24.7 Discussions between Ernest and the CERT on the events of 26 June 2018

452. The TigerConnect chat logs show that around pm to pm on 26 June 2018, members of the chat group were discussing the use of the SA. account. Ernest was enquiring why the account could be used to login to the server via RDP, stating that such a means of access was “weird”, and asked if “even tat acct got prob?”. Benjamin replied that it was “possible the attacker guessed the password”. Shortly after, Ernest replied stating “guys pl secure yr citrix accts…please…they oredi know yr passwords”.

453. While the face of the chat logs strongly indicates that there was awareness amongst the CERT and Ernest that they were dealing with an attacker, Ernest has sought to explain that (i) Benjamin was merely raising the possibility that an attacker guessed the password, but Ernest himself did not believe this, and (ii) Ernest’s own statement that “they oredi know yr passwords” was “made up” by himself, “just to pressurise the Citrix Team to quickly secure the accounts”. Ernest’s account is that he did not think they were dealing with a security incident at that point in time.

454. Likewise, Wee, who was then on medical leave, occasionally glanced at the updates sent by Benjamin in the TigerConnect group, but took no further action.

24.8 Assessment of IHiS’ incident response of 26 June 2018

455. To begin with, the events prior to 26 June 2018 were already highly indicative of a security incident. In the face of the events of 26 June 2018, it should have been abundantly clear that IHiS was facing a serious security incident that had to be reported. CSA has identified three facts which, in particular, underscore the seriousness of the events of the day:

a) First, the SA. account, which had been removed from the administrator group on 13 June 2018, was added back to the