Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

27 EVENTS OF 5 TO 8 JULY 2018
27.1 Meeting at am on 5 July 2018 between the Security and Citrix Teams
516. At around am on 5 July 2018, a meeting was led by Ernest, with Wee and members of the CERT also in attendance, and with Lum and the Citrix Team calling in. The attendees discussed the events of 4 July 2018, and the focus was on the security of the Citrix servers. Ernest was also trying to relate the events of 4 July 2018 to the earlier events of 26 June 2018.
517. With the understanding that RDP had been used to access Citrix Server 2 and that there was no hardware firewall between end-user workstations and Citrix Server 2, Ernest asked Lum if the built-in Windows firewall could be used to block RDP. Such a firewall rule was in fact instituted later on 5 July 2018.
518. The Citrix Team also changed their administrator passwords on the advice of the Security Management Department, out of concern that the passwords may have been compromised.
519. The fact that, based on the logs, neither the LA. nor the SA. accounts were used to log in to Citrix Server 2 was also discussed.
520. Thereafter, Lum left the meeting and the discussion turned towards the forensic investigations that were being carried out. The CERT informed Ernest that investigations were still ongoing, but they had not found anything suspicious. It was also recognised that a problem they faced was that they only had one computer, Benjamin’s personal computer, on which digital forensic examinations were carried out.
521. On Wee’s part, he recalled that the discussion was about the SGH Citrix servers and the use of the SA. account to log in to the servers. He did not think the use of the SA. account was a security incident, and “did not probe further as to why there was a need for strengthening of the SGH server security”, simply on the basis that the SA. account “was a valid one”. He also did not link the contents of this discussion with the SQL queries that he was informed of the previous evening. Accordingly, he took no steps to report the matter, and left it to Ernest and the team to investigate further.

COI Report – Part IV, Page 166 of 425

522. Benjamin asked at the meeting whether the matter should be escalated to IHiS senior management, in light of everything that had happened in June 2018 and on 4 July 2018. However, Ernest took no steps to do so, despite the fact that he was, by his own account, “bordering on the conclusion that this was a security incident”.
