The NSW Auditor-General claims to have found "no major security flaws" in two New South Wales agencies selected for penetration testing and high-level scanning of emails.
Experts were engaged to test the security of two unnamed NSW agencies certified to ISO 27001, the Auditor-General's brief report has revealed.
The Auditor-General's department refused to disclose which agencies had been tested.
The penetration testing uncovered several "non-major" security issues facing government agencies, including SQL injection, in which attacker-supplied input passes through a web application into SQL commands that the backend database then executes.
"It is perhaps one of the most common attack techniques currently used with the usual object being data theft," the report noted.
The attack can be readily countered by validating input on the server side, replacing string-built queries with parameterised (prepared) statements, restricting the use of dynamic SQL, and moving database logic into stored procedures. The last two measures only help if the stored procedures and any remaining dynamic SQL do not themselves concatenate untrusted input into query text; parameter binding is the control that actually separates data from SQL syntax.
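The following is an added illustration of the injection and its fix, not code from the report or from either audited agency. It uses Python with an in-memory SQLite database and a constructed users table: the first login function builds its query by string formatting and is bypassed by a classic `' OR '1'='1` payload, the second binds the same inputs as parameters and is not, and a third function shows how to handle the one case parameters cannot cover (a column name in ORDER BY) by restricting dynamic SQL to an allow-list. Table and column names, the sample users and the payload are all hypothetical.

```python
import sqlite3

# Constructed sample data for this example only (not from the audited agencies).
# Passwords are stored in plaintext purely to keep the example short; a real
# application stores salted password hashes.
USERS = [("alice", "correct horse"), ("bob", "hunter2")]

# A payload that closes the password literal and appends an always-true clause.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Dynamic SQL built by string interpolation: input becomes SQL syntax."""
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    # With PAYLOAD as the password this becomes
    #   ... WHERE username = 'x' AND password = '' OR '1'='1'
    # which is true for every row, so the first user is returned.
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username, password):
    """Bound parameters: the driver keeps values separate from the statement text,
    so quotes and SQL keywords inside the input are compared as data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Identifiers (table and column names) cannot be bound as parameters, so this
# is the one place dynamic SQL remains; it is restricted to a fixed allow-list.
ALLOWED_SORT_COLUMNS = {"username"}


def list_users_sorted(conn, column):
    """Return usernames ordered by an allow-listed column name."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {column}")
    return [r[0] for r in rows]


def demo():
    """Run the payload against both login functions and a legitimate login."""
    conn = make_db()
    bypassed = login_vulnerable(conn, "nobody", PAYLOAD)      # -> "alice"
    blocked = login_parameterised(conn, "nobody", PAYLOAD)    # -> None
    legitimate = login_parameterised(conn, "alice", "correct horse")  # -> "alice"
    return bypassed, blocked, legitimate


if __name__ == "__main__":
    print(demo())
```

The vulnerable function authenticates a user who does not exist, because the payload changes the shape of the WHERE clause; the parameterised version compares the whole payload string against the stored password and fails. The same pattern applies to stored procedures: a procedure that assembles its own SQL from its arguments with string concatenation reintroduces exactly the flaw the allow-listed ORDER BY avoids.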
Other weaknesses identified in the Auditor-General's penetration testing included:
- Remote access sessions that were not terminated.
- Sniffing: data exchanged between systems and remote applications travelled in cleartext, where it could be read and modified in transit.
- Weak encryption methods.
- Login credentials stored by the user's web browser.
- Out-of-date operating system software with known vulnerabilities.