In the last four to five years, penetration testing has become an integral component of the IT security audits that the OAG carries out in the public administration. The penetration tests have exposed serious discrepancies that we have reported both to the audited organisation and in the AG’s annual report to Parliament.
The reason for using penetration tests as part of our methodology is as a natural consequence to the threat level and challenges that the public administration faces in a digitalised world.
In the late 90's, our IT audits often included analysis of system documentation and procedures. We uncovered many weaknesses, and the auditees eventually advanced in developing policies and procedures. In the early 2000’s, we started extracting data from financial and management systems, such as usernames, access rights, password- and log setups. Again, our reports resulted in greater awareness and improvements in this area.
Digitalisation of the public administration increased throughout the 2000s, as did exposure to the internet. Hence, IT audit shifted its focus to Information Security Management System (ISMS), and we extracted more and more configuration data from networks, firewalls and operating systems. This to ensure that IT security is managed appropriately, both through implementation of an ISMS framework and secure configuration of systems and networks. These audits have identified several vulnerabilities. The public administration has corrected some of these weaknesses in their systems; however, they lack a holistic approach.
To assess whether the overall security is sufficient, we have now added penetration testing to our toolbox. We wanted to find out, regardless of the implementation of ISMS and secure configurations, whether we still could be able to break into and gain control of key systems and access sensitive data. The penetration tests have exposed serious vulnerabilities that the auditees have acknowledged and have started to correct.
Simplified model of how penetration testing can be a tool in ISMS audits
It is important to note that penetration tests are carried out in collaboration with the auditee and is one of several methods to shed light on the security measures at the auditee. Penetration testing alone cannot cover all attack vectors. It is also important to point out that even if we, through our penetration tests should not be successful, it does not mean that others with more time and resources will not be.
In summary, our experience is that penetration testing in combination with traditional IT audit is a good approach to strengthen information security in the public sector.
By Børre Lagesen, special advisor, SAI Norway