Case studies


Risks of a compromised website: A PHYSEC, INFOSEC case study

This case study looks at the possible risks associated with managing a public website.

Themes covered include:

  • risks of having official or government information compromised
  • effect of having aggregated information compromised
  • appropriately protecting government information and information storage methods.

Scenario – what happened

A government agency that liaises extensively with external and foreign partners has a thorough and content-rich website to maintain its relationships and provide the public with information. 

The information, documents and resources on the agency’s website are all non-protectively marked information, covering the agency’s structure, trade relationships and various policies and legislation. 

To date, the agency has not conducted a risk assessment on having the information published online.

However, it is discovered that due to poor coding, a hostile foreign agency could hack the agency’s firewall to access all public content, as well as information in a private back-end database not intended for public release. 

Allowing hackers to access to such a range of information would lead to a catastrophic compromise of information and irreparably damage the reputation of the agency.

Lessons – what should have happened

The agency made several errors in this scenario.

The agency should have:

Considered the risks of official or government information becoming compromised

Agencies must factor more than protective markings into their risk assessments when considering the compromise of official or government information. 

As part of a risk assessment a Business Impact Level (BIL) assessment should consider the value of information beyond the protective marking of sections of information or individual documents.

This is particularly relevant to aggregated information, whether it is aggregated on an internal database or accessible in a way that allows it to be aggregated, for example, non-protectively marked information publically available online. 

Special consideration should be given to aggregated information because while the individual components or documents may be assessed to have low value or be non-protectively marked when in isolation, the business impact from the compromise of that information combined may be very high and/or warrant a national security classification.

Considered the effect of having aggregated information compromised

Agencies should consider the effect of a compromise to aggregated information on functionality and the provision of services, client/customer assurance and confidentiality and operational, reputational and/or monetary capability.

Appropriately protected its information and used correct information storage methods

Agencies must ensure they appropriately protect their aggregated information and the devices and/or methods for storing that information:

  • outward/client-facing websites should be appropriately firewalled, coded and have gateway technology applied to prevent unauthorised access or extraction
  • a code audit should be regularly conducted of any web applications to identify any potential vulnerabilities
  • application and web server whitelisting should be used to prevent unauthorised or unwanted execution of files
  • patches for online services (including the maintenance of information-only web pages) and associated web-servers should be actioned as a priority by the agency’s IT support the protection given to data storage devices must be commensurate with the business impact of the compromise of the aggregate of information stored on those devices
  • systems that store or host content should be resilient and responsive to incidents, crises and disasters.

For example:

  • Is ICT equipment, such as servers, protected from physical threats such as flooding, fire, power surges or access from unauthorised persons?
  • Is there a backup ICT system or business continuity plan in place should the primary system fail?
  • Are there plans/procedures in place for high volume usage/access during emergencies?

Page last modified: 5/08/2019