Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part VII Page 303 of 425

Attackers will target persons who are granted these exceptions and use one of their credentials to break into restricted systems.

40.3 Use of passphrases instead of passwords should be considered to reduce risk of accounts being compromised

883. Passwords have long been the preferred method of user authentication, but poor password practices cause security issues. Attackers have developed sophisticated and effective methods to “brute force”⁸⁰ passwords. This means passwords can be compromised if they are weak or easy to guess.

884. Passwords appear to be a significant weakness in IHiS’ cyber defences. The evidence shows that employees used passwords that met the most basic requirements of the password policy, but were not strong enough to resist compromise. IT administrators used simple passwords that were too easily decipherable. That “P@ssw0rd” was a commonly used password for privileged accounts is deeply concerning. It is notable that weak passwords appear to have been a perennial problem for IHiS’ cyber defences – they were identified as vulnerabilities after penetration testing by the GIA at three local sites in FY. They were in fact also identified as persisting vulnerabilities, as they were not only identified in FY, but had been previously highlighted for remediation in the FY GIA Audit Report.

885. Reliance on passwords, and the ease with which attackers can defeat those passwords, has resulted in a negative feedback loop where users have been subjected to increasingly complex composition rules (uppercase, lowercase, numerals and special characters, increasing length requirements, and password expiry requirements.

⁸⁰ A brute force attack consists of an attacker trying many passwords with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords until the correct one is found.
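The point of paragraphs 883 to 885 and footnote 80 can be made concrete with a small checker. The following is an added example written for this page, not code from the COI report or from IHiS: it shows that “P@ssw0rd” satisfies a typical composition policy (length 8, upper, lower, digit, special) yet reduces to the dictionary word “password” once an attacker’s mangling rules undo the leet-speak substitutions, so it falls within the first few thousand guesses of a dictionary attack, whereas a multi-word passphrase fails the composition policy and still resists guessing far better. The common-password list, the leet-speak table, the number of mangling variants (1000), the passphrase word-list size (7776), the offline guess rate (10¹⁰ per second) and the 50-bit acceptance threshold are all assumptions chosen for illustration; a real deployment would screen against a breached-password corpus of millions of entries.

```python
import math
import re

# Constructed sample of a breached/common password list (assumption).  A real
# check would use a corpus of millions of entries, e.g. the Have I Been Pwned list.
COMMON_PASSWORDS = {
    "password", "welcome", "admin", "letmein", "qwerty", "singhealth", "changeme",
}

# Leet-speak substitutions that password-cracking mangling rules apply and undo.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

MANGLING_VARIANTS = 1000   # assumption: rule variants an attacker tries per base word
WORDLIST_SIZE = 7776       # assumption: attacker knows the passphrase word list (Diceware size)
GUESSES_PER_SECOND = 1e10  # assumption: offline cracking rate against a fast hash
MIN_EFFECTIVE_BITS = 50    # assumption: acceptance threshold for a new password


def meets_composition_policy(pw: str) -> bool:
    """The 'most basic requirements' style policy: at least 8 characters with
    upper case, lower case, a digit and a special character.  "P@ssw0rd"
    satisfies every rule."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def _base_words(pw: str):
    """Yield the dictionary words an attacker's rules would reduce pw to:
    lower-case it, optionally strip leading/trailing digits and symbols that
    users append to satisfy policies, then undo leet-speak substitutions."""
    low = pw.lower()
    yield low.translate(LEET)
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    yield core.translate(LEET)


def is_common_after_mangling(pw: str) -> bool:
    """True if the password is a common word once mangling is undone."""
    return any(w in COMMON_PASSWORDS for w in _base_words(pw))


def charset_size(pw: str) -> int:
    """Size of the alphabet an exhaustive search must cover, by character class."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33   # printable ASCII punctuation and space
    return size


def brute_force_bits(pw: str) -> float:
    """Upper bound, log2(charset ** length): what a pure brute-force search faces."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def effective_bits(pw: str) -> float:
    """Conservative guessing-resistance estimate:
    - a common word after undoing mangling is found within the first few
      thousand guesses of a dictionary attack, whatever its apparent charset;
    - a passphrase of three or more words is scored as words * log2(wordlist),
      i.e. assuming the attacker knows the word list;
    - anything else gets the brute-force bound."""
    if is_common_after_mangling(pw):
        return math.log2(len(COMMON_PASSWORDS) * MANGLING_VARIANTS)
    words = pw.split()
    if len(words) >= 3:
        return len(words) * math.log2(WORDLIST_SIZE)
    return brute_force_bits(pw)


def expected_crack_seconds(bits: float) -> float:
    """Expected time to hit the password (half the guess space) at GUESSES_PER_SECOND."""
    return (2 ** bits) / 2 / GUESSES_PER_SECOND


def evaluate(pw: str) -> dict:
    """Composition-policy result beside the guessing-resistance estimate."""
    bits = effective_bits(pw)
    return {
        "composition_policy": meets_composition_policy(pw),
        "common_after_mangling": is_common_after_mangling(pw),
        "brute_force_bits": round(brute_force_bits(pw), 1),
        "effective_bits": round(bits, 1),
        "expected_crack_seconds": expected_crack_seconds(bits),
        "verdict": "acceptable" if bits >= MIN_EFFECTIVE_BITS else "weak",
    }


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Passw0rd!2019", "pink tractor eats warm noodles"):
        print(candidate, evaluate(candidate))
```

Running the block prints, for “P@ssw0rd”, a composition-policy pass, a brute-force bound of about 52.6 bits, but an effective strength of under 13 bits and an expected crack time well under a second; “Passw0rd!2019” fares no better because the appended characters are stripped before the dictionary lookup. The five-word passphrase fails the composition policy yet scores about 64.6 bits even when the attacker is assumed to know the word list, which is the reason the heading above favours passphrases over composition rules.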