COI Report – Part VII
Page 408 of 425

50 RECOMMENDATION #15: COMPETENCE OF COMPUTER SECURITY INCIDENT RESPONSE PERSONNEL MUST BE SIGNIFICANTLY IMPROVED

#RESPONSE PEOPLE DEVELOPMENT

1185. While IHiS does appear to have some in-house capability for dealing with cyber threats, the evidence shows that insufficient emphasis was placed on ensuring that security personnel were adequately trained and equipped to perform their functions effectively and competently. Although the IR-SOP does provide for a Security Incident Response Team (“SIRT”), a Computer Emergency Response Team (“CERT”), and a Security Incident Response Manager (“SIRM”), the reality was that the CERT was almost untrained, poorly equipped, and badly led, as the SIRM was unsure of his role and functions. This section elaborates on how these shortcomings should be addressed. The key point is that security personnel must be taken seriously, and cannot simply be left to languish in obscurity without adequate training and support, both managerial and material.

50.1 The Computer Emergency Response Team must be well trained to more effectively respond to security incidents

1186. When computer security incidents occur, it is critical for an organisation to have an effective way to respond. Organisations which are adequately resourced establish in-house CERTs [116], who act as first-responders to security incidents, when the need arises. Failure of these teams to quickly and effectively respond to security incidents can have far-reaching effects.

[116] CERTs are also sometimes called Computer Security Incident Response Teams (“CSIRTs”).

1187. Composition of the CERT. The SingHealth CERT was formed in March 2018 and comprised three people: a) Benjamin, b) Zac, and c) Azzlan.

1188. Out of the three members of the CERT, only Benjamin had been with IHiS for a significant period of time – Zac and Azzlan only joined IHiS in April and February 2018 respectively. The only training conducted for the CERT was a half-day course conducted by an external consultant on the use of forensic software. Benjamin had gone for one incident response course (“Hacker Tools, Techniques and Incident Handling” by SANS Institute), but had not otherwise received any formal incident response training. Zac and Azzlan did not receive any formal training for their roles. Furthermore, there was no reporting hierarchy within the CERT, and there were no proper procedures for assigning cases to members of the CERT.

1189. Deficiencies in CERT training. Vivek observed that the following deficiencies with the CERT’s training contributed to IHiS’ failure to mount a proper response to the Cyber Attack:

a) The team was provided training on how to use certain tools. However, this was only a half-day training. These tools are very complex and advanced, and half a day is not enough to understand even the basic features of one of the two tools. Therefore, it is impossible that the CERT could have been adequately trained to use these two tools.