page 3)

- The study revealed a number of weaknesses in the management and control of domain administrator privileges in all six institutions. Rigsrevisionen would like to highlight the fact that the institutions have not adequately limited the number of domain administrator privileges.

In the report: part Purpose and Conclusions (page 2-3)

- Rigsrevisionen would like to highlight the fact that the institutions have not changed non-personal passwords annually, and the majority of these passwords are up to seven years old. A few of the passwords have not been changed since the late 1990s.

In the report: page 4

- The study showed that the use of domain administrator privileges was inadequately logged; for instance, individuals with domain administrator privileges had the option to delete the log. In one case, they could also change data in the log. A trusted IT employee has the option to delete the log either by using his own administrator account or by using a system or service account with domain administrator privileges. Furthermore, a hacker, who e.g. has hacked an account with domain administrator privileges, can also delete log files, which can impede an investigation of security incidents.

In the report: page 4

- The study revealed that five of the institutions are not reviewing their log files regularly, which reduces their chances of detecting and resolving abuse of domain administrator privileges and IT security breaches.
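As an added illustration, not part of the audit report or the Subgroup's text, the following Python script applies the report's criteria to a constructed privilege export and audit log: the number of accounts holding domain administrator privileges, non-personal passwords not rotated within a year, and log-clearing events that a regular log review should pick up. The field names and sample values are assumptions made for this example.

```python
from datetime import date

# Constructed sample data (not from the report): a privilege export listing
# every account that holds domain administrator rights, and a few audit
# log events. Field names are assumptions chosen for this example.
SAMPLE_ADMINS = [
    {"name": "jdoe-admin",  "personal": True,  "password_last_set": date(2015, 3, 1)},
    {"name": "svc-backup",  "personal": False, "password_last_set": date(2009, 6, 15)},
    {"name": "svc-monitor", "personal": False, "password_last_set": date(1998, 11, 2)},
    {"name": "svc-deploy",  "personal": False, "password_last_set": date(2014, 12, 1)},
]
SAMPLE_EVENTS = [
    {"time": "2015-05-30T08:12:00", "account": "jdoe-admin", "action": "logon"},
    {"time": "2015-05-30T23:41:00", "account": "svc-backup", "action": "audit_log_cleared"},
    {"time": "2015-05-31T09:05:00", "account": "jdoe-admin", "action": "group_membership_changed"},
]

def stale_non_personal_passwords(admins, today, max_age_days=365):
    """Return (name, age_in_years) for each non-personal domain admin account
    whose password is older than the annual rotation the report expects.
    Personal accounts are skipped: they fall under a different policy."""
    stale = []
    for acct in admins:
        if acct["personal"]:
            continue
        age_days = (today - acct["password_last_set"]).days
        if age_days > max_age_days:
            stale.append((acct["name"], age_days // 365))
    return stale

def log_clearing_events(events):
    """Return audit events in which the log itself was cleared. The report
    notes that holders of domain admin privileges could delete the log, so
    such records are exactly what a regular log review must surface."""
    return [e for e in events if e["action"] == "audit_log_cleared"]

def review(admins, events, today):
    """Summarise the checks: how many accounts hold domain admin rights,
    which non-personal passwords are stale, and who cleared the log."""
    return {
        "domain_admin_count": len(admins),
        "stale_non_personal": stale_non_personal_passwords(admins, today),
        "log_cleared_by": [e["account"] for e in log_clearing_events(events)],
    }

if __name__ == "__main__":
    print(review(SAMPLE_ADMINS, SAMPLE_EVENTS, date(2015, 6, 1)))
```

Run against a real export, the same script would list the service accounts whose passwords date back years, which is the finding the report highlights.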

The risk cases visible on this page are collected and described by the e-Government Subgroup of the EUROSAI IT Working Group in contact with the authoring Supreme Audit Institutions (SAIs). In the same way, the analytical assumptions and headings are chosen by the Subgroup. We encourage you to read the original texts by the SAIs, which can be found in the linked files.