Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part III Page 81 of 425 accounts did notarise, and there was no verification on whether the policy was implemented in respect of these accounts. 240. Evidently, the need to apply the same password policies to local administrator accounts was overlooked by the Citrix Team and Woon Lan. In addition to this oversight, IHiS’ usual approach of implementing and enforcing password policies did not apply to local accounts for the SGH Citrix servers. 241. Password policies are usually effectuated in IHiS through the use of the Group Policy Object (“GPO”), which automate the implementation and enforcement of policies. GPOs should apply to all servers by default, except for groups of servers which have the block policy inheritance setting applied. Applying block policy inheritance prevents group policies from being inherited from these servers. The SGH Citrix servers were part one such group of servers which had group policy inheritance applied. As such, the GPOs implementing the complex password policy and policy for the deactivating of dormant accounts was not applied to the LA. account. 242. Lum has explained that the password was not meant to expire because it was the local administrator account that would be used as a last resort for accessing the server if administrators were unable to use their active directory domain administrator accounts for whatever reason. It is not apparent to the Committee how any of the password policies mentioned above would necessarily prevent the use of the account as a backup means of access, since all that is required is a proper process to be put in place to manage the change in passwords or disabling of the account due to it being dormant. 243. It also bears mention that the LA. account was last legitimately used on 13 October 2017, after the institution of the new password policy. While no evidence has been led on this particular point, it appears that the administrator who had used the account and presumably keyed in the password paid no heed to the fact that the password was against IHiS’ policies.
