COI Report – Part IV Page 136 of 425

time of the Cyber Attack. In this regard, Benjamin did well by applying himself to the problem at hand, and coming up with the appropriate responses to the best of his abilities.

409. In contrast, Wee’s response was clearly inadequate. Under the IR-SOP, Wee was accountable for incident response. Despite being apprised of a series of investigations into what were, by Wee’s own admission, circumstances involving a potential risk to a CII system, and by a channel used specifically for reporting of security issues and risk (i.e. TigerConnect), he did not make further inquiries, and instead passively waited for updates.

410. This also raises the issue of whether the incident should have been escalated by Wee to IHiS’ senior management, and onto CSA. In the course of evidence, CSA has identified two facts which would, in themselves, have been sufficient reasons for escalation:

a) First, the unauthorised logins to Citrix Servers 2 and 4, which are both systems that were directly connected to a CII system; and

b) Second, the series of failed logins to the SCM database, which happened over a short period of time and was indicative of persistent attempts at accessing a CII system.

411. The fact is that by 13 June 2018, Benjamin and Wee had been apprised of the events of 11 to 13 June 2018. Unlike Katherine and Lum, who were unfamiliar with the IR-SOP and not trained in security matters, Benjamin and Wee had defined roles in security incident response under the IR-SOP, and were familiar with these roles. Wee, in particular, was both accountable for the incident response team, and responsible for escalation to the GCIO. The failure on the part of Wee and the CERT to even consider whether the incidents should be reported is a cause for serious concern. It is also apposite to note at this point SMD Lead Han Hann Kwang’s (“Hann Kwang”) evidence that by 13 June 2018, the incidents were “very suspicious” and that he (assuming he was in Wee’s